TryHackMe: CMesS

[Enumeration]

1. Add the IP to /etc/hosts

2. Access the site. Nothing much there.

3. Port scan

There are 2 ports: 22 and 80.

4. OS and service scan

There's a robots.txt.

Access it. There are 3 disallowed entries.

Access all of them. Forbidden!!!

5. Vuln scan

There's an “admin” folder.

6. Directory scan

7. Access “/admin”

[Exploitation]

1. Find credentials for Gila CMS

I cannot find any default credentials, so let's guess with:

I need an email.

2. Search for subdomains

Since I have tried to access all directories on the site and there's nothing more, I will search for subdomains instead.

Add the sub-domain to “/etc/hosts”

Access it. There are 2 users: andre@cmess.thm with password “KPFTN_f2yxe%”, and support@cmess.thm.

3. Try to log in with the credentials.

Back to http://cmess.thm/admin

It's version 1.10.9.

4. Search for exploits

There's an LFI.

Read it.

Following the guide I typed:

Failed!!! But I'm redirected to the file manager instead. I may use it to upload a reverse shell.

5. Prepare a PHP reverse shell.

Upload it and the file will be stored in /assets.

Prepare a listener on port 1234.

Access the file in /assets:

Back to the listener, now I have a shell.

[Privilege Escalation]

1. Let's explore the machine.

Permission denied.

There's a hidden file.

2. Login as andre

From the login banner, this machine is 64-bit.

3. Find user.txt

4. Escalation to root

Upload lse.sh to the machine

Prepare an HTTP server

Download it

Change permissions

Run it

Nothing much, only that there are 2 users with a shell: root and andre.

Seems like I have to run it with the password.

The result isn't different. I have to do manual enumeration.

Check /etc/passwd permissions

Check /etc/shadow permissions
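The two checks above (which accounts have a real login shell, and whether /etc/passwd and /etc/shadow carry sane permission bits) are easy to script. The following Python is an added example, not part of the original write-up or of lse.sh; the passwd content and the file modes it audits are constructed samples written to a temporary directory, and the expected modes (0644 for passwd, 0640 for shadow) are the Debian/Ubuntu defaults.

```python
#!/usr/bin/env python3
"""Audit login-shell accounts and credential-file permissions (added example)."""
import os
import stat
import tempfile

# Shells that refuse an interactive login; anything else counts as a login shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample in /etc/passwd format (not copied from the machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
andre:x:1000:1000:andre:/home/andre:/bin/bash
"""


def login_shell_accounts(passwd_text):
    """Return (user, uid, shell) for every account whose shell allows a login."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line, skip rather than guess
            continue
        user, _, uid, _, _, _, shell = fields
        if shell and shell not in NOLOGIN_SHELLS:
            found.append((user, int(uid), shell))
    return found


def permission_findings(path, max_mode):
    """Return a finding for every permission bit set on path beyond max_mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode
    if not extra:
        return []
    return [f"{path}: mode {mode:04o} has bits {extra:04o} beyond expected {max_mode:04o}"]


def demo():
    """Run both checks on constructed data; returns (accounts, findings)."""
    accounts = login_shell_accounts(SAMPLE_PASSWD)
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        shadow = os.path.join(tmp, "shadow")
        for path in (passwd, shadow):
            with open(path, "w"):
                pass
        os.chmod(passwd, 0o666)   # constructed misconfiguration: world-writable passwd
        os.chmod(shadow, 0o640)   # the expected mode, should produce no finding
        findings = permission_findings(passwd, 0o644) + permission_findings(shadow, 0o640)
    return accounts, findings


if __name__ == "__main__":
    accounts, findings = demo()
    for user, uid, shell in accounts:
        print(f"login shell: {user} (uid {uid}) -> {shell}")
    for finding in findings:
        print("FINDING:", finding)
```

On a real host, replace `SAMPLE_PASSWD` with the contents of `/etc/passwd` and point `permission_findings` at `/etc/passwd` and `/etc/shadow`; a world-writable passwd or a world-readable shadow is the kind of result that turns the manual enumeration into a direct privilege-escalation finding.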

Check SUID and SGID.

Check cron

With the wildcard (*), I can inject a reverse shell into this command.

Create a reverse shell.

Download it to the victim machine.

Prepare a listener on port 1235.

Let's inject the command.

Looking at GTFOBins, I have to add a checkpoint.

After waiting for 2 mins I don't have any shell. I have to try another way.

Delete the former command.

Create a new reverse shell command.
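The risk here is that a bare `*` in a cron job is expanded by the shell in a directory a lower-privileged user can write to, so file names that start with `-` arrive at tar as options. As an added example (not from the original write-up), the Python below audits a crontab for exactly that pattern: a `tar` invocation that receives an unanchored glob with no `--` separator before it. The crontab text is a constructed sample; it also includes the two hardened forms (`-- *` and `-C dir .`) so the audit shows what passes.

```python
#!/usr/bin/env python3
"""Flag cron jobs that hand tar a bare shell glob (added example)."""
import os
import re
import shlex

GLOB_CHARS = set("*?[")

# Constructed /etc/crontab-style sample: one risky job, two hardened ones.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    cd /var/backups/app && tar -zcf /tmp/app.tgz *
*/2 *   * * *   root    cd /var/backups/app && tar -zcf /tmp/app-safe.tgz -- *
0 3     * * *   root    tar -zcf /tmp/www.tgz -C /var/www/html .
"""


def dangerous_tar_globs(command):
    """Return the bare glob arguments given to tar within a shell command string.

    A glob is bare when its expansion can begin with '-': it has no '/', './'
    or '../' prefix, it is not quoted (the shell would not expand it), and no
    '--' option terminator precedes it.
    """
    findings = []
    # Look at each simple command separately (split on &&, ||, ; and |).
    for simple in re.split(r"&&|\|\||;|\|", command):
        try:
            argv = shlex.split(simple, posix=False)  # posix=False keeps quotes visible
        except ValueError:
            continue
        if not argv or os.path.basename(argv[0]) != "tar":
            continue
        after_dashdash = False
        for arg in argv[1:]:
            if arg == "--":
                after_dashdash = True
                continue
            if after_dashdash or arg[0] in "'\"":
                continue
            if not (GLOB_CHARS & set(arg)):
                continue
            if arg.startswith(("/", "./", "../")):
                continue
            findings.append(arg)
    return findings


def audit_crontab(text, has_user_field=True):
    """Return (user, command, globs) for each job whose tar call gets a bare glob.

    has_user_field=True parses /etc/crontab and /etc/cron.d files (user column
    present); False parses per-user crontabs from `crontab -l`.
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                # @reboot, @daily, ...
            fields = line.split(None, 2 if has_user_field else 1)
        else:
            fields = line.split(None, 6 if has_user_field else 5)
        if len(fields) < (3 if has_user_field else 2):
            continue
        user = fields[-2] if has_user_field else "(current user)"
        command = fields[-1]
        globs = dangerous_tar_globs(command)
        if globs:
            results.append((user, command, globs))
    return results


if __name__ == "__main__":
    for user, command, globs in audit_crontab(SAMPLE_CRONTAB):
        print(f"RISK user={user} globs={globs}: {command}")
```

The fix on the defending side is the pattern the sample already shows: give tar an explicit directory (`tar -zcf out.tgz -C /path .`), or at least terminate option parsing with `--` before any glob, and keep the archived directory out of reach of unprivileged writers.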

Reference:

Wait about 2 mins. Now I have a shell.

Verify the user

I’m root.

Read root.txt
