Monsieur Candie
Nmap Result
Directory fuzzing reveals a /doc page. According to the developer, only the XML feature works.
/XML shows a sample XML request, which helps us craft our exploit.
As seen below, we are also able to read the /etc/shadow file, which contains users' password hashes. The root hash was also successfully cracked with hashcat.
Shell...
Privilege Escalation
Using pspy, we can see a bash script, "SrvMantainance.sh", that is run periodically.
The file is writable, and the reverse shell payload inserted there was executed.
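
The root cause of this escalation is a periodically executed script that a low-privileged user can modify. The following audit check is an added example, not part of the original writeup: the function names and the optional expected-UID argument are assumptions, and it flags a scheduled script (or its containing directory) that is group/world-writable or not owned by the expected account.

```shell
#!/bin/sh
# Added example: audit a script that a privileged scheduler runs,
# e.g. a maintenance script like the SrvMantainance.sh finding above.
# Usage: audit_script PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Returns 0 when the path passes, 1 when at least one finding is printed.

# Print a finding when $1 is group/other-writable or not owned by uid $2.
check_entry() {
    entry=$1; want_uid=$2; rc=0
    # ls -ldn: field 1 is the mode string, field 3 is the numeric owner.
    info=$(ls -ldn -- "$entry" | awk '{print $1, $3}')
    mode=${info% *}; uid=${info#* }
    case $mode in
        ?????w*) echo "FINDING: $entry is group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "FINDING: $entry is world-writable ($mode)"; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $entry is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    return $rc
}

audit_script() {
    script=$1; owner=${2:-0}; status=0
    if [ ! -e "$script" ]; then
        echo "FINDING: $script does not exist"
        return 1
    fi
    check_entry "$script" "$owner" || status=1
    # A writable parent directory lets a user swap the script via rename.
    check_entry "$(dirname "$script")" "$owner" || status=1
    return $status
}

# Stand-alone use: sh audit.sh /path/to/script [...]
if [ "$#" -gt 0 ]; then
    for p in "$@"; do audit_script "$p" || :; done
fi
```

The fix for a flagged script is to make it and its directory owned by root and writable only by root (for example mode 755 or stricter).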