Don’t give up on first upload.
On visiting the page we find index page which says It works
Running a gobuster scan shows us: 1) index 2)test3) torrent ,directories. Visiting test shows php config page. Torrent shows us dashboard to Torrent Hoster.
It has option to login and register. Let’s register
Gives you an option to upload. So we first download one file available in browse page — kali.torrent as sample and will try to upload it
After successful upload we will edit this torrent file to upload shell. First make a php shell file
Making some changes in request using burp let’s upload this.
Using exploit/multi/handler module on msfconsole , we can get reverse shell
Now going to home of www-data we find a folder torrent, containing database. Enumerating the sql file we get admin password.
Username : admin && Password : admin12.
These credentials worked no where … Suxxxxxx!! So I went back to home dir of www-data where I found .cache -> /etc/passwd
Opening /etc/passwd, I got a credential for toor. But since we don’t have access to /etc/shadow we cannot crack it. Shattered once again.
After a lots of trial and error . Nothing worked so I decided to check kernel exploits for Linux.
Linux Kernel <= 2.6.37 local privilege escalation
Linux Kernel exploit full-nelson.c . I tried running privilege exploit for linux kernel . Refer: https://www.exploit-db.com/exploits/15704
Just get it on your machine, then transfer to target machine and compile. Finally run it