Sometimes it is in front of your 👀 Blunder
nmap -sC -sT -sV 10.10.10.191
(Script Scan, TCP Connect Scan, and Service Version Detection) to find the services on this machine. There is the only
-sC: Uses the default scripts provided by Nmap.
-sT: TCP connect scan, for the case when a user does not have raw packet privileges.
-sV: Determines service versions, to find CVEs.
The web page
I decided to use DirBuster to enumerate directories.
Here is the result. I was interested in /admin. I found the way to gain access.
I searched the GitHub for brute force the password of
“-Inform fergus that the new blog needs images — PENDING”). The username is
Bludit is a web application to build your own website or blog in seconds, it’s completely free and open-source. Markdown support.
You need to modify the Python code to support your wordlists.txt until you get the password.
cewl — Custom wordlist generator
After you get the correct password, the next step is to find out whether there is a CVE or not.
CVE-2019-16113: Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname. I decided to use Metasploit for this CVE.
CVE - CVE-2019-16113
target IP then exploit.
Enumeration with user privilege
After I got a shell (www-data), I tried to find a user password to gain a user shell.
I found the password, which was kept in users.php in hash form.
I cracked the password from the hash and got
I needed to find the user who used the password (Password120), then I went to the /home directory to find the user and got shaun. I tried with hugo and that was it. Hugo used Password120 as a password.
I wanted to use the
bash shell on
Python command as follows. After that, I found the sudo 1.8.27 - Security Bypass on exploit-db.com.
Offensive Security's Exploit Database Archive
Exploit Title : sudo 1.8.27 - Security Bypass # Date : 2019-10-15 # Original Author: Joe Vennix # Exploit Author …
Sudo does not check for the existence of the specified user id and executes the with arbitrary user id with the
sudo -u#-1 /bin/bash
to become root
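A defender-side check for the sudo issue above, as an added example that is not part of the original write-up: it flags sudo log entries whose runas id is -1 or 4294967295, sudoers rules that combine ALL with !root in the Runas list (the configuration this bypass depends on), and sudo versions older than 1.8.28, the release that fixed it. The log line layout, the sudoers rule and the host name are constructed samples, and the helper names are hypothetical.

```python
import re

# Numeric runas ids that sudo before 1.8.28 resolves to uid 0.
BYPASS_IDS = {"-1", "4294967295"}
# Assumed sudo syslog layout: "<user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
LOG_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*\bUSER=#(?P<runas>-?\d+) ; COMMAND=(?P<cmd>.*)$"
)
RUNAS_RE = re.compile(r"\(([^)]*)\)")  # Runas list, e.g. "(ALL, !root)"


def find_bypass_attempts(log_lines):
    """Return (user, runas_id, command) for sudo runs that used a uid-0 alias."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("runas") in BYPASS_IDS:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd")))
    return hits


def risky_sudoers_rules(sudoers_text):
    """Return rules whose Runas user list grants ALL while excluding root."""
    risky = []
    for raw in sudoers_text.splitlines():
        rule = raw.strip()
        m = RUNAS_RE.search(rule)
        if not rule or rule.startswith("#") or not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            risky.append(rule)
    return risky


def sudo_is_affected(version):
    """True for sudo versions older than 1.8.28 (suffixes like 'p2' ignored)."""
    nums = tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return nums < (1, 8, 28)


# Constructed sample input, not taken from the target machine.
SAMPLE_LOG = [
    "Oct 15 10:01:02 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=root ; COMMAND=/usr/bin/id",
    "Oct 15 10:02:11 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 15 10:03:40 blunder sudo:     shaun : TTY=pts/1 ; PWD=/tmp ; USER=#1001 ; COMMAND=/bin/ls",
]
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\nhugo ALL=(ALL, !root) /bin/bash\n"

if __name__ == "__main__":
    print(find_bypass_attempts(SAMPLE_LOG), risky_sudoers_rules(SAMPLE_SUDOERS))
```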