Empline — TryHackMe — WriteUp

@fuffsec
Sep 18, 2021

Enumeration

Let’s start with an Nmap scan.

  • SSH [22]

OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

No possible exploit for this.

  • HTTP [80]
http://job.empline.thm/careers

Edit /etc/hosts and add this subdomain.

  • MySQL

No exploit, and no default or weak passwords.

More Enumeration

  • Let’s look at job.empline.thm

I searched on Google and found a blog post that gives an XXE.

Link: https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system/

By following the same process, I got the credentials from config.php.

Let’s use the credentials to log in to MySQL.

Let’s crack the MD5 hash of george with John. Use the same creds with SSH to log in as george.

You can find user.txt in george’s home folder.

Privilege Escalation

From the linPEAS output, I found a misconfiguration.

Let’s exploit it.

@fuffsec

Security Researcher | (OSWE, OSCP, OSWA, OSWP, CRTP, eWPTX, SSCP)