Linkvortex

Foothold
1. Fuzz to get vhost
2. Fuzz vhost to get .git
3. Dump the .git directory with git-dumper
4. Find the password with grep -rne "password\s*="
5. git log to see the version of GhostCMS that is vulnerable
6. Exploit the CVE to get LFI
7. LFI to read /var/lib/ghost/config.production.json to get credentials for SSH
PrivEsc
1. sudo -l to find out the commands you can run
2. The script checks if the link file points to root or etc
3. Create a nested link file so that a.png -> b.png -> /root/root.txt
4. Export the environment variable export CHECK_CONTENT=true
5. sudo /usr/bin/bash /opt/ghost/clean_symlink.sh b.png c.png
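The root cause of the PrivEsc is in step 2: the cleanup script looks only at the immediate target of the link, so a chain a.png -> b.png -> /root/root.txt passes the check. Below is an added example of how such a check should be written; it is not the box's /opt/ghost/clean_symlink.sh, and the function names, the temp-dir fixture and the use of GNU readlink -f are assumptions of this example. It resolves the final target of the whole chain before comparing it against the forbidden directories the writeup names.

```shell
#!/usr/bin/env bash
# Added example, not the box's own clean_symlink.sh: decide on the FINAL
# resolved target of a symlink, so nested chains cannot slip past the check.

# Returns 0 if the link may be processed, 1 if its fully resolved target lies
# under /root or /etc (the two directories the original script tried to guard).
symlink_target_is_safe() {
  link="$1"
  # readlink -f (GNU coreutils, assumed available) follows every hop of the
  # chain and canonicalises the result; the original script looked only at the
  # first hop, which is what the nested a.png -> b.png trick exploits.
  target=$(readlink -f -- "$link") || return 1
  case "$target" in
    /root|/root/*|/etc|/etc/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed fixture: rebuilds the nested chain from the writeup in a temp
# dir (pointing at /etc/passwd instead of root.txt) and checks that the
# hardened test rejects it. Returns 0 when the chain was blocked.
demo_nested_chain() {
  tmp=$(mktemp -d)
  ln -s /etc/passwd "$tmp/b.png"        # b.png -> /etc/passwd
  ln -s "$tmp/b.png" "$tmp/a.png"       # a.png -> b.png (looks harmless alone)
  if symlink_target_is_safe "$tmp/a.png"; then
    echo "allowed"; rc=1
  else
    echo "blocked"; rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# A link whose final target stays inside the working directory is still
# allowed, so the check does not break legitimate cleanup. Returns 0 if allowed.
demo_benign_link() {
  tmp=$(mktemp -d)
  echo "pixels" > "$tmp/real.png"
  ln -s "$tmp/real.png" "$tmp/c.png"    # c.png -> real.png, nothing sensitive
  if symlink_target_is_safe "$tmp/c.png"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

demo_nested_chain
```

Run with bash; the first demo prints "blocked". The point is that any symlink check which compares only the first hop (readlink without -f, or a pattern match on the link text) is bypassable by one extra indirection, so the canonical path is what must be compared.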