Vulnhub SP: eric Walkthrough

by Vince
in Blog

SP: eric is one of the newer releases from Vulnhub and when I first started enumerating it, I spotted the .git directory. Right off the bat, I figured that wasn't there by accident and I started Googling to find more information. After a minute or so, I discovered a post titled "Don't publicly expose .git or how we downloaded your website's sourcecode", which led me to a collection of tools that facilitate extracting data from sites where .git is exposed.

While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines. A quick search found some tools related to that talk, but I wasn't as successful at extracting data as I was with the tools above, so as far as I can tell, this is the quickest path to get where you need.

Anyway, I kick off with an Nmap scan:


PowerShell Password Hunter

by Vince
in Blog

I was tasked with searching for data within Word and Excel files similar to something I'd written a while back but an expansion of that original request.  Instead of searching for a specific term within the filename, we are now searching inside of the files looking for a specific phrase.  When I was finished, I gained some additional knowledge -- some good and some not so good.  I started out with a myopic mindset but realized the gravity of the situation once I moved from my test environment to the live system.

That's not to say that it doesn't work, so let's walk through the test situation and then I can elaborate on the issues.

We start off with our test folder which contains a dozen or so Excel files.  Within a couple of those Excel files, I've inserted a username and password.  In one of the folders, I've created a subfolder to ensure the -Recurse function was working.  


Combining Crumbs

by Vince
in Blog

I stumbled upon a vulnerable version of Oop CMS Blog which, according to Exploit-DB, is vulnerable to SQL Injection. In order to better understand what I was dealing with, I downloaded the software and installed it on the same operating system as the target server. Looking at the comments on Exploit-DB, the injection points seemed relatively easy and I thought this was going to be a quick kill. Due to a variety of different circumstances, I could never get from point A to point B in a single shot. In the end, I wound up combining a few different pieces in order to get that initial shell.

From a web browser, we take a look at the site:
