Open WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
8089/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
|_http-generator: FlatPress fp-1.2.1
|_http-server-header: Apache/2.4.56 (Debian)
80/tcp ---> Design: TemplateMo
8089/tcp --> FlatPress
Search exploit info about FlatPress -->
In the source code of http://192.168.221.29:8089/index.php/2023/06/17/welcome-to-flatpress/ --> Flatpress 1.2.1
But to use the exploits, we need to have a username and password. Try admin:password on /admin.php ---> succeeded!
Based on the instructions in the exploit "Flatpress 1.2.1 - File upload bypass to RCE Vulnerability", we got a reverse shell successfully.
sudo -l --> Refer to https://gtfobins.github.io/gtfobins/apt-get/ -->
Keypoints:
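
For the defensive side of the `sudo -l` step above, a sudoers audit that flags rules granting a package manager such as apt-get. This is an added example, not part of the original write-up. The sample `sudo -l` output, the user and host names, and the `apt`/`dpkg` entries in the review list are assumptions.

```python
import re

# Package managers run hooks and maintainer scripts with the privileges sudo grants.
# apt-get is the binary this page names; apt and dpkg are added here as an assumption.
REVIEW = {"apt-get", "apt", "dpkg"}

# Constructed `sudo -l` output (not taken from the page).
SAMPLE = """\
Matching Defaults entries for svc on target:
    env_reset, mail_badpass

User svc may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/apt-get update, /usr/local/bin/backup.sh
"""

ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit_sudo_l(text):
    """Return the sudo rules that grant a package manager (or ALL), for review."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header and Defaults lines carry no "(runas)" prefix
        rest, tags = m.group("rest"), set()
        while (t := TAG.match(rest)):  # strip NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in re.split(r"(?<!\\),\s*", rest):  # "\," is an escaped comma
            path, _, args = cmd.strip().partition(" ")
            if path != "ALL" and path.rsplit("/", 1)[-1] not in REVIEW:
                continue
            findings.append({
                "runas": m.group("runas").strip(),
                "command": path,
                "nopasswd": "NOPASSWD" in tags,
                # No argument list in sudoers means any arguments are accepted.
                "args_pinned": bool(args) and "*" not in args,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

A finding with `args_pinned` false and `nopasswd` true is the highest-priority rule to remove or narrow; pinned arguments still warrant review.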