Hello everyone ,this is my first writeup on THM room in medium. I will be trying to write this up in a lucid way ….
First things first we’re told to add the hostname to our /etc/hosts file.So just open /etc/hosts with nano or vim or any text editor you like ;and simply add the hostname <ip> cmess.thm
Now let’s proceed to a nmap scan ,and let’s see what we get; nmap -sV -T4 -A <machine ip>
As we can see ,port 22 and port 80 are open ,with port 80 running a web server. Heading over to port 80 we see a simple and pretty empty home page.
We can see Gila CMS is running on it ,and there’s also nothing important in robots.txt ,we have already seen that in our nmap scan ,so let’s move on to see if we can find hidden directories.Fire up dirbuster and let’s see
Proceeding to /admin ,we can see an admin panel .After a lot of tries ,it seems nothing is working ,so i looked for the hint given in the room ,and as per the hint ,we need to fuzz for subdomain. There are lot of ways to fuzz including using burpsuite turbo intruder ,but still I choose to stick to wfuzz (Reason : speed matters)
wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u “http://cmess.thm/” -H “Host: FUZZ.cmess.thm” — hl 107
Almost instantly it gave a result ;Interesting huh!!
We added this to /etc/hosts too, then navigated to the site and boom! We found some chat-looking thing with some credentials in it!
After getting the cred ,I tried to ssh in with these but no luck ; so went and tried this cred in admin panel cmess.thm/admin
Boom! We are in , now let’s try to find a place to upload our shell.
Great stuffs !! we see we have some type of directory listing now with some upload functionality, so lets see if we can upload a shell. (We are going to use Pentest monkey reverse shell)
We managed to upload a payload which goes in to the “assets” directory. Lets start a listener back in our machine; sudo rlwrap nc -lvnp 1234 (note: the port number should be same we gave in reverse shell) and then browse to http://cmess.thm/assets/reverseShell.php to get the server to process the payload.
Awesome !! we are in ; now let’s proceed for enumeration ,so we will open a python server back in our machine and in our compromised machine ,we will move on to /tmp and download linenum from our machineby wget for enumeration
After giving permission to execute ,run it by ./linenum.sh
Now let’s see if we get something interesting ;
Hola ,we can see some password file is there /opt ,let’s see what’s in it :)
On opening it ,we will get to see andre’s password ,now let’s ssh into the machine as Andre
Awesome ,now on doing ls ; we will see user.txt ,open it and we will find our first flag
Great, during enumeration we also did find something interesting in /crontab.Looking into our results from linenum we see that a cronjob is running as root in every 2 mins.
In the last line we can see thejob is running a tar command to backup the andre users “backup” directory and everything in it and because this tar job is running with the “*” wildcard parameter we can do a wildcard exploit.
Now we will proceed via Priv esc techniques of wildcard exploit ,but instead of using the traditional method of creating a msfvenom payload and starting a listener ,we will just proceed in a little different way
We will copy /bin/bash to /tmp/bash ,and will give execute permission and place it in /home/andre/backup ,followed by running tar commands
After that we will wait for a min for our bash script to get executed and to trigger it ,we will type /tmp/bash -p
Viola ,we are in as root ,rest find the flag and enjoy!!!!
To conclude : This was a great box and really demonstrated the issues behind using wildcard’s in automated jobs or scripts, and how a hacker can leverage these vulnerabilities to gain higher privileges.
I hope this writeup will be helpful for you;Thank you……
