found directory /tiny from go buster

File manager access success! Default creds admin/admin@123

Found a vuln based on the version number in the bottom right. You can also get it from the source of the login page!


The vuln has to be authenticated. There are two ways I can go about this.
One is I (think) I can use the file upload capability to upload a malicious script. Alternatively I can use the RCE to send me a shell.
I end up opting for uploading a reverse shell as the script seemed to have multiple syntactical errors I couldn’t get around.
Uploaded to /tiny/uploads, started a listerner, and


SSH

SUID check, bit set on doas


We can run dstat as root! We need to find where we can save dstat files. Dstat allows the creation and usage of python plugins. We can exploit this by creating a malicious plugin for python that will send us a reverse shell.

