paper

https certificate:
common name - localhost.localdomain
email - root@localhost.localdomain

nmap:

port 22 OpenSSH 8.0 (protocol 2.0); centos
port 80 Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
port 443 commonName=localhost.localdomain
intercepting request on port 80, the default page responds with a domain -> office.paper

users : jan, nick, michael,

bottom of the screen says powered by WordPress. running wordpress with api-token reports many vulnerabilities; one of them was WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts

with this, if we add ?static=1 to the URL, we are able to get some secrets.
the secret ->

test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,

Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.

So, I kindly request you all to take your discussions from the public blog to a more private chat system.

-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!
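
A defender-side check for the `?static=1` requests noted above, as an added example that is not part of the original notes: it scans web server logs for requests carrying a `static` query parameter and tests a version string against the `< 5.2.3` bound from the finding. It assumes Apache combined log format; the sample log lines are constructed, and the names `find_static_requests` and `is_affected` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /?static=1 HTTP/1.1" 200 20480 "-" "curl/7.61.1"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?%73tatic=1 HTTP/1.1" 200 20480 "-" "curl/7.61.1"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/static=1.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /?s=static%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?page_id=2&static=1 HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_static_requests(log_text):
    """Return (ip, timestamp, target, status) for requests carrying a `static` parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Parse the query string instead of grepping for "static=": parse_qs
        # percent-decodes parameter names and ignores matches in the path or in values.
        params = parse_qs(urlsplit(m["target"]).query)
        if "static" in params:
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits

def is_affected(version):
    """True when a dotted version string is below 5.2.3, the bound quoted in the finding."""
    return tuple(int(p) for p in version.split(".")) < (5, 2, 3)

if __name__ == "__main__":
    for hit in find_static_requests(SAMPLE_LOG):
        print(hit)
    print("5.2.2 affected:", is_affected("5.2.2"))
```
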

after registering with the secret url, i saw a bot which executes commands like ls and cat. i found a .env file and got the password for the delight user.
recyclops : Queenofblad3s!23

running linpeas found the server is vulnerable to CVE 2021-3566
run the script -> https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation/blob/main/poc.sh
the script may fail; you have to run it many times and it will eventually work.
secnigma:secnigmaftw
sudo su;