Surveillance
My note about Surveillance machine
Last updated
My note about Surveillance machine
Last updated
Enumeration :
Add domain and ip to host ( domain : http://surveillance.htb/) to access the web at port 80
Scanning the subdomain :
Found the login page
It related to Craft cms in here , search around on google an i found this CVE related to it : https://gist.github.com/gmh5225/8fad5f02c2cf0334249614eb80cbf4ce
Because upload_tmp_dir return "no value" so change it to "no value" and run the exlpoit :
Okay got the foothold now looking around to get the user access :
Looking around and found the hash password for matthew in backup sql file , crack it and got the user
netstat to check the port open might help :
Port 8080 is open try connect again forward port : ( localhost : 127.0.0.1)
Access Web page :
Searching around with Zone Minder CVE : https://sploitus.com/exploit?id=1337DAY-ID-39149
Using Metaploit to attack this user :
Exploit zmupdate.pl : ( /usr/bin/zmupdate.pl)
Create a file to exploit :
Run as zone minder :
sudo /usr/bin/zmupdate.pl --version=1.1.1 --user='$(/tmp/pe.sh)' --pass=ANYPASSWORD
Now file bash2 can access the root :
