http [Initial-access]
Looking at page.
At port 80.

It says that it is under construction.
Looking at hidden directory at port 80.

I tried to scan port 23.

It's not allowed.
Then I tried to see the hidden directory at port 23.

I didn't find any hidden directory at port 23.
Hidden Directory searching
After a hint, I started enumerating for the version.
In this, I found that there is a hidden admin page directory.

admin:admin credential didn't work here.
Trying XSS exploit
First I will save this file on my Kali Linux machine.

The file extension is .txt; it should be .php as stated above. So, I will change it to the .php extension.
I will start the Python web server.
Now I will craft the URL according to my website.
Initial URL:
Final URL:
It ran and loaded the page.
But didn't work.
Trying RCE exploit.
When I visited the directory below and viewed the source code, I found that there is a version number mentioned.

Using this exploit.
Now I will run the exploit.
After reading the exploit, it is clear that we need to pass the /test/ directory to complete the URL.
So, my exploit code will be as shown below:

Great!! I got the shell as www-data user.
Stabilize the shell
Then run the bash shell command below:

Enable tty.