RCE

  • Published on
    Raspberry Pi device that ran Pi-hole, which had default credentials. Once a foothold was obtained, root was a simple sudo -l.
  • Published on
    Eventually landed upon finding SQLi on /room.php?cod=, so we dumped the databases with sqlmap. Foothold was a simple phpMyAdmin credential login, then a phpMyAdmin 4.8.0 exploit to gain a shell. Root was obtained by exploiting root.service.
  • Published on
    Apache misconfiguration that allowed me to gain a foothold by bypassing a MIME upload, then I executed RCE to get a shell. For root, there was a changename.sh file which cleaned up the uploads directory, but I changed it to give root.
  • Published on
    Connected via IPsec VPN to get access to the host, clues from SNMP to get connected, found out it's a Windows host, uploaded a webshell via FTP, then privesc with JuicyPotato.