nmap scan: `nmap -T4 -A 10.10.241.239`
Shows a bunch of random ports, but I think the main point of interest is port 80. Let’s take a look at it.
First off, I tried to navigate to the access file, but was met with this:
There is overall a lot of information here on the CMS, let’s keep reading as we try and do a directory bust. Let’s try using gobuster: `gobuster dir -u http://10.10.241.239 -w /usr/share/wordlists/dirb/common.txt`
While I kept on reading, I found the following information:
So why don’t we try that, maybe if the CMS starter was still here it could mean that the developer did not actually change the password.
And we are in!
In the Assets tab there is a file upload feature. Let’s try to upload a PHP reverse shell if possible.
Oh, we got denied. Good on them for being on point, at least for now.
If we run `searchsploit fuel`, we get some valuable information: