Enumeration
Starting off with a little nmap, we see SSH and HTTP open.
A quick check for OpenSSH v7.6p1 vulnerabilities doesn’t seem to give us anything, so let’s move on to port 80.
At first glance, there are just a bunch of images on the site - nothing too interesting. Of note in the source code, however, are references to images located in images/uploads. This will be useful later.
Next, in the bottom left corner there is a login button which will presumably let us upload images, so let’s try that.
Foothold
Now, we are presented with a very simple login dialog box. The login process appears to be pretty standard in that it POSTs a username and password to the PHP backend.
Since we don’t know the username or password, let’s try SQL injection in both fields. The idea here is that the PHP code in the back may look something like this:
...
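To make the risk concrete, here is an added example (not the writeup's snippet and not the target's real code) that puts a login check built by string concatenation next to a parameterized one, and runs both on the same inputs. The table layout, column names, function names and sample account are assumptions, and an in-memory SQLite database stands in for the site's backend.

```php
<?php
// Added illustration: the schema, names and credentials below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, pw_hash TEXT)');

$sample = 'constructed-sample-password';
$ins = $pdo->prepare('INSERT INTO login VALUES (?, ?, ?)');
$ins->execute(['admin', $sample, password_hash($sample, PASSWORD_DEFAULT)]);

function loginConcatenated(PDO $pdo, string $user, string $pass): bool
{
    // Weak: the input becomes part of the SQL text, so a quote in it
    // ends the string literal and the rest is parsed as SQL.
    $sql = "SELECT 1 FROM login WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetchColumn() !== false;
}

function loginParameterized(PDO $pdo, string $user, string $pass): bool
{
    // Hardened: the username is bound as a value and only ever compared as data;
    // the password is checked against a stored hash, outside the query.
    $stmt = $pdo->prepare('SELECT pw_hash FROM login WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed inputs: a good login, a bad password, and quote-bearing input.
$cases = [
    'valid credentials'   => ['admin', $sample],
    'wrong password'      => ['admin', 'nope'],
    'quote-bearing input' => ["' OR '1'='1", "' OR '1'='1"],
];

foreach ($cases as $label => [$u, $p]) {
    printf(
        "%-20s concatenated=%s parameterized=%s\n",
        $label,
        var_export(loginConcatenated($pdo, $u, $p), true),
        var_export(loginParameterized($pdo, $u, $p), true)
    );
}
```

Only the concatenated check accepts the quote-bearing input; the parameterized check treats it as a username that does not exist.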