Brandy

nmap Scan Result

Brute-forcing directories, the below vhost which was added to the /etc/hosts file was found.

/master page hints to potential username (and password).. "rick" worked for both password and username for the Dolibarr login page

Foothold

Installed version of Dolibarr is vulnerable to Authenticated RCE. luckily a working exploit was found in searchsploit

Privilege Escalation

The netstat output shows port 25 (SMTP) running locally.

Checking the installed version of running SMTP service. it oberverd that the version 6.6.1p1 has a publicly known privilege escalation vulnerability (https://www.exploit-db.com/exploits/48051)

Extras

Dolibarr config file conataining mysql password