
1. Enumeration:
- Nmap scan:

Web Enumeration:

Checking robots.txt » found /admin-dir

Visiting /admin-dir/credentials.txt:
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!

Gobuster:
$ gobuster dir -w /usr/share/golismero/wordlist/fuzzdb/Discovery/PredictableRes/raft-medium-directories.txt -u 10.10.10.187/admin-dir/ -x php,txt -s 200


This revealed /contacts.txt:
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
# Amy
Email: a.bialik@admirer.htb
# Leonard
Email: l.galecki@admirer.htb
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
# Bernadette
Email: b.rauch@admirer.htb

FTP enumeration:
Logging in with ftpuser and password: %n?4Wz}R$tTF7

Login succeeded, so let's dump these files:
$ wget --user ftpuser --password '%n?4Wz}R$tTF7' -m ftp://10.10.10.187

So we downloaded the files dump.sql and html.tar.gz
- dump.sql » has nothing useful


- index.php:
$servername = "localhost";
$username = "waldo";
$password = "]F7jLHw:*G>UPrTo}~A"d6b";
$dbname = "admirerdb";

- looking in w4ld0s_s3cr3t_d1r:
[Bank Account]
waldo.11
Ezy]m27}OREc$
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!

looking in /utility-scripts/db_admin.php:
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";
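
The backup pulled from FTP holds database passwords written as PHP string literals and a plaintext credentials note under the web root. An added example, not part of the original notes: a defender-side scan of a web root for both patterns before it is deployed or archived. The sample tree, the placeholder values, the DB_PASS variable name and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP assignment with a quoted literal, e.g. $password = "...";  The greedy
# (.+) runs to the last matching quote before ';', so a value that itself
# contains a quote character is still caught.
PHP_SECRET = re.compile(r'''\$(pass(?:word|wd)?|pwd|secret)\s*=\s*(["'])(.+)\2\s*;''', re.I)
# Header of a plaintext credential note, e.g. [FTP account]
NOTE_HEADER = re.compile(r"^\[(.+ account)\]$", re.I)
SCANNED = {".php", ".inc", ".txt", ".bak"}

def scan_webroot(root):
    """Return sorted (path, line, kind, label) findings; secret values are never returned."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED:
            continue
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            secret = PHP_SECRET.search(line)
            if secret:
                findings.append((rel, no, "hardcoded-secret", "$" + secret.group(1)))
            header = NOTE_HEADER.match(line.strip())
            if header:
                findings.append((rel, no, "credential-note", header.group(1)))
    return sorted(findings)

def build_sample(root):
    """Constructed tree using the directory names from the notes; every value is a placeholder."""
    files = {
        "index.php": '<?php\n$servername = "localhost";\n$username = "waldo";\n'
                     '$password = "PLACE"HOLDER";\n',          # quote inside the value
        "utility-scripts/db_admin.php": '<?php\n$password = getenv("DB_PASS");\n',  # not hardcoded
        "admin-dir/credentials.txt": "[FTP account]\nftpuser\nPLACEHOLDER\n",
        "admin-dir/contacts.txt": "# Penny\nEmail: p.wise@admirer.htb\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_webroot(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

The report carries only file, line and variable or section name, so it can be shared without repeating the secrets it found.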

checking /utility-scripts:

Gobuster again:
$ gobuster dir -u http://10.10.10.187/utility-scripts/ -w /usr/share/dirb/wordlists/big.txt -t 30 -x php,txt -s 200

Found /adminer


