mKingdom
Last updated
Last updated
Reconnaissance
I see that Port 85 work web service http://10.10.x.x:85/
I use gobuster to Fuzzing dir
i Found /app (Status: 301) [Size: 312] [--> http://10.10.112.62:85/app/
]
when scroll down i found login page and i use Wayyplazer found CMS Concrete => V8.5.2
There’s an existing RCE vulnerability in Concrete CMS 8.5.2.
when scroll in web site i found username "admin" in /blog
I tried to login with ‘admin
’ as username and random passwords, and to my surprise, ‘password
’ worked!
Initial Access
According to instructions, I navigated to System & Settings-> Allowed file types, and added ‘.php’ in the allowed file types.
Then I went to Files -> File Manager and uploaded a php reverse shell. I started a Netcat listener on my attacking machine. After uploading the shell, I accessed it from the link provided on the website.
I using reverse shell nc
in click URL to File
Priv Esc
To Upgrade the tty
i found DB.php
I logged in as toad. After a bit of looking around, I listed the current environment variables using ‘env’, and I found a PWD_token.
user : mario
pass : ikaTeNTANtES
But i don't cat the flag
i will move file to /tmp
I ran linpeas again as mario, and found that /etc/hosts is writable
curl mkingdom.thm:85/app/castle/application/counter.sh
I modified the /etc/hosts file to add my attacking machine IP and mkingdom.thm as the corresponding hostname. Then I created the folder path /app/castle/application on my attacking machine and placed counter.sh there with a reverse shell payload.
Exploit Used
Reverse shell (File Upload) File Upload code
Tools Used
Nmap
nc
gobuseter
linpeas.sh
i use Revers shell online
I will try Useing Best tool to look for Linux local privilege escalation vectors: