CMesS

in Blog

First I added the IP to hosts as cmess.thm as instructed on the page.

Enumeration

nmap

3059277c5086f99b0eaf1da61fcaa1f6.png

Looks like it’s running http, time to enumerate with gobuster while I look around the website.

Website

c05129e01ccdb330974f0061b116596a.png

While looking around the site I found it runs Gila CMS. Looks like there’s an RCE exploit on searchsploit for version 2.0.0

Gobuster found a page at /login so I’ll check that out. Doesn’t seem to be anything to find here as it sends an email to reset rather than being a form of some kind.

Exploit

Let’s look into the exploit found with searchsploit.

I mirror the exploit to look through how it works.

7f56a2b817b07ac51ceed234210b6bc9.png

It looks like it takes a command and runs it by using php and setting a session ID cookie. I’ll modify the command to spawn a remote shell and edit the target to point to the site.

I start a netcat listener on port 9876.

Ran the exploit and got nothing, maybe not the right thing here. Back to enumeration.

subdomain

Running wfuzz I get loads of results because I haven’t filtered anything. It looks like the default result is 290 words so I filter that out of my second attempt.

a5fca8347fbc1b0ad113b42ee4725707.png

I find the subdomain dev and add it to hosts to look at it.

dev log page

Found a dev log with a password in the plaintext.

0b9bd1459d0cb061f5e9ce26bd41374d.png

admin panel

Logged into the admin panel as andre, using the password found in the dev log.

b19dffba35c7629e1f3ff6ec7b8ca307.png

Found a file manager, going to try to upload a reverse shell script.

ef6234b2f42df1fbfb3dfc487f212689.png

Looks like it appeared in the assets folder.

f9a1ece6cc37ff55b0e0a5414a61b851.png

Starting a new netcat listener on 9875 and navigating to the assets/rev.php page.

Shell

We have a shell!

26c366c3142d2ec7a88c4aa21f1d7dcc.png

Upgrading shell with python.

c8ab7e6901090c2c03b1d708da9f27ca.png

Can’t find user.txt with find. Maybe not visisble to www-data.

find / -perm /4000 -type f -exec ls -ld {} ; 2>/dev/null Doesn’t find anything interesting.

/etc/crontab contains an interesting backup job. We can’t get into Andre’s folder at the moment so might be useful later.

56fd6f1ec720e540d7f88b7ebd879043.png

Time to use linpeas

linpeas

First we upload it by changing to /tmp on the server, starting a python http server in our exploits directory and grabbing the file with wget. Then we chmod +x the file and run it.

Some interesting writable files found.

72d758e108dd9fd462c87c710d76be42.png

Contents of /opt/.password.bak

andres backup password
********

Switching to Andre’s account

su andre with the password in the /opt/.password.bak file worked for switching user.

We found user.txt in Andre’s home directory. Time to look at if we can exploit that backup job we found earlier.

Having exploited these before I have a note in my exploits folder containing the following commands:

fce6804a39f3e269dfb5039d9708c5d1.png

We first start a netcat listener on 9876 and then run these commands in /home/andre/backup then just wait for the connection.

We get a connection and check id, we have root!

627bc613339dbcc1afa02c1a587d2db1.png

Room complete, this was a satisfying one as I didn’t have to look for any help as I had exploited tar backup cronjobs previously.