Date: Mar 8, 2025 → Mar 8, 2025
Tags: Nmap, Web Exploitation, Credential Harvesting

Nmap

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 07:13 EST
Nmap scan report for 192.168.104.23
Host is up (0.14s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 93.15 seconds
80

The username should be admin, judging by the content of this post.
Username : admin
dirb

Trying admin:admin, we log in.


Using searchsploit, we find that there are several PoCs; we can try 50978.


so we can use command python3

Upload /usr/share/webshells/php/php-reverse-shell.php and access its path.

got it
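
A defender-side check for the upload step above, as an added example that is not part of the original write-up: it scans web access logs for successful requests to script files inside an upload directory and notes whether the same client sent a POST shortly before. The `/uploads/` directory, the log lines and the addresses are constructed assumptions, not values from the target.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (common log format); IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Mar/2025:07:30:01 -0500] "POST /admin/index.php?page=config HTTP/1.1" 200 512
203.0.113.5 - - [08/Mar/2025:07:30:09 -0500] "GET /uploads/shell.php HTTP/1.1" 200 0
198.51.100.7 - - [08/Mar/2025:07:31:00 -0500] "GET /uploads/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [08/Mar/2025:07:32:00 -0500] "GET /index.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_DIRS = ("/uploads/",)  # assumption: where the application stores uploaded files
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
WINDOW = timedelta(minutes=5)  # how long after a POST a hit counts as "preceded by upload"


def find_uploaded_script_hits(log_text):
    """Return (ip, path, preceded_by_post) for every 2xx request to a script in an upload dir."""
    last_post = {}  # client IP -> time of its most recent POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0]  # ignore the query string when matching
        if method == "POST":
            last_post[ip] = when
        in_upload = any(path.startswith(d) for d in UPLOAD_DIRS)
        if in_upload and SCRIPT_EXT.search(path) and status.startswith("2"):
            recent = ip in last_post and when - last_post[ip] <= WINDOW
            hits.append((ip, path, recent))
    return hits


if __name__ == "__main__":
    for ip, path, recent in find_uploaded_script_hits(SAMPLE_LOG):
        print(f"ALERT {ip} executed {path} (POST from same client within window: {recent})")
```

Any hit means the web server is executing code from a directory that should only hold static files, so the durable fix is to disable script execution there in the server configuration.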

We learn that codo's database configuration is in config.php.

Obtain the database password:
$config = array (
'driver' => 'mysql',
'host' => 'localhost',
'database' => 'codoforumdb',
'username' => 'codo',
'password' => 'FatPanda123',
'prefix' => '',
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci'
);
Using this password, we got into root's terminal and obtained the flag.
