search
githubEdit

Ghost CMS

Headless CMS (Node.js). Often detected as "Ghost" + version in Wappalyzer/nuclei (e.g. Ghost 5.58). Admin panel: /ghost/#/signin.

No default credentials — the initial admin is created during setup at first access.

hashtag
Discovery

  • Footer: "Powered by Ghost"

  • Admin: http://TARGET/ghost/#/signin

  • Nuclei: nuclei -u http://TARGET -rl 13 -c 12 -as can detect ghost-panel, metatag-cms (version), and CVE-2022-41697.

  • VHost enum: ffuf with -H "Host: FUZZ.target.htb" and -fs SIZE (baseline size) to find subdomains like dev.

hashtag
CVE-2022-41697 (user enum / auth bypass)

Affects Ghost admin API session endpoint. Use Content-Type: application/json or the request may not be handled as expected.

  • Endpoint: POST /ghost/api/admin/session with JSON body {"username":"email@target","password":"..."}.

  • Nuclei template: [CVE-2022-41697] [http] [medium] http://TARGET/ghost/api/admin/session.

  • Reference: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1625

User enumeration (e.g. with ffuf) can be done by fuzzing the username/email and filtering on response (e.g. -fr "Authorization failed" or -fc 403). Using a request file is often easier: save the POST request from Burp with FUZZ in the email, then:

ffuf -request users.req --request-proto http -w /usr/share/seclists/Usernames/Names/names.txt -fc 403

hashtag
Authenticated file read (LFI)

With valid admin credentials, some exploits provide an interactive file-read shell (e.g. via Ghost API or theme/settings abuse):

Config path (production): /var/lib/ghost/config.production.json. Contains url, server.port, database, and often mail with SMTP credentials (auth.user, auth.pass) that may be reused for SSH or other services.

hashtag
Exposed .git on subdomain

If a subdomain (e.g. dev.TARGET) serves the app from a directory with exposed .git, you can try to recover the repo:

  • feroxbuster: feroxbuster -u http://dev.TARGET -E -g -w common.txt — look for /.git (301 → /.git/).

  • Dump .git: git-dumperarrow-up-right (Python) often works when other tools fail:

  • Staged changes / secrets: After cloning or extracting, check staged diff for hardcoded credentials:

    (Without --cached, only unstaged changes are shown.) Test files or config in the repo may contain passwords.

hashtag
Typical path to shell

  1. Enumerate vhosts (ffuf -fs), find e.g. dev.

  2. Find exposed .git on dev, dump with git-dumper, run git diff --cached for credentials.

  3. Or exploit CVE-2022-41697 / brute force Ghost admin.

  4. Log in to Ghost, use file-read (e.g. ghost_fileread.py) to read config.production.json and obtain mail or other creds.

  5. Reuse creds for SSH or next service.

PreviousCamaleon CMSNextpersistence

Last updated