Appointment - Hack The Box - Writeup


Recon

First, we use the ping command to identify whether the machine is running Linux or Windows.


Look at the TTL and remember: if the TTL is near 64 it is a Linux machine, and if the TTL is near 128 it is a Windows machine.

So we are dealing with a Linux machine.
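The TTL rule of thumb above can be turned into a small check that parses ping output and estimates both the OS family and the number of router hops in between. This is an added example, not part of the original writeup; the default initial TTL values (64, 128, 255) are assumed standard defaults, and the ping lines are constructed samples rather than output from the box.

```python
import re

# Default initial TTLs commonly set by operating systems (assumed standard
# defaults; administrators can change them, so treat the result as a hint,
# not proof).
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Solaris or network device"}


def parse_ping_ttl(line):
    """Extract the TTL from one line of ping output (Linux 'ttl=' or Windows 'TTL=')."""
    match = re.search(r"\bttl=(\d+)", line, re.IGNORECASE)
    return int(match.group(1)) if match else None


def infer_os_from_ttl(ttl):
    """Return (likely OS family, estimated router hops).

    Every router on the path decrements the TTL by one, so the observed value
    sits just below the sender's initial TTL; pick the smallest default that
    is >= the observed value and the difference is the hop estimate.
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None


def classify_ping_line(line):
    """Combine parsing and inference; returns None for lines without a TTL."""
    ttl = parse_ping_ttl(line)
    if ttl is None:
        return None
    os_family, hops = infer_os_from_ttl(ttl)
    return {"ttl": ttl, "os": os_family, "hops": hops}


if __name__ == "__main__":
    # Constructed sample lines, not captured from the box.
    samples = [
        "64 bytes from 10.10.10.5: icmp_seq=1 ttl=63 time=45.2 ms",
        "Reply from 10.10.10.6: bytes=32 time=40ms TTL=127",
        "Request timeout for icmp_seq 2",
    ]
    for sample in samples:
        print(classify_ping_line(sample))
```

The hop estimate is the useful extra: a TTL of 63 from a host one router away and a TTL of 64 from a host on the same segment both point at a Linux default, which is why the rule says "near" 64 rather than exactly 64.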

Let's start with the nmap scan. Launch an nmap scan to see the open ports on the machine. By default nmap uses the TCP protocol; other protocols like UDP exist, but in the majority of cases you start with a TCP scan, as follows:


Once we have the open ports, we need to know which services and versions are running on them, so we use the next command, which also runs nmap's basic recognition scripts:


We found port 80 open with Apache; it's probably a web page with a login. Let's check it out in the browser.


And of course we see a login form. Let's test with some values like 'admin'/'admin' and 'guest'/'guest', and neither works.

We use GoBuster and a wordlist from SecLists (you can download it here) to brute-force enumerate some directories:



And we found nothing.

So we can try a simple SQL injection.

Flag

Remember that in SQL (MySQL syntax) you can comment out the rest of a line with the "#" character. We can use it to try something with the admin user:


If the site uses PHP it may have SQL injection vulnerabilities when it is badly configured, so we can take advantage of that and list the users in it. If it doesn't work with the admin user you can try other users like root or john_doe, or in other cases you can brute-force that, but for this machine that is a waste of time. Remember: start simple and work your way up to the complicated.
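To see why the comment trick bypasses a login like this one, and what the fixed code looks like, here is an added example that is not code from the box or from the original writeup. It builds a constructed in-memory SQLite database with one account and shows the vulnerable string-concatenated query next to a parameterised one. SQLite is used so the example runs offline; its comment marker is "--", while the MySQL-backed form on the box accepts "#" as well, and the mechanism is the same.

```python
import sqlite3

# Constructed demo database: a single account, nothing from the actual box.
# Real applications must store password hashes, not plaintext; kept plain here
# so the query logic stays readable.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def build_vulnerable_query(username, password):
    # The classic mistake: user input is pasted straight into the SQL text,
    # so quotes and comment markers in the input become SQL syntax.
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    # Returns True when a row matches. A comment marker in `username`
    # cuts the password check off the end of the query, so any password
    # is accepted for a known username.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    # Parameterised query: the driver sends the values separately from the
    # SQL text, so quotes and comment markers stay plain data and the
    # password check can never be commented away.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "admin'-- "  # SQLite comment marker; MySQL also accepts '#'
    print(build_vulnerable_query(payload, "wrong"))
    print("vulnerable login:", login_vulnerable(conn, payload, "wrong"))  # True
    print("safe login:      ", login_safe(conn, payload, "wrong"))        # False
```

Printing the built query string is the quickest way to explain the bug in a report: everything after the comment marker, including the password comparison, is simply ignored by the database. The parameterised version is the fix to recommend; escaping quotes by hand is brittle and is not a substitute.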


And congratulations, you have pwned the machine!