Plum

Nmap output

Nmap scan report for 192.168.239.28
Host is up (0.061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-favicon: Unknown favicon MD5: 2D58FC0104110AF4C9BE979DFD8FD83C
|_http-title: PluXml - Blog or CMS, XML powered !
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

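Port 80 is serving PluXml.

Tried the default credentials admin:admin on the admin page.

The credentials worked and we logged in as admin.

Went to Static Pages.

Edited a static page and added a PHP reverse shell to it. The static page editor accepts PHP, so admin access to the CMS means code execution on the web server.

Opened the page.

Got the reverse shell.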

Got local.txt (d543110567f6801f3bb1de3b9016d68e)

Port 25 is listening internally.

Checked /var/mail/ and found a mail containing the root password.

Used the password and got root.

Got proof.txt (96f4058f523566fb9579febdc6123da0)
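
A defender-side check for the /var/mail finding above, as an added example that is not part of the original writeup: it audits a mail spool directory for world-readable mailboxes and for messages that carry a credential in clear text, reporting the subject but never the secret. The keyword pattern, the sample mbox and the mailbox name exampleuser are constructed assumptions.

```python
import mailbox
import os
import re
import stat
import tempfile

# Constructed pattern: a credential keyword followed by a value on the same line.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|passphrase|secret)\b\s*(?:is\b|[:=])\s*\S+")

# Constructed sample mbox (not data from the target): one leaky mail, one benign.
SAMPLE_MBOX = (
    "From root@localhost Mon Jan  1 00:00:00 2024\n"
    "Subject: maintenance notice\n"
    "\n"
    "The root password: PLACEHOLDER-not-a-real-secret\n"
    "\n"
    "From cron@localhost Mon Jan  1 00:05:00 2024\n"
    "Subject: cron report\n"
    "\n"
    "All jobs finished.\n"
)

def audit_spool(spool_dir):
    """Return (mailbox, kind, detail) findings; the secret itself is never echoed."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IROTH:  # any local user, including a web service account, can read it
            findings.append((name, "world-readable", oct(mode)))
        box = mailbox.mbox(path, create=False)
        for msg in box:
            parts = [p for p in msg.walk() if not p.is_multipart()]
            text = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)
            if SECRET_RE.search(text):
                findings.append((name, "plaintext-secret", msg.get("Subject", "")))
        box.close()
    return findings

def demo():
    """Audit a temporary spool holding the constructed sample (mailbox name is hypothetical)."""
    with tempfile.TemporaryDirectory() as spool:
        path = os.path.join(spool, "exampleuser")
        with open(path, "w") as fh:
            fh.write(SAMPLE_MBOX)
        os.chmod(path, 0o644)
        return audit_spool(spool)
```

On a real host, call audit_spool("/var/mail") as a user allowed to read the spool and rotate any credential it flags.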