THM - CMesS
IP - 10.10.255.20
This is a medium level room on THM by Optional. It starts with bruteforcing subdomains to find a dev domain, where we find creds for the Gila CMS admin panel; the next step is to upload a PHP revshell to get a shell on the box. User was basic enumeration to find a password backup file, but root was interesting and was about wildcard injection. In the end I learned something new and useful.
As always, let's start off with an nmap scan using nmap -sC for default scripts.
Alright, if it isn't obvious yet, I am an IppSec fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
Alright, I guess our attack would be on the webserver running on port 80.
As soon as we open the website we can see it's using Gila CMS, though we can't find any version information, so I launched a gobuster scan. On enumerating a little we can see it's a simple blog post site.
Gobuster gave a lot of false positives for me, but it located the /admin directory, which redirected us to a login page that needed creds. The box creator Optional mentioned that the box doesn't require brute forcing, which was unique for a THM box. Anyway, I started enumerating more but got nothing, and in the end I looked at the hint for the user flag.
And I realised I had missed the note to add the IP to /etc/hosts (as cmess.thm). After adding it I started to look for subdomains. I did it using Turbo Intruder, which is a Burp Suite extension; you can also use gobuster or ffuf for it, but I will cover Turbo Intruder for this writeup. Thanks to pop_eax for telling me about it.
Alright, so the first step is to intercept the request to http://cmess.thm in Burp and send it to Repeater. On the Repeater tab, add a %s at the location you want to fuzz (here the Host header, since we are looking for subdomains).
Now simply change the wordlist in the Python code, I used /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt, and click Attack to start bruteforcing for subdomains.
And it found dev.cmess.thm. Navigating to that subdomain, we get this.
So we got credentials for email@example.com. And yep, we successfully logged into the CMS admin panel using these creds.
On the dashboard, under Content, the file system section looks like it lets us upload files to the webserver. I am going to use the reverse shell by pentest monkey, you can get it from here. It got uploaded successfully to the server at http://cmess.thm/assets/shell.php. Note that shell.php is the name of the file (the revshell) I uploaded.
Starting the netcat listener and browsing to http://cmess.thm/assets/shell.php... and what, no revshell? Looking at the file (the reverse shell) in the CMS, it was empty. After a little enumeration I figured our user doesn't have permission to upload files yet, but we can easily give admins all permissions and the admin role in the Administration/Users section. Repeating the process, and yep, we finally got our revshell.
Using ssh to get a shell as andre.
Rooting the Box
On running linpeas on the server we find this cronjob.
We can find a note on GTFOBins about how to privesc using tar, but here we don't have sudo access to tar; instead a root cronjob is running the tar command. I had a hard time figuring out that we need to do wildcard injection. This is a good article that helped me privesc; it is the third link if you google tar privesc. Google is your best friend.
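Since the root cronjob's tar-with-wildcard pattern is the whole privesc, a defender wants a quick way to spot it in their own crontabs. Here is an added Python example (mine, not the box's or the original writeup's code) that audits /etc/crontab-style lines for tar invocations whose wildcards are not protected by `--`, a `./` prefix or an absolute path; the crontab content is constructed sample data, not the box's real cron entry.

```python
import re
import shlex
# Constructed sample /etc/crontab (not the box's real entry): job 1 unsafe, jobs 2-4 protected.
SAMPLE_CRONTAB = """\
*/2 * * * * root cd /var/backup/src && tar -zcf /tmp/site_backup.tar.gz *
0 3 * * * root tar -czf /srv/backups/www.tgz -C /var/www/html -- *
30 1 * * * root tar -czf /srv/backups/logs.tgz ./*
@daily root find /data -type f -print0 | tar --null -T - -czf /tmp/data.tgz
"""
_SEP = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")  # splits a shell command list

def command_part(line):
    """Command portion of a system crontab line (None for comments/variables)."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+=", line):
        return None
    # '@daily'-style entries have one time field, normal ones five, and the
    # system crontab carries a user column before the command.
    n = 2 if line.startswith("@") else 6
    parts = line.split(None, n)
    return parts[n] if len(parts) > n else None

def unsafe_globs(simple_cmd):
    """Glob operands of a tar command that the shell could expand into names
    starting with '-': not after '--' and not anchored with './' or '/'."""
    argv = shlex.split(simple_cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return []
    found = []
    for arg in argv[1:]:
        if arg == "--":
            break  # everything after '--' is a file operand, never an option
        if "*" in arg and not arg.startswith(("./", "/")):
            found.append(arg)
    return found

def audit_crontab(text):
    """Return (line_no, simple_command, globs) for every unsafe tar job."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cmd = command_part(line)
        for simple in (_SEP.split(cmd) if cmd else []):
            globs = unsafe_globs(simple)
            if globs:
                hits.append((lineno, simple, globs))
    return hits

if __name__ == "__main__":
    for lineno, cmd, globs in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: unprotected wildcard {globs} in: {cmd}")
```

Run it against `cat /etc/crontab /etc/cron.d/*` output to review the jobs on a box you administer; the fix for a flagged job is to use `./*`, `-- *`, or `find -print0 | tar --null -T -` as in the protected samples.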