Nmap Results →

So first I did a basic Nmap scan to see what ports are open, and I found that the only open ports are 22 and 80.

Nmap scan report for 10.10.241.98
Host is up (0.049s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Directory Busting →

Next we do directory busting: when we visit the page we only see the default Apache page, so the real content is probably hidden behind some other path. Let's use DirBuster or gobuster; here I used the DirBuster medium wordlist (you can also use the small DirBuster list). After running it we find some interesting files:

Directories found during testing:

Dirs found with a 200 response:

/
/content/
/content/images/
/content/js/
/content/inc/
/content/inc/cache/
/content/inc/font/
/content/inc/lang/
/content/inc/mysql_backup/
/content/as/
/content/as/js/
/content/_themes/
/content/_themes/default/
/content/_themes/default/css/
/content/attachment/
/content/as/lib/

So here we find two interesting directories, namely content and as. The content one leads us to a page that says please come back later, the site is still under construction. But when we go to content/as we find a login page; let's just note it down for now, because it is very important later. We also see a directory called mysql_backup, which is very interesting and good for us, so let's go there and see what's in it. In the mysql_backup directory we see logs from MySQL, and if you scroll to the middle you can see that there are even credentials hidden in there. The credentials I found are:
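From the defender's side, the directory busting above leaves a very recognisable trace: a burst of 404s from one client, followed by a 200 on a path that should never be reachable, such as /content/inc/mysql_backup/. The following is an added detection example, not part of the original write-up; the log lines, the scanner IP 10.10.14.5, and the visitor IP 192.168.1.20 are constructed, and the regex assumes Apache's combined LogFormat.

```python
"""Added detection example (not from the original write-up): flag a directory
brute-force burst and 200s on exposed paths in Apache combined access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat; the regex is an assumption, adjust to your LogFormat.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths from the listing above that should never answer 200 on a production host.
SENSITIVE_PREFIXES = ("/content/inc/mysql_backup/", "/content/as/")

def parse_line(line):
    """Parse one log line into a dict (ip, ts, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def analyse(lines, threshold=20, window_seconds=60):
    """Return (IPs with >= threshold 404s inside window_seconds, [(ip, path)] 200s on sensitive paths)."""
    not_found, sensitive = defaultdict(list), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200 and rec["path"].startswith(SENSITIVE_PREFIXES):
            sensitive.append((rec["ip"], rec["path"]))
    flagged = set()
    for ip, times in not_found.items():
        times.sort()
        start = 0  # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged, sensitive

# Constructed sample: a scanner gets 25 quick 404s then a 200 on the backup dir;
# a normal visitor produces one 200 and one 404 and must not be flagged.
def _line(ip, sec, path, status, ua):
    return f'{ip} - - [01/Jan/2021:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 275 "-" "{ua}"'
SAMPLE_LOG = [_line("10.10.14.5", i, f"/word{i}", 404, "gobuster/3.0") for i in range(25)]
SAMPLE_LOG += [_line("10.10.14.5", 30, "/content/inc/mysql_backup/", 200, "gobuster/3.0"),
               _line("192.168.1.20", 31, "/", 200, "Mozilla/5.0"),
               _line("192.168.1.20", 40, "/favicon.ico", 404, "Mozilla/5.0")]
```

The real fix is of course not to leave backups and admin panels under the web root at all, but this kind of check is how you notice that someone has already found them.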

manager and the hash 42f749ade7f9e195bf475f37a44cafcb. Now let's take this hash to CrackStation and try to crack it and see what we get. I cracked it: it was an MD5 hash, which was super easy to crack. Now that we have the credentials, let's go back to the content/as login page and log in with them. Next let's look for some exploits for SweetRice CMS; you can google it or use searchsploit. When we do some research we find that if we go to the ads section we can upload PHP code (and code in general) and then access the uploaded code by going to content/ads etc. Now we will take advantage of this vulnerability to get a shell.

For this we will need a PHP reverse shell, which you can find over here.