Ping

Nmap Scans
mapit 10.10.10.88
Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

Gobuster Scan
gobuster dir -u http://10.10.10.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -k -b "" -o gobuster.txt

On Port 80

On http://10.10.10.88/robots.txt

Got some entries, including http://10.10.10.88/webservices/monstra-3.0.4/
Only /webservices/monstra-3.0.4/ worked; all the other entries don't exist.
I'll try to log in; I just clicked the login link.

It took me to the admin login panel at http://10.10.10.88/webservices/monstra-3.0.4/admin/index.php?id=dashboard

I also searched for public exploits for Monstra 3.0.4. There are some RCE exploits for Monstra, but all of them are authenticated, so we need a password to exploit it successfully.
I'll try to log in with default credentials such as admin:admin.
It worked…!

After a lot of trying I couldn't make progress, but when I ran feroxbuster I could see a wp directory.

On http://10.10.10.88/webservices/wp/

So I'll run wpscan:
wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive
This will take an hour.

Found that gwolle-gb is running a vulnerable version.

Let's jump to the Initial Foothold…!
I found a GitHub repo where the user automated this process. We have to keep wp-load.php (our reverse shell script) hosted on the Python web server. Link: https://github.com/igruntplay/exploit-CVE-2015-8351/blob/main/exploit.py

The file has been fetched.

Got Reverse Shell

Let's check our privileges:
sudo -l

But we can't run this as www-data; we have to get access to onuma.
I used this command from GTFOBins, with a small modification:
sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
I got a shell as onuma.
Now to get user.txt.
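The sudo rule abused above is the security-relevant point of this step: letting one account run tar as another is effectively letting it run any command as that account, because tar's own --checkpoint-action=exec option spawns a child process. The following is an added example (not part of the original writeup) of how a defender would audit for this: it flags sudoers rules that grant tar to a run-as user, and flags sudo log entries where tar was invoked with --checkpoint-action=exec. The sudoers excerpt and the syslog lines are constructed for the example; the page does not show the real rule or logs from the box.

```python
import re

# Constructed sudoers excerpt modelled on the situation in the writeup:
# www-data may run tar as onuma. The actual rule on the box is not shown.
SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(onuma) NOPASSWD: /bin/tar
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed sudo log lines in sudo's default syslog format.
SUDO_LOG = """\
Mar  3 10:01:12 tartar sudo: www-data : TTY=pts/1 ; PWD=/var/www/html ; USER=onuma ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Mar  3 10:05:44 tartar sudo:    onuma : TTY=pts/1 ; PWD=/home/onuma ; USER=root ; COMMAND=/bin/tar -czf /var/backups/www.tgz /var/www
Mar  3 10:06:01 tartar sudo:   backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /var/www /mnt/backup
"""

# Binaries whose own options can launch a child process. tar is the one
# the writeup uses; an auditor would extend this set for their environment.
SHELL_CAPABLE = {"tar"}

# user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

# Fields sudo writes to syslog for every invocation.
LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def risky_sudoers_rules(text: str) -> list[dict]:
    """Return sudoers rules that grant a shell-capable binary to a run-as user."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            exe = cmd.strip().split()[0]
            if exe == "ALL":
                continue  # unrestricted sudo is a separate finding, not this check
            if exe.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append({
                    "user": m.group("user"),
                    "runas": m.group("runas"),
                    "command": exe,
                    "nopasswd": "NOPASSWD" in m.group("tags"),
                })
    return findings


def suspicious_sudo_events(log: str) -> list[dict]:
    """Flag sudo invocations of tar that request a checkpoint exec action."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if "--checkpoint-action=exec" in cmd or "--checkpoint-action exec" in cmd:
            hits.append({"user": m.group("user"), "runas": m.group("runas"), "command": cmd})
    return hits


if __name__ == "__main__":
    for f in risky_sudoers_rules(SUDOERS):
        print("sudoers:", f)
    for h in suspicious_sudo_events(SUDO_LOG):
        print("log:", h)
```

The sudoers check points at the root cause (the rule itself), while the log check gives a detection for the moment the rule is abused; the onuma backup job in the sample log is a legitimate tar run and is not flagged, because only the checkpoint exec action is treated as suspicious.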

Let's jump to Privilege Escalation…!
I just did it using PwnKit, because the system is running a vulnerable version of pkexec, 0.105.

Got root.txt
