✅TryHackMe - CMesS (Medium)
Subdomain fuzzing with Wfuzz finds a hidden domain dev.cmess.thm. This domain hosts a static page that leaks a CMS admin-panel credential. In the admin panel there is an upload form where we can upload php-reverse-shell.php and catch a reverse shell as www-data.
On the victim machine, there is a backup file that leaks the user Andre's password. At this stage we can SSH in as Andre and get a user shell.
In the privilege escalation phase, we find a "cron wildcard" vulnerability and get a root shell via tar injection.
RHOST: 10.10.39.82
LHOST: 10.13.12.2
Fuzz directory using Gobuster:
Gobuster finds a directory /admin:
The directory /admin has a login form, but we don't know the credential yet:
Fuzz subdomain using Wfuzz:
Wfuzz finds dev.cmess.thm:
Update /etc/hosts:
http://dev.cmess.thm has a development log. From the conversation between Andre and the support team, we learn his credential andre@cmess.thm:KPFTN_f2yxe%:
Use this credential for admin panel login and now we have access to the admin panel:
Go to "Content => File Manager" and we find an upload form:
Upload php-reverse-shell.php. It turns out that the uploaded files are stored in /assets:
Start a pwncat listener:
Trigger the reverse shell payload at http://cmess.thm/assets/php-reverse-shell.php and catch a reverse shell as www-data:
LinPEAS finds a readable backup file /opt/.password.bak:
This file contains Andre's password:
SSH in using the credential andre:UQfsdCB7aAP6 and now we get a user shell:
Examine crontab:
This falls into the "cron wildcard" scenario. To learn more, read my note:
Prepare a payload:
Wait 2 minutes for the cronjob to run the payload script and then spawn a root shell:
Now we have a root shell:
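The root cause here is a cron job that lets the shell expand a bare `*` into tar's argument list, so any filename in that directory is parsed as if it were a tar option. As an added example (not part of the original writeup), the script below audits a crontab for exactly that pattern: it flags a `tar` command whose arguments contain a bare `*` or `dir/*` token, and the sample shows the hardened form beside it (`-C <dir> .`, so tar walks the directory itself and no glob is expanded). The crontab lines are constructed for illustration; the box's real crontab is not reproduced.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag cron jobs that hand a
# shell-expanded wildcard to tar (the "cron wildcard" misconfiguration).
# SAMPLE_CRONTAB is a constructed sample, not the box's real crontab.
SAMPLE_CRONTAB='# m h dom mon dow user command
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/backup.tar.gz *
0 3 * * * root tar -zcf /tmp/www.tar.gz -C /var/www/html .
*/5 * * * * root /usr/local/bin/cleanup.sh'

# audit_cron_wildcards CRONTAB_TEXT
# Prints "RISK <cron line>" for every non-comment line whose tar invocation
# receives a bare "*" or ".../*" argument. Other lines print nothing.
audit_cron_wildcards() {
    printf '%s\n' "$1" |
    grep -v '^[[:space:]]*#' |
    while IFS= read -r line; do
        # Keep only what follows the (last) "tar " word in the command.
        tar_args=$(printf '%s\n' "$line" |
            sed -n 's/.*[[:space:];&|]tar[[:space:]]\{1,\}//p')
        [ -n "$tar_args" ] || continue
        # Disable globbing so our own loop does not expand the "*" we
        # are looking for against the current directory.
        set -f
        for tok in $tar_args; do
            case "$tok" in
                '*'|*/'*')
                    printf 'RISK %s\n' "$line"
                    break
                    ;;
            esac
        done
        set +f
    done
}

# Stand-alone usage: audit the constructed sample.
audit_cron_wildcards "$SAMPLE_CRONTAB"
```

Run against a live system with `audit_cron_wildcards "$(cat /etc/crontab /etc/cron.d/* 2>/dev/null)"`. Any line it reports should be rewritten so the shell never expands a glob into tar's arguments: either archive with `-C <dir> .` as in the second sample line, or terminate option parsing with `--` before the file list, and make sure unprivileged users cannot create files in the archived directory.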