Port enumeration

Using nmap, I found 3 open ports, 22, 80 and 443. 0a8d0bdcbe9225b075899d0157efd6fd.png

Web enumeration

Inside the http server, I found a login page. 090da757fa670a5454f448252018b1fd.png I can log with the credentials admin:password. 3d0f0484c4e910a1ae2f6aeb24a1cf43.png Inside the page, I found what looks like a store. eebc0fb42d2a143d599adf8b83fdfd98.png Inside the code, they talk about a guy called Daniel. f2970e87d786c9aa571f77df27b4c19b.png After some enumeration, I found a formulary. 41a77f1bc7afb85c1b29660a5dc8f35c.png With caido, I see who this form is using XML, and looks vulnerable to XEE. 0c8b84751906fd3fa88d7b2518cd3e04.png

XEE

I confirm the vulnerability sending a request to nc. 372af3a79a268acc6027e75023eac4a3.png f9b26ddb1ac2940a41a9e07653f733e0.png And I also confirm who I can read local files. c5f1a0b5ffa92ebbc867163b9bd8c07c.png Including the user flag. 4e4600526b787c76c37ecc6975ec3fea.png Now, I decide to exfiltrate the process.php code. ec2c2182fe8a1a6d0fda77e93f918dac.png e5a42b46269474030b3efe8e149f317c.png Nothing interesting, but using the same technique I was able to exfiltrate a ssh key. 6c5027641a6f7375b692af0b805ebfcb.png 60402b9f0896e399ec75fedd7a4f15f6.png With this ssh key, I log as daniel using ssh. d01ed540deac87d28a4018c5dc7bd668.png

Privilege escalation

After some enumeration I found the file Log-Management. 999be55ad274a5a7d554034c1c487b2f.png Here, I found an script where I can write. 15b87b1577e60e421233a917d3e56b91.png So, I write a reverse shell in the script. f8ab0ea3af7f41ef8ad07a42d789becf.png And I wait for the admin user to execute his script, giving me a administrator shell. 9d007d9a537c580a56a5e3062e74ae55.png 7b10cd6878ef85bd165cb91d4f5418e1.png