First Step: Reconnaissance
In this step we gather as much information as we can about the target so we can plan our attacks around it and gain initial access.
Our handy tool to start with is nmap, which scans for entry points and checks for open ports.
We use the command as follows:
nmap -sC -sV 192.168.230.76 -oA InitialScan --min-rtt-timeout 5 -v
-sC Run the default NSE scripts
-sV Enumerate service versions
-oA Output in all three formats (.nmap, .gnmap, .xml), using InitialScan as the basename
--min-rtt-timeout 5 Wait at least 5 seconds for each probe response before giving up on it
-v Verbose
Through our scans we find these ports open:
22 for SSH
80 for HTTP
139 for Samba (netbios-ssn)
445 for Samba
8000 for an HTTP server running Apache and Koken CMS, which we noticed is version 0.22.24
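The -oA flag above also writes a greppable .gnmap file, which is the easiest of the three formats to post-process. The following Python script is an added example, not part of the original post: it parses a constructed .gnmap line mirroring the ports found above (service banners are made up), and then compares the open ports against an expected baseline, the kind of check a defender runs over their own scan output to spot services that should not be exposed. The baseline dictionary is an assumption for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of the .gnmap file that `nmap -oA <basename>` writes.
# Each port entry has the shape port/state/protocol/owner/service/rpcinfo/version/.
# Host, ports and service names mirror the scan in the post; version banners are made up.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sC -sV 192.168.230.76 -oA InitialScan --min-rtt-timeout 5 -v\n"
    "Host: 192.168.230.76 ()\tStatus: Up\n"
    "Host: 192.168.230.76 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//Apache httpd/, "
    "139/open/tcp//netbios-ssn//Samba smbd/, "
    "445/open/tcp//netbios-ssn//Samba smbd/, "
    "8000/open/tcp//http//Apache httpd/, "
    "8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (994)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# port / state / protocol // service // version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

Service = Tuple[int, str, str]  # (port, service name, version banner)


def parse_gnmap(text: str) -> Dict[str, List[Service]]:
    """Return {host: [(port, service, version), ...]} for every port reported open."""
    found: Dict[str, List[Service]] = {}
    for line in text.splitlines():
        # Only "Host: ... Ports: ..." lines carry port data; status and comment lines are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, _proto, service, version = m.groups()
            if state == "open":  # filtered/closed entries are not attack surface
                found.setdefault(host, []).append((int(port), service, version.strip()))
    return found


def unexpected_ports(found: Dict[str, List[Service]],
                     baseline: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open ports that are missing from each host's approved baseline (constructed policy)."""
    report: Dict[str, List[int]] = {}
    for host, services in found.items():
        allowed = baseline.get(host, set())
        extra = sorted(p for p, _s, _v in services if p not in allowed)
        if extra:
            report[host] = extra
    return report


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, services in scan.items():
        for port, service, version in services:
            print(f"{host}:{port}\t{service}\t{version}")
    # Assumed baseline: only SSH and the main web server are supposed to be reachable.
    print("unexpected:", unexpected_ports(scan, {"192.168.230.76": {22, 80}}))
```

Run against the real InitialScan.gnmap by reading the file into parse_gnmap; anything returned by unexpected_ports is a service the owner either did not know about or has not documented, and port 8000 here is exactly that kind of finding.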
After enumerating further, specifically on port 8000, we find the following:
The screenshot shows that we found an admin panel for Koken; running searchsploit, we find that there is a public exploit for this CMS:
As shown in the image above, I found two emails, [email protected] and [email protected], with babygirl as the password.
Let's try it below to see if we get authenticated!
As the PoC states, it's as simple as this:
"After you are logged in to Koken CMS Admin Panel, select the "Import Content" option.
As a proof of concept, I created a PHP file with the function phpinfo() and saved it with a double extension (image.php.jpg).
I selected the image.php.jpg file and forwarded the request to Burp."
While we do that, we have our netcat listener running:
And there we go, we got a shell:
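The PoC works because the upload handler trusts the client's filename: a name like image.php.jpg keeps an inner .php segment that a PHP-enabled Apache can still hand to the interpreter. The function below is an added example of how an upload check should treat such a file; it is not Koken's code and not from the original post. It drops any path component, refuses more than one extension, allowlists the final extension, checks the file's first bytes against the signature for that type, and stores the file under a random name so the client never controls what ends up on disk. The signature table and the test filenames are constructed for the example.

```python
import os
import secrets
from typing import Tuple

# Allowed image extensions mapped to the magic bytes their content must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_image_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Validate an uploaded 'image' and return (accepted, stored_name_or_reason).

    1. path components are dropped, so '../x.jpg' cannot escape the upload directory;
    2. exactly one extension is allowed, so 'image.php.jpg', 'photo.jpg.' and
       'photo.php\\x00.jpg' are refused before anything else is looked at;
    3. the extension must be on the allowlist;
    4. the first bytes must match the signature for that extension, so a PHP
       payload renamed to .jpg is refused even with a single extension;
    5. the stored name is random, so the client never chooses it.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "filename must be name.ext"
    if len(parts) > 2:
        return False, f"multiple extensions rejected: {base}"
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension not allowed: .{ext}"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, f"content does not match a .{ext} image"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 8   # constructed JPEG header
    php_bytes = b"<?php phpinfo(); ?>"               # constructed non-image content
    for name, data in [
        ("image.php.jpg", jpeg_bytes),   # the PoC's double extension
        ("shell.php", php_bytes),
        ("photo.jpg", php_bytes),        # right extension, wrong content
        ("photo.jpg", jpeg_bytes),       # the only one that should pass
    ]:
        print(name, "->", check_image_upload(name, data))
```

Even with these checks, the upload directory itself should be served without script execution (no handler for .php, no .htaccess overrides), so a mistake in validation cannot turn into code execution on the server.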