An nmap scan shows ports 22 and 80 were open.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-27.png)
Through directory fuzzing a login screen was found.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-26-1024x675.png)
Another interesting file was also found for mysql.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-31.png)
After opening the directory we are brought to a file.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-30.png)
Downloading and opening the contents of the file shows us some interesting results. Admin or manager could be a username, but it also looks like there’s a password hash. Going to Crackstation and inputting the information gives us a password to use for the site.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-32.png)
A vulnerability in SweetRice version 1.5.1 allows unrestricted file uploads through Media Center.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-29.png)
This vulnerability allowed for a reverse shell on the machine.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-33-1024x224.png)
The sudo -l command shows that a couple of items can run as sudo. The backup.pl file has code that runs another file (etc/copy.sh) Rewriting the /etc/copy.sh and running backup.pl through perl and sudo should give a reverse shell as root.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-28.png)