nmap -p- -T4 -vv -sV 192.168.219.147
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
17445/tcp open unknown
30455/tcp open http nginx 1.18.0
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
2-PORT 50080
Doing a directory search with Gobuster we found the directory /cloud on port 50080, which presents a login form:
Trying admin/admin we manage to log in, and a file called issuetracker.zip catches our attention:
We download it, and when we unzip it we see that it is the source code of the website on port 17445:
[Screenshot: the web application on port 17445]
3-SQL vulnerability
Reviewing the source we find a file called IssueController.java that contains a SQL injection vulnerability:
[Screenshot: IssueController.java]
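The controller's code is only shown as a screenshot, so the following is an added example (not the issuetracker source) that re-creates the vulnerable pattern in Python against a constructed in-memory SQLite table and puts the fixed form beside it. The table layout, the `priority` allow-list and the injection string are all assumptions made for the illustration.

```python
import sqlite3

# Priorities the application is assumed to support (not taken from the page).
ALLOWED_PRIORITIES = ("low", "medium", "high")


def make_db():
    """Build a constructed in-memory issue table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issues (id INTEGER PRIMARY KEY, title TEXT, priority TEXT)"
    )
    conn.executemany(
        "INSERT INTO issues (title, priority) VALUES (?, ?)",
        [
            ("Login page is slow", "low"),
            ("Admin password reset broken", "high"),
            ("Cloud share returns 500", "medium"),
        ],
    )
    return conn


def find_by_priority_vulnerable(conn, priority):
    """Hypothetical re-creation of the vulnerable pattern: the request parameter is
    concatenated straight into the SQL text, so its content can change the query."""
    sql = "SELECT id, title FROM issues WHERE priority = '" + priority + "'"
    return conn.execute(sql).fetchall()


def find_by_priority_parameterized(conn, priority):
    """Bound parameter: the value is always data, never SQL, whatever it contains."""
    return conn.execute(
        "SELECT id, title FROM issues WHERE priority = ?", (priority,)
    ).fetchall()


def find_by_priority_hardened(conn, priority):
    """Allow-list on top of binding: anything that is not a known priority is
    rejected before it reaches the database, which is also a clean place to log it."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError("unsupported priority value: %r" % priority)
    return find_by_priority_parameterized(conn, priority)


if __name__ == "__main__":
    db = make_db()
    # Constructed textbook injection string: closes the quote and appends a tautology.
    payload = "' OR '1'='1"
    print("vulnerable   :", find_by_priority_vulnerable(db, payload))    # every row
    print("parameterized:", find_by_priority_parameterized(db, payload))  # no rows
    try:
        find_by_priority_hardened(db, payload)
    except ValueError as err:
        print("hardened     : rejected ->", err)
```

The parameterized query alone is enough to stop the injection; the allow-list is defence in depth and gives the application a natural point at which to log and alert on malformed `priority` values, which is exactly the kind of probe this writeup sends.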
If we go to the page we are redirected to the login page; after logging in we see the following:
[Screenshot: web error]
This means the HTTP method we are using is not the right one, so we capture the request with Burp Suite and change it to POST:
As we can see, we now get a 302 response; this is because to perform the SQL injection we have to add the priority parameter, after which the page takes 5 seconds to reload:
[Screenshot: exploiting the SQLi]
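The 5-second reload is the tell of a blind, time-based injection, and it is also the easiest thing to detect from the server side. The following added example (not part of the writeup) runs a simple detector over constructed access-log lines: it assumes the application or its reverse proxy logs in the nginx "combined" format with `$request_time` appended as the last field, and uses `/issue` as a placeholder for the affected endpoint, which the page does not name.

```python
import re
from collections import Counter

# Assumed log format: nginx "combined" plus $request_time as the final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Constructed sample lines; "/issue" is a placeholder for the vulnerable endpoint.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2021:12:00:01 +0000] "POST /issue HTTP/1.1" 302 0 "-" "Mozilla/5.0" 5.003
192.0.2.10 - - [10/Mar/2021:12:00:07 +0000] "POST /issue HTTP/1.1" 302 0 "-" "Mozilla/5.0" 5.011
192.0.2.10 - - [10/Mar/2021:12:00:13 +0000] "POST /issue HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.012
198.51.100.7 - - [10/Mar/2021:12:01:00 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0" 0.004
198.51.100.7 - - [10/Mar/2021:12:01:30 +0000] "POST /issue HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.015
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])
    return rec


def slow_request_alerts(log_text, min_seconds=4.5, min_hits=2):
    """Count, per (client, method, path), responses that took at least min_seconds.

    Repeated near-identical delays on one endpoint from one client are the
    signature of time-based blind injection probing; the threshold sits just
    under the 5-second delay the writeup observes so jitter does not hide it.
    Returns a sorted list of (ip, method, path, count) for groups at or above
    min_hits.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["rt"] >= min_seconds:
            hits[(rec["ip"], rec["method"], rec["path"])] += 1
    return sorted(
        (ip, method, path, n)
        for (ip, method, path), n in hits.items()
        if n >= min_hits
    )


if __name__ == "__main__":
    for ip, method, path, n in slow_request_alerts(SAMPLE_LOG):
        print("ALERT: %s sent %d slow %s requests to %s" % (ip, n, method, path))
```

The POST body, and therefore the `priority` parameter itself, is not in an access log; if the application or a WAF records request parameters, keying the same rule on that parameter as well cuts false positives from genuinely slow pages.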
Now we can write a web shell. The only thing we need to know is the path of the web root on the server, which we learn because on port 30455 there is a phpinfo.php file that we found with Gobuster:
Now that we know the path, we just need to create the web shell:
4-Web Shell
We can now execute commands:
The next step is to generate a reverse shell; we will use the one in the route