Scan this IP and see which ports are open and what services are running on them.
Scan those ports to identify the service versions and the OS of the host, and look for any usable scripts for those services.
Open ports found:
80   http
111  rpcbind
777  ssh
80/http
Try scanning this website.
Some paths contain phpinfo or similar; maybe that is the way in.
We can also access their admin login page.
And we can see which version of PHP is in use.
Search for any vulnerability we can use.
According to the results, maybe we can use 35539; although it looks like a DDoS, the version is the best match.
After building the payload and using it, nothing happened, so I chose another way to try one more time.
After 1 day, I had tried almost every method in searchsploit, but it doesn't work. I want to change the target to RPCBIND, which is port 111, but I tried searching in searchsploit and Google, and all of them show me only DDoS entries, and I don't know what the relation is between DDoS and getting access. Maybe I need to give up, since I don't have more knowledge to support me in finding other clues.
Hit 1
After seeing a hint from redteamnote, I can continue my journey.
We can see there is a photo on the main website; let's check whether any info is hidden inside it.
wget http://192.168.56.104/main.gif
After checking, there is a suspicious string in the photo's metadata:
kzMb5nVYJw
We can try it as the password for phpMyAdmin or SSH, but neither of them works.
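To see what a GIF's "metadata" actually is, here is an added example (not code from the write-up) that walks the GIF block structure and pulls out Comment Extension blocks, which is where a string like the one above would sit; the image bytes and the comment text are constructed inline.

```python
import struct

def _read_sub_blocks(data: bytes, pos: int):
    """Read GIF data sub-blocks starting at pos; return (payload, pos after terminator)."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size

def gif_comments(data: bytes) -> list:
    """Return every Comment Extension (0x21 0xFE) string embedded in a GIF byte string."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                       # Logical Screen Descriptor flags
    pos = 13                                # header (6) + LSD (7)
    if packed & 0x80:                       # skip global colour table
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension block: label, then sub-blocks
            label = data[pos]
            pos += 1
            payload, pos = _read_sub_blocks(data, pos)
            if label == 0xFE:
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                 # image descriptor: 9 bytes, optional local table
            if data[pos + 8] & 0x80:
                pos += 3 * (2 ** ((data[pos + 8] & 0x07) + 1))
            pos += 10                       # descriptor + LZW minimum code size byte
            _, pos = _read_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    return comments

# Constructed 1x1 GIF89a carrying a comment; built inline so the example runs offline.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # LSD: 2-entry global colour table
    + b"\x00\x00\x00\xff\xff\xff"                          # the colour table
    + b"\x21\xfe\x0bhidden-note\x00"                       # comment extension "hidden-note"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)       # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00" + b"\x3b"                    # LZW data sub-block, then trailer
)
```

Running gif_comments on the downloaded main.gif would list whatever comment strings the file carries, the same field exiftool reports as "Comment".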
Hit 2
It turns out to be a PATH!!!!!!
The code says the key isn't difficult, so we can give hydra a try.
Analyze the request method via Burp Suite and construct the command.