My CMSMS: 1 Walkthrough
| reference | My CMSMS: 1 |
| target ip | 192.168.1.19 |
Scan with nmap:
Check the SSH authentication methods with the nmap ssh-auth-methods script:
Try MySQL passwords with hydra:
Log in to MySQL and enumerate cmsms_db.cms_users:
Update the password instead of cracking it.
The SQL is from this thread.
Log in to CMS Made Simple.
Upload a reverse shell, renaming the file extension from php to phtml:
Request http://192.168.1.19/uploads/images/rs.phtml to get a reverse shell.
Escalate from user www-data to user root.
/var/backups/shadow.bak is readable:
Run unshadow, then crack with john:
/root/proof.txt:
/home/armour/binary.sh
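
The upload step above works because a file named rs.phtml is accepted where a .php name is not. The following is an added example, not code from the original walkthrough or from CMS Made Simple: it contrasts an assumed blocklist-style filter with an allowlist check that also verifies the leading bytes and generates the stored name server-side. All function names and sample uploads are constructed for illustration.

```python
import os
import secrets

# Assumed model of the filter the upload step got past: it rejects only ".php".
NAIVE_BLOCKLIST = {".php"}

# Allowlist for an image upload directory: extension -> accepted leading bytes.
ALLOWED_IMAGES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_filter_accepts(filename):
    """Blocklist check: anything not explicitly listed is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in NAIVE_BLOCKLIST


def safe_upload_name(filename, content):
    """Return a server-generated storage name, or None if the upload is rejected."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magics = ALLOWED_IMAGES.get(ext)
    if magics is None:
        return None  # extension not on the allowlist (covers .phtml and .php)
    if not content.startswith(magics):
        return None  # body does not match the claimed image type
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext


# Constructed sample uploads: (client file name, first bytes of the body).
SAMPLES = [
    ("rs.php", b"<?php /* constructed */ ?>"),
    ("rs.phtml", b"<?php /* constructed */ ?>"),
    ("logo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("logo.png", b"<?php /* constructed */ ?>"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, naive_filter_accepts(name), safe_upload_name(name, body))
```

Independently of the filter, configuring the web server so that files under the uploads directory are never passed to the PHP handler removes the impact of an extension the filter misses.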