# THM | CMess This is a Linux box. You can find it [here](https://tryhackme.com/r/room/cmess). #### Skill Learned * Enumerating CMS (Gila) * Escalation via Cron Wildcards ## NMAP

nmap scan

### Port 80

port 80

/robots.txt

/robots.txt

/src/

/src/

We can see there is Apache 2.4.18 /login/

/login/

on wfuzz for subdomain we found dev ``` wfuzz -c -u http://cmess.thm/ -H "Host: FUZZ.cmess.thm" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400 --hw 290 ```

wfuzz for subdomain

dev.cmess.thm

dev.cmess.thm

we have the cred, now login and /admin
## Foothold/shell found this

running exploit

and we are in

shell

## Priv Esc ``` find / -type f -perm -04000 -ls 2>/dev/null ```

find / -type f -perm -04000 -ls 2>/dev/null

Nothing intersting was found, now let's look for find sensitive files ``` find / 2>/dev/null | grep password ``` found .password.bak

found .password.bak

found Andre's password
and we are in as Andre
found user.txt

user.txt

let's look at crontab ``` cat /etc/crontab ```

cat /etc/crontab

I made a mistake in cmd we need '=sh\ runme.sh'
after a minute or 2, we have a bash file
and we are the root