
Quackerjack 🔸

Enumeration

On port 8081 we have an rConfig service.

Searching for an exploit we find

Initial Access

The problem is that the final step, the execution of the reverse shell, is not working.

So we are going to use the created user and run another exploit from the inside.

https://gist.github.com/FlatL1neAPT/c2a339ca76d0db05a281f2e6e77ad56c

So upload a shell.php in vendors, capture the request with Caido and set the Content-Type to image/gif, then go to /images/vendor/shell.php to get a reverse shell.
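The step above works when the server trusts the Content-Type declared by the client. The following is an added example, not rConfig's code and not part of the original writeup: a weak check of that kind beside a hardened one. The function names, the allowlist and the sample upload are constructed assumptions.

```php
<?php
// Added illustration, not rConfig source. Names and sample data are constructed.

// Allowed extensions and the MIME type each one must sniff as.
const ALLOWED = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Weak: trusts the Content-Type the client sent with the multipart part,
// which any intercepting proxy can rewrite.
function weak_check(array $upload): bool
{
    return in_array($upload['type'], ALLOWED, true);
}

// Hardened: ignore the declared type, allowlist the extension, sniff the
// content on the server, and never reuse the client's file name.
// Returns the name to store the file under, or null to reject it.
function hardened_check(array $upload): ?string
{
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                        // a .php name is rejected here
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        return null;                        // content does not match the extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen stored name
}

// Constructed sample: a script body that the client declares as image/gif.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'placeholder'; ?>");
$upload = ['name' => 'shell.php', 'type' => 'image/gif', 'tmp_name' => $tmp];

var_dump(weak_check($upload));      // accepted or not by the weak check
var_dump(hardened_check($upload));  // stored name, or NULL when rejected
unlink($tmp);
```

Content sniffing alone can be satisfied by a file that starts with valid image bytes, so the extension allowlist and the server-chosen name carry the weight; storing uploads in a directory where PHP execution is disabled removes the remaining risk.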

Get the flag

Privilege Escalation

Get credentials

Inside MySQL we have the admin user.

Using hashcat

Looking for SUID binaries, we have find.

Post Exploitation

Get the flag