THM | CMess

This is a Linux box. You can find it here.

Skills Learned

  • Enumerating CMS (Gila)

  • Escalation via Cron Wildcards

NMAP


Port 80


/robots.txt


/src/


We can see the server is running Apache 2.4.18.

/login/


Fuzzing for subdomains with wfuzz, we found dev.


dev.cmess.thm


We have the credentials; now log in and go to /admin.

Foothold/shell

Found this exploit: https://www.exploit-db.com/exploits/51569

Running the exploit:

And we are in.


Priv Esc

find / -type f -perm -04000 -ls 2>/dev/null

Nothing interesting was found, so let's look for sensitive files instead.

Found .password.bak


Found Andre's password.

And we are in as Andre.

Found user.txt.


Let's look at the crontab.

cat /etc/crontab

I made a mistake in the command; we need '=sh\ runme.sh'

After a minute or two, we have the bash file.

And we are root.
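As an added defensive check (my own code, not from the original writeup): a small Python auditor that reads system-crontab job lines and flags tar invocations whose file operand is a bare shell glob, the pattern that makes this escalation possible, beside the hardened '-- *' and './*' forms. The crontab text and the /srv/backup path are constructed samples, not the box's.

```python
import os
import re
import shlex

# Constructed sample of a system crontab (placeholder paths, not the box's):
# line 3 is the risky form, lines 4 and 5 are two hardened rewrites.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*/2 * * * * root cd /srv/backup && tar -zcvf /tmp/backup.tar.gz *
*/2 * * * * root cd /srv/backup && tar -zcvf /tmp/backup.tar.gz -- *
*/2 * * * * root cd /srv/backup && tar -zcvf /tmp/backup.tar.gz ./*
"""

def tar_glob_operands(command):
    """Return tar operands the shell expands from a bare, unquoted glob."""
    # A bare '*' expands to every filename, so a file named like an option
    # reaches tar as one; '-- *' ends option parsing and './*' yields paths.
    tokens = shlex.split(command, posix=False)  # posix=False keeps quotes
    risky, in_tar, after_dashdash = [], False, False
    for tok in tokens:
        if tok in ("&&", "||", ";", "|"):  # a new simple command starts
            in_tar, after_dashdash = False, False
            continue
        if not in_tar:
            in_tar = os.path.basename(tok) == "tar"
            continue
        if tok == "--":
            after_dashdash = True
            continue
        if after_dashdash or tok[0] in "\"'":  # plain operand, or quoted
            continue
        if any(c in tok for c in "*?[") and not tok.startswith(("./", "/")):
            risky.append(tok)
    return risky

def audit_crontab(text):
    """Return (line_no, command, risky_operands) for each flagged job line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"\w+=", s):
            continue  # blank line, comment, or environment assignment
        fields = s.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            risky = tar_glob_operands(fields[6])
            if risky:
                findings.append((n, fields[6], risky))
    return findings
```

Run it against a copy of /etc/crontab to list jobs that should be rewritten with '--' or './' before the glob.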
