Enumeration

Nmap

The initial Nmap scan revealed that the HTTP and SSH ports were open.

00 - nmap

Web Enumeration

The website was a CodoForum site.

01 - web codo logic

At first I brute-forced to find versioning metafiles and found a Readme.md file. It showed 5.2, as seen in the image.

02 - README

03 - version

Then I found the admin endpoint and tried admin:admin, and it also worked. I logged in as admin and found that the version is actually 5.1 and will be updated to 5.2, as seen in the images.

05 - admin admin login

06 - logged in - version

Exploitation

CVE-2022-31854

Then I searched the version and found that this version is vulnerable to RCE via the admin logo update. However, uploading files with the php extension was disallowed.

So I searched the website, found the allowed extensions list, and added php.

07- allowed upload types

Then I simply uploaded a PHP shell and got a reverse shell.

08 - shell

09 - shell
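
From the defender's side, the step above works because the upload allowlist can be edited from the admin panel and the logo upload trusts whatever it contains. The following Python sketch is an added example, not code from CodoForum or from this write-up: it audits an allowlist setting for server-executable extensions and validates a logo filename against a fixed image list. The comma-separated setting format, the function names and the extension lists are assumptions.

```python
from __future__ import annotations

# Extensions a PHP-capable web server may pass to an interpreter.
# Constructed list for this example; align it with the server's handler config.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                   "pht", "phps", "cgi", "pl", "py", "sh"}
# A logo upload only needs image types, so this list is fixed in code
# instead of being read from an admin-editable setting.
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}


def audit_allowlist(setting: str) -> list[str]:
    """Return the executable extensions found in a comma-separated allowlist."""
    entries = {e.strip().lstrip(".").lower() for e in setting.split(",") if e.strip()}
    return sorted(entries & EXECUTABLE_EXTS)


def is_safe_logo_name(filename: str) -> bool:
    """Accept only a plain image filename with no executable suffix anywhere."""
    # Reject path components, NUL bytes and trailing dots/spaces outright
    # rather than trying to normalise them.
    if any(c in filename for c in ("/", "\\", "\x00")):
        return False
    if filename != filename.rstrip(". "):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile such as ".htaccess"
    # Check every suffix, so "logo.php.jpg" is rejected as well as "logo.php".
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False
    return parts[-1] in IMAGE_EXTS


if __name__ == "__main__":
    # Constructed sample: an allowlist after "php" has been appended to it.
    print(audit_allowlist("jpg, jpeg, png, gif, php"))
    for name in ("logo.png", "logo.php", "logo.php.jpg", "logo.PhP"):
        print(name, is_safe_logo_name(name))
```

Running the audit on a schedule against the stored setting flags the change made in this step, and the filename check keeps the logo upload safe even when the allowlist has been widened.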

Privilege Escalation

Config File

I tried some known methods such as sudo -l, SUID bits, and kernel exploits, and none of them worked. Then I started to search the web folders.

There was a config.php file inside the web directory.

11 - config

And it included a password.

12 - password

And I tried it with root, and it worked. I got root.

13 - flag

Note that we can also run linpeas.sh and find that password directly.

10 - linpeas

12 - password 2

As seen in the image, linpeas directly greps the password.

