1. Host found
2. Port scanning
3. Access port 80 to see
Is a login window and found no useful information, sqlmap try to run a bit, no results
4. Scan directory
Dirbuster scan comes with kali
As more fully into account, and use dirb scan
In order to access a look
There may file contains, try to look at / etc / passwd
Open and found two users are root, ica
Direct access c.php a blank page, and therefore still read a file before
Try scanned before the directory page phpmy login to see prompt information see PHP configuration file
Successful login, the user name found: biLLu Password: hEx_it
Home Login Try
Successful login, jump to panel.php page, you can add users and view user
PHP default configuration file config.inc.php, Linux system path combined phpmy, files should be in / var / www / phpmy /, with a view burp
Get a username root, password roottoor
5. Obtain shell and provide the right : As the drone opened the ssh service, try a direct connection
Successful login, viewing permissions
At this point, mention the right to succeed!
Note: You can also rebound shell way to get by uploading pictures horse shell, and mention the right (that is a bit cumbersome)