Let’s kick it off with a port scan.
Checking the ports, there is an osCommerce instance on port 8080. Accessing the catalog directory, there is a messed-up website. Time to do directory bruteforcing. I use gobuster for that task, and an “install” page pops up.
Checking that page, I’m able to install osCommerce. I used the following creds for the database:
Now I have to wait for the database to be imported. After the DB import is done, I set the admin credentials. I chose admin:admin as user and pass.
We have access to the admin panel, now it’s time to search for an exploit. Using searchsploit, I find an Arbitrary File Upload vuln.
Let’s see what we need in order to upload a shell.
Upon testing, I made this simple PHP file to upload. With this, I can issue commands to the OS.
Time to upload the shell!
Let’s access it, put the “cmd” parameter, and issue a command.
Seems we’re NT Authority (highest privileged account). To get a reverse shell, I leveraged the msfconsole web delivery module.
I copied the last line and pasted it in my web shell to get it executed. You’ll have to wait a little to get it executed, but there’s gonna be a success.
Now, by simply running hashdump you’ll dump the users’ hashes.
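Seen from the defender's side, the two web-facing steps above (an install page that is still reachable, and an uploaded PHP file driven through a “cmd” parameter) both leave traces in the web server's access log. The following is an added example, not part of the original write-up: it assumes combined log format, and the log lines, paths and file names in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:13 +0000] "GET /catalog/install/ HTTP/1.1" 200 2048 "-" "gobuster/3.6"
10.0.0.9 - - [01/Jan/2024:10:03:40 +0000] "POST /catalog/install/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:09:55 +0000] "GET /catalog/uploads/shell.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:11:02 +0000] "GET /catalog/install/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Query parameter names treated as command-execution indicators.
# "cmd" is the one used in the write-up; extend the set for your environment.
SHELL_PARAMS = {"cmd"}

def scan(log_text):
    """Return (client_ip, rule, path) tuples for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, _method, target, status = m.groups()
        url = urlsplit(target)
        segments = [s.lower() for s in url.path.split("/") if s]
        # Rule 1: an installer directory answered with 2xx/3xx, so it is still deployed.
        if status[0] in "23" and "install" in segments:
            hits.append((ip, "install-reachable", url.path))
        # Rule 2: a PHP file was requested with a command-style query parameter.
        params = set(parse_qs(url.query, keep_blank_values=True))
        if url.path.lower().endswith(".php") and SHELL_PARAMS & params:
            hits.append((ip, "php-cmd-param", url.path))
    return hits

if __name__ == "__main__":
    for ip, rule, path in scan(SAMPLE_LOG):
        print(f"{rule:18} {ip:10} {path}")
```

Any “install-reachable” hit means the installer was never removed after setup, which is the condition that let the application be reinstalled with new admin credentials here.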