tiki

A CVE lets us bypass the admin password and log in as admin with a blank password. The user silky can run anything as root without a password, which let us log in as the root user.

nmap

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA)
|   256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA)
|_  256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/tiki/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 19s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-02T09:09:39
|_  start_date: N/A

Enumeration

smbEnumeration

smbclient \\\\10.0.2.59\\notes
Enter WORKGROUP\kali password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 29 09:52:09 2020
  ..                                  D        0  Thu Jul 30 15:32:11 2020
  Mail.txt                            N      244  Wed Jul 29 09:52:05 2020

		19992176 blocks of size 1024. 9393876 blocks available
smb: \> 

cat mail.txt

Hi Silky
because of a current Breach we had to change all Passwords,
please note that it was a 0day, we don't know how he made it.

Your new CMS-password is now 51lky571k1, 
please investigate how he made it into our Admin Panel.

Cheers Boss

silky:51lky571k1

webEnumeration

This version allows bypassing the admin login with a blank password by brute-forcing.

Now we found the user silky's creds for SSH login.

silky:Agy8Y7SPJNXQzqA

privilegeEscalation
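
The sudo misconfiguration noted in the summary (silky can run anything as root without a password) is the kind of rule a sudoers audit should flag. The following is an added example, not part of the original write-up: a shell function that reads sudoers-format text and reports rules granting ALL commands with NOPASSWD. The sample input is constructed; the silky rule is an assumption about how such a rule would look, and deploy and %ops are made-up names.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): report sudoers rules that
# let a user or group run ALL commands with NOPASSWD.
# Usage: audit_sudoers < /etc/sudoers
audit_sudoers() {
  awk '
    # Join continuation lines (trailing backslash) into one logical rule.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Skip blanks, comments, include directives, Defaults and alias definitions.
    line ~ /^[ \t]*([#@]|$)/ { next }
    line ~ /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
      sub(/^[ \t]+/, "", line)
      who = line; sub(/[ \t].*$/, "", who)          # first field: user or %group
      if (index(line, "NOPASSWD:") == 0) next
      cmds = substr(line, index(line, "NOPASSWD:") + 9)
      n = split(cmds, c, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", c[i])
        if (c[i] ~ /^PASSWD:/) break                 # password required again from here
        sub(/^([A-Z_]+:[ \t]*)+/, "", c[i])          # drop other tags such as SETENV:
        if (c[i] == "ALL") { print who ": " line; break }
      }
    }'
}

# Constructed sample input; the rules below are illustrative assumptions.
sample_sudoers() {
  cat <<'EOF'
# constructed sample, not taken from the target
Defaults env_reset
root    ALL=(ALL:ALL) ALL
silky   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
%ops    ALL=(ALL) NOPASSWD: /usr/bin/apt, \
        ALL
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then sample_sudoers | audit_sudoers; fi
```

Files under /etc/sudoers.d/ need the same pass, since include directives are skipped rather than followed.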