PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.158.15 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/admin (Status: 200) [Size: 417]
/.hta (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 201]
/server-status (Status: 403) [Size: 279]


At the end of the View Source on /admin we found one comment:
<!--passphrase:harder-->
Only these? Nothing else?!! So we have to go back to basics and enumerate with another wordlist.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.15/ -w /usr/share/wordlists/dirb/big.txt -q -t 200 -x php
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/admin (Status: 200) [Size: 417]
/index.php (Status: 200) [Size: 201]
/server-status (Status: 403) [Size: 279]
/superadmin.php (Status: 200) [Size: 152]
Just found out /dirb/big.txt could be more useful than the dirbuster medium list.

Whenever we submit the query it's super duper slow, but bear with it.
Besides using /dirb/big.txt, there is another way to get superadmin.php

This Spiderman image named haclabs.jpg is one of the images from the /admin page.
┌──(kali㉿VirtualBox)-[~]
└─$ steghide extract -sf haclabs.jpeg
Enter passphrase:
wrote extracted data to "imp.txt".
┌──(kali㉿VirtualBox)-[~]
└─$ cat imp.txt
c3VwZXJhZG1pbi5waHA=
┌──(kali㉿VirtualBox)-[~]
└─$ echo "c3VwZXJhZG1pbi5waHA=" | base64 --decode
superadmin.php
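Both shortcuts above came from content the site itself served: the passphrase sat in an HTML comment on /admin, and the hidden page name was stored as a base64 string. As an added example (not part of the original walkthrough), here is a pre-deployment check a site owner could run over page source and text files to flag such leaks; the keyword list, the 12-character threshold and the sample strings are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Keywords that suggest a comment carries a credential or hint (assumed list).
HINT_WORDS = re.compile(r"pass(word|phrase)?|secret|token|key|cred", re.I)
# Runs of the base64 alphabet, 12+ characters (assumed threshold), optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def leaky_comments(html):
    """Return comments whose text matches a credential-like keyword."""
    collector = CommentCollector()
    collector.feed(html)
    return [c for c in collector.comments if HINT_WORDS.search(c)]

def decodable_base64(text):
    """Return (token, decoded) for base64 runs that decode to printable ASCII."""
    hits = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # not a whole number of base64 quanta
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("ascii", errors="ignore")
        if len(decoded) == len(raw) and decoded.isprintable():
            hits.append((token, decoded))
    return hits

# Constructed sample input modelled on the two artefacts in this walkthrough.
SAMPLE_HTML = "<html><body><img src='haclabs.jpg'><!-- layout v2 --><!--passphrase:harder--></body></html>"
SAMPLE_NOTE = "c3VwZXJhZG1pbi5waHA=\n"

if __name__ == "__main__":
    print(leaky_comments(SAMPLE_HTML))
    print(decodable_base64(SAMPLE_NOTE))
```

Data hidden inside an image with steghide would not be seen by this check; it only covers what is readable as text.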
Since this is another ping-host website, maybe we can do some command injection. Based on our TryHackMe King aldeid, he has this page explaining command injection to shell.