THM CMesS
Please add IP_MACHINE cmess.thm to /etc/hosts.
Please also note that this box does not require brute forcing!
As mentioned above, let's add this machine to our hosts file. After that, let's scan the machine for open ports.
The result shows that 2 ports are open, and robots.txt lists 3 different directories.
The landing page of this machine appears to run Gila CMS, and there is not much else of interest.
Let's start searching for directories using gobuster and my testing tool (linkfinder).
We get a huge number of findings. Unfortunately, none of the directories listed in robots.txt can be accessed. We are stuck here. Let's enumerate subdomains to look for anything interesting, since we can't brute force the login page.
After a while, we manage to find one subdomain. Let's add it to our hosts file.
This page shows a conversation between a user and what appears to be their support team. From this page, we manage to get valid credentials; let's use them on the login page.
We now know their credentials clearly.
BOOM!! We manage to get in as admin here. This Gila CMS is running version 1.10.9.
Let's look for any known exploit for it.
From this PoC, we know that we can perform Local File Inclusion (LFI). Let's navigate to /etc/hosts.
We manage to exploit the LFI on this website, and the most interesting part is that we can upload our own file. As another method, we can change the config.php file into a reverse shell.
Copy the shell and replace config.php with it. Why is this dangerous? config.php usually contains a lot of credentials and the most important settings that run the website. Once an attacker manages to change this file, the machine is already in big trouble.
Refresh the page and check our listener. I will stop here since I use another method.
As usual, I will use revshell to create my reverse shell file. Once it is downloaded, let's run the file that is stored in assets. Before that, always make sure the listener is open.
We manage to get a shell as www-data. Next, let's turn the raw shell into a stable shell. Once ready, let's see what we can do. Navigating to the home directory, we find one user, andre, but we can't access this account.
From here, I use skills learned from a past boot2root bootcamp. Since I don't like to use linpeas, for some reasons, I will go horizontal first. I start with SUID binaries, but nothing interesting shows up. Let's focus on finding any possible passwords.
find / -name "*password*" -perm -u+r 2> /dev/null
One of these directories caught my eye. Let's see what is inside.
We found a backup password for andre?? WHAT!!! Let's try it, and here we get the user flag.
To get a more stable shell, let's switch to SSH. As usual, I will check the sudo permissions for this user.
Unfortunately, their system administrator has blocked every sudo permission that could lead to root.
Next, I check the crontab. Here I can see interesting information: every 2 minutes, it automatically backs up andre's folder.
That means we can exploit root using tar. Before that, we have to create a shell inside the backup directory and give a checkpoint to it.
I mistakenly put my shell in andre's home directory instead of the backup directory. Once everything is fixed, let's wait 2 minutes for the automated task to run.
We manage to gain root and the root flag. Thanks for reading.
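As an added defender-side example (not from the original writeup), this Python script audits a system crontab for the pattern abused above, a tar backup that globs * inside a user-writable directory, and flags any file names in that directory that tar would read as options instead of paths. The crontab lines and directory contents are constructed samples, not taken from the machine.

```python
import os
import re
import shlex
import tempfile

# Constructed /etc/crontab lines (not from the machine) in the page's pattern:
# a root job that archives a user's directory via a shell wildcard every 2 minutes.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root cd /home/andre/backup && tar -zcf /var/backups/andre.tar.gz *
0 3 * * * root tar -zcf /var/backups/www.tar.gz -C /var/www/html .
"""
# system crontab format: five time fields, a user, then the command
CRON_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def wildcard_tar_jobs(crontab_text):
    """(user, tar command, working dir) for every job that hands tar a bare '*'."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        cwd = None
        # split on && and ; so "cd DIR && tar ..." reveals the directory tar globs in
        for part in re.split(r"&&|;", m.group("cmd")):
            argv = shlex.split(part.strip())
            if argv[:1] == ["cd"] and len(argv) > 1:
                cwd = argv[1]
            elif argv[:1] == ["tar"] and "*" in argv[1:]:
                hits.append((m.group("user"), part.strip(), cwd))
    return hits

def option_like_entries(directory):
    """Names a wildcard would expand into something tar parses as an option, not a path."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

def make_sample_dir():
    """Constructed backup directory: one normal file and one option-like name."""
    d = tempfile.mkdtemp()
    for name in ("notes.txt", "--checkpoint=1"):
        open(os.path.join(d, name), "w").close()
    return d

def audit(crontab_text, directory):
    """Risky tar jobs plus planted names. Fix for flagged jobs: archive an explicit
    path (tar -zcf out.tgz -C DIR .) or put '--' before the file list."""
    return {"wildcard_jobs": wildcard_tar_jobs(crontab_text),
            "suspicious_names": option_like_entries(directory)}
```

Run audit(SAMPLE_CRONTAB, make_sample_dir()) to see both findings; point it at the real /etc/crontab text and backup directory to check a host.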
Learning
Another exercise in tar exploitation
Gila CMS
LFI