CMesS Writeup
CMesS link
Enumeration
Whilst we know we're dealing with a CMS on this box, let's start off with an nmap scan anyway, just in case there are any other services exposed on the box that we may need to know about or access.
It doesn't look like there's anything else of interest here. We could run another scan with -p1-55635 to cover far more ports than the 1000 common ports nmap scans by default, but I don't think we'll need to on this box.
After loading up the website we see a pretty basic interface. There's a default footer at the bottom that mentions 2017, so we could possibly be looking at an older version of Gila CMS.
Let's run a gobuster scan on it, and whilst that runs we can explore the website, try to find a version for the CMS and take a look at whether we can do anything with that search bar.
Manually searching through the website doesn't really reveal anything of interest, so on to the gobuster scan.
A whole bunch of junk shows up in the scan and robots.txt doesn't reveal anything of interest, but one thing does pop up: the /admin page. Let's take a look at that.
Looks like we have a login page. Let's load up Burp Suite and capture a request to see if there's anything interesting we can do with it.
Looking at the request captured by Burp Suite, we can see a cookie being set and a POST request with a username and password. After checking for SQL and NoSQL auth bypass I seem to have come up empty-handed.
I took a quick look at Exploit-DB and saw a few interesting exploits available, but none of them were effective on this version, and some I skipped over, such as the XSS exploit, as we won't have anyone interacting with the CMS.
Time to go down other avenues. Let's start by running ffuf and see if we can find a subdomain that we don't know about.
In order to get a correct result from ffuf we'll need to apply a filter, so let's run it for a few seconds without one to see what we can filter against, in hopes of finding a valid subdomain.
Looking at the results we can see that we always get a response code of 200, which is expected. Next, the size varies even on false entries, so we won't bother filtering against that; we could, but we'd need to enter every common variation, which would be too tedious.
The next two options, words and lines, both look consistent, so let's just filter against words and see if we get a valid subdomain.
And sure enough we have a valid subdomain. Let's go to it and see if there's anything interesting. A small note: on live sites you could use something like gobuster, amass or sublist3r to brute-force subdomains, but this room isn't going to have the domain name registered on a DNS server, so we can't in this instance. You'd also use something like ffuf if you needed to enumerate virtual hosts, where the IP address of the website and any subdomains are the same.
(Note: make sure you add the subdomain to your /etc/hosts, otherwise you won't be able to access it.)
And look at that: we have a password and some details about .htaccess being misconfigured. Let's go back to the admin page and see if we can get in. I did see an RCE exploit on Exploit-DB earlier, but it required valid credentials, so we may give that a shot.
And just like that we're in! Looking at what we initially have, there are some administration options, but more importantly, we have a version number.
Exploitation
Let's see if that RCE exploit I found earlier is compatible with this version. And sure enough it works! Now let's establish a more stable shell using socat and start enumerating the machine.
A quick look through and we can see there's a password.bak file that we can access. On further inspection it contains a password for andre, so let's grab that, switch over to his account and grab the user flag.
Nice and easy, now for root.
PrivEsc
Earlier I noticed in the linpeas output that there is a cron job run by root which takes a backup of andre's home directory and creates a tar.gz file in the /tmp directory. Let's take a look at that.
As we can see, the cron job uses a wildcard. This means that if we create two files named after tar's checkpoint options, we can execute any command we want. Let's copy /bin/bash into /tmp and add the SUID bit to it.
Now all we have to do is wait a couple of minutes for the cron job to run, and then we should be able to get root. We can check to see if the file is read
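The unquoted wildcard in that cron job is the whole reason this works, so here is a small audit check a defender could run over crontab text, written for this writeup as an added example (not from the original post or the room). It flags tar invocations that receive a glob argument and shows the hardened form of the backup line; the crontab samples are constructed, not copied from the box.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit crontab text for the
# pattern that makes this privesc possible, tar fed an unquoted wildcard so
# that file names inside the backed-up directory become tar arguments.

# Constructed sample crontab (not a capture from the box). Line 1 mirrors the
# vulnerable shape described above; the other lines are benign.
UNSAFE_CRONTAB='SHELL=/bin/sh
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3 * * * root tar -zcf /var/backups/etc.tgz -C /etc .
30 1 * * * root /usr/local/bin/rotate-logs'

# Hardened rewrite of line 1: tar is pointed at the directory with -C and a
# literal ".", so the shell never expands file names into arguments.
SAFE_CRONTAB='SHELL=/bin/sh
*/2 * * * * root tar -zcf /tmp/andre_backup.tar.gz -C /home/andre/backup .'

# flag_wildcard_tar CRONTAB_TEXT
# Prints each cron line where a tar command (bare "tar" or /path/to/tar) is
# followed by a glob token (* or ?); the schedule fields before the command
# are ignored. Exit status: 1 if any line was flagged, 0 if clean.
flag_wildcard_tar() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        /(^|[ \t;&|]|\/)tar[ \t]/ {
            n = split($0, tok, /[ \t]+/)
            seen = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /(^|\/)tar$/) { seen = 1; continue }
                if (seen && tok[i] ~ /[*?]/) { print $0; found = 1; break }
            }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-alone usage: audit the two constructed samples.
if flag_wildcard_tar "$UNSAFE_CRONTAB"; then
    echo "unsafe sample: nothing flagged (unexpected)"
else
    echo "unsafe sample: wildcard tar job flagged above"
fi
flag_wildcard_tar "$SAFE_CRONTAB" && echo "safe sample: clean"
```

Run it against `cat /etc/crontab /etc/cron.d/*` output on a host you administer to catch the same shape elsewhere.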