
Still, the script works pretty well, at least to get a foothold: C:\>netstat -ano | findstr TCP | findstr ":0" It uses print "string" syntax, so it must be legacy Python (Python 2). I took a look at the script, and it looks like it bypasses filters to upload a webshell, and then runs an infinite loop getting commands from the user, submitting them to the webshell, parsing the results, and printing them. I’ll grab a copy of the exploit using searchsploit -m php/webapps/48506.py (and I like to rename it something more descriptive, like gym_management_rce.py).
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py

At number 18 is Gym Management System, which fits the name of this searchsploit gym management Visiting that page lists tons of projects in PHP (and other languages), some free, others paid. There were two ways I could think of to find it without seeing it explicitly, and the third way below is the intended path (which is simply reading, but I’ll include the other two as potentially interesting): 1) On all the pages, there’s a copyright and/or link to Projectworlds.in.
When I first solved, I couldn’t find the name of the software displayed on the site (I was blind). Eventually I realized that given the sheer number of pages, and given things like a license page, this is likely not a custom site for HTB, but some software package. I actually went down a rabbit hole chasing through these things, but there’s a ton of pages.

I’ll run gobuster against the site, and include -x php since I know the site is gobuster dir -u -w /usr/share/wordlists/dirbuster/ -x php -t 40 -o scans/gobuster-root-small-php by OJ Reeves & Christian Mehlmauer Url:

There are several links to go to Gym information, but nothing interactive except for the login, which didn’t seem vulnerable to SQLI. This is a Windows host running Apache with PHP, so I don’t get much more information about the OS. Nmap done: 1 IP address (1 host up) scanned in 84.37 seconds | http-open-proxy: Potentially OPEN proxy.
