Start by scanning the host with “nmap -A -T4 -p- 192.168.1.17 -vv”

Now run “dirb http://192.168.1.17 /usr/share/dirb/wordlists/big.txt”

We get some interesting results, but I’m interested in http://192.168.1.17/tiki/tiki-index.php since we can log in from there; first, though, we need a username and a password.

I ran some tests, such as searching for TikiWiki exploits with “Searchsploit” and running “nikto”, but nothing interesting came up, so now it’s time to run “enum4linux”, as ports 139 and 445 are open:


Now we have something: there is a share named “Notes” that we can access:

Using “smbclient \\\\192.168.1.17\\Notes” we can access the share without any password. There is a file “Mail.txt”; we can download it with “get Mail.txt” and view it on our machine.
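The share above is readable with no credentials at all, which is a Samba configuration issue rather than a TikiWiki one. The following audit script is an added example (not part of the original write-up and not Samba's own tooling): it parses an smb.conf and flags every share with `guest ok`/`public` enabled, plus a `map to guest` setting that turns failed logins into guest sessions. Both configuration strings are constructed; `SAMPLE_SMB_CONF` reproduces the symptom seen on the box, and `HARDENED_SMB_CONF` shows the same “Notes” share restricted to a named user.

```python
"""Audit smb.conf for shares reachable without credentials.

Added example, not from the original write-up or from Samba. SAMPLE_SMB_CONF is
constructed to reproduce the symptom seen above (a "Notes" share that
smbclient opens with no password); HARDENED_SMB_CONF is the corrected form.
Real-world use: audit_smb_conf(open("/etc/samba/smb.conf").read()).
"""

# Constructed sample, not copied from the target machine.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User      ; failed logins silently become guest

[Notes]
   path = /srv/samba/notes
   guest ok = yes               ; anyone can read this share
   read only = yes

[Private]
   path = /srv/samba/private
   valid users = silky
   guest ok = no
"""

# Same share, guest access removed and restricted to one account.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never

[Notes]
   path = /srv/samba/notes
   valid users = silky
   guest ok = no
   read only = yes
"""


def _truthy(value):
    """Samba accepts yes/true/1 as boolean true."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section name: {normalized key: value}}.

    Comments start with ';' or '#'; keys are lower-cased with whitespace
    collapsed so 'Guest  OK' and 'guest ok' compare equal.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def audit_smb_conf(text):
    """Return [(section, reason)] for settings that expose data without authentication."""
    conf = parse_smb_conf(text)
    findings = []

    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    map_to_guest = glob.get("map to guest", "Never")
    if map_to_guest.lower() != "never":
        findings.append(("global", "map to guest = %s: failed logins are mapped "
                                   "to the guest account" % map_to_guest))

    for share, opts in conf.items():
        if share.lower() == "global":
            continue
        # "public" is Samba's synonym for "guest ok"; the default is no.
        if not _truthy(opts.get("guest ok", opts.get("public", "no"))):
            continue
        writable = (_truthy(opts.get("writable", opts.get("writeable", "no")))
                    or not _truthy(opts.get("read only", "yes")))
        findings.append((share, "guest ok = yes (%s): contents readable with no password"
                         % ("writable" if writable else "read-only")))
    return findings


if __name__ == "__main__":
    for section, reason in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[!] %s: %s" % (section, reason))
    print("hardened config findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

Running the script against the sample prints two findings (the `map to guest` setting and the guest-readable “Notes” share) and none for the hardened configuration; the same logic applies to the files under `/etc/samba/` on a real host.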

We get the username “Silky” and the password “51lky571k1”, which we can use to log in to the TikiWiki panel:


In the panel I can’t find anything useful to exploit or any way to upload a reverse shell, until I find this page with a message:

So I searched online for the latest CVE for TikiWiki and found this exploit:

I downloaded the exploit and ran it:

And I got this output:

The admin password has been removed, and I can log in as admin without a password using Burp Suite, so let’s start Burp Suite:

This is the login request captured by the Burp Suite proxy; send it to “Repeater”, remove the password, and click Send:

Now refresh the page or go back, and we are logged in as admin:
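The failure mode above is that an exploit blanked the stored admin credential and the application then accepted an empty password. The code below is an added example (not TikiWiki's code and not from the write-up) of how a login check should behave so that this cannot happen: an empty submitted password and an empty or missing stored hash are both hard rejects, passwords are compared in constant time, and repeated failures lock the account for a period instead of modifying the stored credential. The user records, the `Authenticator` class and the injected clock are all constructed for the example.

```python
"""Login check that cannot be bypassed by a blanked password field.

Added example, not TikiWiki's code and not from the original write-up. It
models the mitigation for the failure mode seen above: once the stored admin
password was emptied, an empty password submitted through Burp Suite was
accepted. Here an empty submitted password and an empty stored hash are both
rejected outright, and repeated failures lock the account for a period
rather than touching the stored credential. User records and clock are
constructed for the example.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # kept modest so the example runs quickly
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def hash_password(password, salt=None):
    """Return 'pbkdf2$<hex salt>$<hex digest>' for a non-empty password."""
    if not password:
        raise ValueError("refusing to hash an empty password")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Constant-time check; an empty stored hash or empty candidate never verifies."""
    if not stored or not candidate:
        return False
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False          # malformed record: treat as unusable, not as empty
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)


class Authenticator:
    """Constructed login handler: lockout on repeated failure, audit trail of outcomes."""

    def __init__(self, users, clock=time.time):
        # users: {name: {"hash": str, "failures": int, "locked_until": float}}
        self.users = users
        self.clock = clock
        self.audit_log = []   # (timestamp, username, outcome)

    def login(self, username, password):
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            self.audit_log.append((now, username, "unknown-user"))
            return False
        if user.get("locked_until", 0) > now:
            self.audit_log.append((now, username, "locked"))
            return False
        if verify_password(user.get("hash"), password):
            user["failures"] = 0
            self.audit_log.append((now, username, "success"))
            return True
        # Failure path: count it and lock the account, never alter the hash.
        user["failures"] = user.get("failures", 0) + 1
        outcome = "bad-password"
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            outcome = "locked-out"
        self.audit_log.append((now, username, outcome))
        return False


if __name__ == "__main__":
    users = {"admin": {"hash": hash_password("correct horse"), "failures": 0},
             "blanked": {"hash": ""}}   # what a wiped credential looks like
    auth = Authenticator(users)
    print("admin, right password :", auth.login("admin", "correct horse"))
    print("admin, empty password :", auth.login("admin", ""))
    print("blanked, empty password:", auth.login("blanked", ""))
```

The audit log entries (`bad-password`, `locked-out`, `locked`) are what a detection rule would key on: a burst of failures against `admin` followed by a lockout is the signal, and because the lockout never rewrites the stored hash there is no state in which an empty password becomes valid.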

I kept looking for a way to upload a file as a reverse shell, with no luck, until I finally found this page with credentials for the user “silky”:

silky:Agy8Y7SPJNXQzqA
I can now SSH in with them:

Right after we log in, we can see that the user “silky” can run “sudo” without any password at all, so we run “sudo su”, become root, and grab the flag:
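The final step works only because of a `NOPASSWD` rule granting the user every command as root. The script below is an added example (not from the write-up and not part of sudo) that parses user specifications from a sudoers file and reports passwordless entries, rating an unrestricted `NOPASSWD: ALL` higher than a passwordless rule for a single binary. `SAMPLE_SUDOERS` is constructed to mirror the misconfiguration on this box; in practice you would feed it `/etc/sudoers` and each file under `/etc/sudoers.d/`.

```python
"""Flag sudoers entries that grant passwordless sudo.

Added example, not part of the original write-up or of sudo itself.
SAMPLE_SUDOERS is constructed to reproduce the misconfiguration seen on the
box: a user who may run any command as root without being asked for a
password. Real-world use: audit_sudoers(open("/etc/sudoers").read()) and the
same for every file in /etc/sudoers.d/.
"""
import re

# Constructed sample; the silky line mirrors the walkthrough, backup is a
# narrower rule included for contrast.
SAMPLE_SUDOERS = """
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# full passwordless root: the rule behind "sudo su" above
silky   ALL=(ALL) NOPASSWD: ALL
# passwordless, but limited to one binary
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

TAG_NAMES = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW")
_TAG_ALT = "|".join(TAG_NAMES)
# Leading "TAG:" prefixes before a command, e.g. "NOPASSWD: /usr/bin/rsync".
TAG_PREFIX = re.compile(r"^((?:(?:" + _TAG_ALT + r")\s*:\s*)*)(.*)$")
# user  host = (runas) commands
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_user_specs(text):
    """Return one dict per command in each user specification line.

    Defaults lines and alias definitions are skipped. A tag applies to the
    command it precedes and to later commands in the same list until a
    conflicting tag overrides it, which matches sudoers semantics.
    """
    specs = []
    text = text.replace("\\\n", " ")             # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias") or first.startswith("@"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        nopasswd = False                          # sudo's default is PASSWD
        for item in m.group("cmds").split(","):
            tm = TAG_PREFIX.match(item.strip())
            tags = re.findall(r"[A-Z_]+", tm.group(1))
            if "NOPASSWD" in tags:
                nopasswd = True
            elif "PASSWD" in tags:
                nopasswd = False
            specs.append({"who": m.group("who"), "hosts": m.group("hosts"),
                          "runas": m.group("runas") or "root",
                          "command": tm.group(2).strip(), "nopasswd": nopasswd})
    return specs


def audit_sudoers(text):
    """Return passwordless entries with a severity and a one-line reason."""
    findings = []
    for spec in parse_user_specs(text):
        if not spec["nopasswd"]:
            continue
        if spec["command"] == "ALL":
            sev, why = "high", "any command as (%s) without a password" % spec["runas"]
        else:
            sev, why = "medium", "passwordless %s as (%s)" % (spec["command"], spec["runas"])
        findings.append(dict(spec, severity=sev, reason=why))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("[%s] %s: %s" % (f["severity"].upper(), f["who"], f["reason"]))
```

On the sample this reports `silky` as high (passwordless `ALL` as any user) and `backup` as medium; the remediation for the first is simply removing the `NOPASSWD:` tag or the rule, after which `sudo su` prompts for the account's password again.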
