found directory /tiny from go buster

Description of image

File manager access success! Default creds admin/admin@123

Description of image

Found a vuln based on the version number in the bottom right. You can also get it from the source of the login page!

Description of image

Description of image

The vuln has to be authenticated. There are two ways I can go about this.

One is I (think) I can use the file upload capability to upload a malicious script. Alternatively I can use the RCE to send me a shell.

I end up opting for uploading a reverse shell as the script seemed to have multiple syntactical errors I couldn’t get around.

Uploaded to /tiny/uploads, started a listerner, and

Description of image

Description of image

Link

SSH

Description of image

SUID check, bit set on doas

Description of image

Description of image

We can run dstat as root! We need to find where we can save dstat files. Dstat allows the creation and usage of python plugins. We can exploit this by creating a malicious plugin for python that will send us a reverse shell.

Description of image

Description of image