CMesS
https://tryhackme.com/room/cmess
Nmap
Add cmess.thm to /etc/hosts
Root page for http://cmess.thm takes us to the following for Gila CMS.
I was unable to accurately determine the version so tried a few of the available exploits and was unsuccessful in making any progress. Further directory enumeration did not provided any further results of value.
From here I attempted sub domain brute forcing with wfuzz
to help identify any other avenues of exploitation.
This showed that the 'dev' subdomain is valid.
add the dev.cmess.thm domain to /etc/hosts.
Browsing to http://dev.cmess.thm shows the following page which contains user credentials:
Moving over to http://cmess.thm/admin/ we are then able to login as the user.
Moving over to the /fm/ directory we have some files we can view and edit the contents of. The contents of config.default.php contain some important credentials. root:r0otus3rpassw0rd
For a reverse shell I replaced the contents of config.php with a PHP reverse shell.
After saving changes I then browsed to http://cmess.thm/index.php and was able to receive a shell on my netcat
listener.
After performing some manual enumeration we find a .password.bak file in the /opt/ directory containing the password for andres.
Which can be used to login over SSH.
The home directory for andres has a directory called backup. Reading the note contained within informs us anything inside it will be backed up.
Assuming a process is being executed on a regular interval we can run psp64 (downloaded from our attacking machine) to identify processes being run.
We can see our pspy64 file has already been backed up. Directly underneath we can see the command being executed.
As the tar command ends in a wild card we can perform injection to grab a root shell. This is covered in greater details here: https://www.exploit-db.com/papers/33930.
Essentially when the tar command runs we can specify a checkpoint and a action to be performed by that checkpoint. As the process is being executed by root this leads to privilege escalation.
I first confirmed nc
was installed on the target machine using which nc
. I then used msfvenom to create a netcat
payload.
I then run the following commands inside the backup directory ensuring the msfvenom payload is included. After this has completed set a netcat
listener on the attacking machine.
Soon after the backup job will run again and we will land a root shell.
Last updated