Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 80
  • Foothold/shell
  • Priv Esc
  1. Linux

THM | CMess

PreviousHTB | BoardLightNextTHM | ConvertMyVideo

Last updated 7 months ago

This is a Linux box. You can find it here.

Skill Learned

  • Enumerating CMS (Gila)

  • Escalation via Cron Wildcards

NMAP

Port 80

/robots.txt

/src/

We can see there is Apache 2.4.18

/login/

on wfuzz for subdomain we found dev

wfuzz -c -u http://cmess.thm/ -H "Host: FUZZ.cmess.thm" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400 --hw 290

dev.cmess.thm

we have the cred, now login and /admin

Foothold/shell

found this https://www.exploit-db.com/exploits/51569

and we are in

Priv Esc

find / -type f -perm -04000 -ls 2>/dev/null

Nothing intersting was found, now let's look for find sensitive files

find / 2>/dev/null | grep password

found .password.bak

found Andre's password

and we are in as Andre

found user.txt

let's look at crontab 

cat /etc/crontab

I made a mistake in cmd we need '=sh\ runme.sh'

after a minute or 2, we have a bash file

and we are the root

nmap scan
port 80
/robots.txt
/src/
/login/
wfuzz for subdomain
dev.cmess.thm
running exploit
shell
find / -type f -perm -04000 -ls 2>/dev/null
found .password.bak
user.txt
cat /etc/crontab