$ nmap -p- --min-rate 3000 192.168.175.41
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 20:19 +08
Nmap scan report for 192.168.175.41
Host is up (0.17s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
3306/tcp open mysql
Of all things, Telnet is open.
Web Enum -> ZenPhoto RCE
Port 80 just shows this:
A gobuster scan reveals the following directories:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.175.41/ -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.175.41/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/07/01 20:22:15 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 75]
/test (Status: 301) [Size: 315] [--> http://192.168.175.41/test/]
Visiting /test reveals a ZenPhoto instance:
Viewing the page source reveals the version of ZenPhoto that is running:
There are RCE exploits available for this instance:
