33033

So we see that the usernames are given to us, and some of them give us a hint as to which is the right word for the password reset prompt.

With the jerry.devops username we were able to reset the password because the user's favorite word was "paranoid", which is something he hinted in the main page. We reset the password and we had access to this account.

Once we clicked on the experimental link on the bottom of the website we were greeted by another page, one that is vulnerable to SQLi

To test for SQL injection I just typed ' . This broke the application, and we were then able to get a shell through SQL injection. This was new to me, I have never thought about this before but this technique is something I will note and use for the future.

If we remember correctly based on the phpinfo.php from the other ports we are able to see where the webserver is being hosted at.

Knowing this, using SQL injection we are able to get a shell using the following query.

' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/command.php'  -- -' 

After I had to play with the ports to see where the file was being stored at.