Monsieur Candie

Nmap Result

Directory fuzzing reveals a /doc page. According to the dev, only the XML feature works.

/XML shows a sample XML request, which helps us craft our exploit.

As seen below, we are also able to read the /etc/shadow file, which contains the users' password hashes. The root hash was also successfully cracked with hashcat.

Shell...

Privilege Escalation

Using pspy, we can see a bash script, "SrvMantainance.sh", that is run periodically.

The file is writable, and a reverse shell payload inserted into it was executed.
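
The root cause of this escalation is a periodically executed script that an unprivileged user can modify. The audit below is an added example, not part of the original writeup: it lists the absolute paths referenced in a crontab file and flags any script, or its parent directory, that is group/world-writable or not owned by the expected user. The function names (`cron_paths`, `weak_perms`, `audit_cron`) are hypothetical, and it assumes jobs are defined in crontab-style files.

```shell
#!/bin/sh
# Added example (not from the writeup): audit scripts run from a crontab
# for the weakness behind this privilege escalation.

# Print every absolute path mentioned on non-comment crontab lines.
# /dev/* redirect targets are skipped because they are writable by design.
cron_paths() {
    awk '!/^[[:space:]]*(#|$)/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^\// && $i !~ /^\/dev\//) print $i
         }' "$@" | sort -u
}

# Print PATH if it is group- or world-writable, or not owned by the
# expected uid ($2, default 0 = root). Prints nothing when PATH is fine.
weak_perms() {
    find "$1" -prune \( -perm -0020 -o -perm -0002 -o ! -user "${2:-0}" \) \
        -print 2>/dev/null || true
}

# Check each referenced script and its parent directory (a writable
# directory lets the script be replaced even if the file is locked down).
# Returns 1 if anything weak was found, 0 otherwise.
audit_cron() {
    owner=${2:-0}
    rc=0
    for p in $(cron_paths "$1"); do
        for target in "$p" "$(dirname "$p")"; do
            hit=$(weak_perms "$target" "$owner")
            if [ -n "$hit" ]; then
                echo "WEAK: $hit (referenced by $1)"
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone use: sh audit.sh /etc/crontab
if [ "$#" -gt 0 ]; then
    audit_cron "$1"
fi
```

The remediation for a flagged script is to make it and its directory owned by root and writable only by root.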