1. Privilege Escalation And Misconfigurations

2. Nothing but a login

3. Links to javascript files in the HTML <SCRIPT LANGUAGE=&quot;JavaScript&quot; type=&quot;text/javascript&quot; src=&quot; includes/scripts/fpi-init.js &quot;></SCRIPT> <SCRIPT LANGUAGE=&quot;JavaScript&quot; type=&quot;text/javascript&quot; src=&quot; includes/scripts/fpi-writevb.js &quot;></SCRIPT> <SCRIPT LANGUAGE=&quot;JavaScript&quot; type=&quot;text/javascript&quot; src=&quot; includes/scripts/fpi-main.js &quot;></SCRIPT> <SCRIPT LANGUAGE=&quot;JavaScript&quot; type=&quot;text/javascript&quot; src=&quot; includes/scripts/fpi-swap.js &quot;></SCRIPT>

4. Grab the source of the javascript files

5. Analyze the source for anything interesting

6. Found admin URL’s

10. Back at the login

11. Let’s see if our login exists

12. Welcome user SPIDynamics

14. Returns an Error

20. Feels good to be an admin

21. Where is the main admin page?

24. Success

25. Maybe Not.

26. Start Guessing

28. Success – About Time