I feel like such a plank. So without giving too much away, I'm in the administration panel… I know in my mind I have to get something uploaded and then execute it. I've enumerated the shit out of it (yet evidently not enough) and even found a flaw with the installation, as I've downloaded the CMS offline. It exposes the usernames to unauthenticated users. That's of little use here though. Monstra CMS 3.0.4 Unauthenticated User Credential Exposure – Simple Information Security Tutorials (CVE-2018-11480)
I've been burping everything, including the sub-functions like creating pages, but feel I might be missing a trick. It's quite evident that it's been developed detached from the original CMS, so a lot of the functionality is not as designed. Any suggested reading on web enumeration that could help?