Play a game to gain access to a vulnerable CMS. Can you beat the odds?
This is Sustah from THM. It’s medium rated. We have another ‘hint’:
The developers have added anti-cheat measures to their game. Are you able to defeat the restrictions to gain access to their internal CMS?
SSH and HTTP, plus another HTTP port (8085).
The front page is a picture, with a quote:
“What you are is what you have been. What you’ll be is what you do now.” Buddha
Cool, cool. Dirsearch draws a blank. Doesn’t sound like a game though; let’s try the other port.
Here’s the game. We find a ‘spinner’ wheel (like roulette), which we can ‘spin’. There is also a message:
Feeling lucky? Guess the right number. You have a 0.004% chance of winning.
We can enter a number, and press a button to submit it. Capturing the request shows the number is submitted as a POST request to /home. 0.004% corresponds to 1 in 25000, so it’s just brute force the request with 25000 numbers, right?
Well yes, but it’s not quite that simple.
When we send a request, the server sends back a response like this:
Sending more than 10 requests quickly results in a 429 - Too many requests error.
I hadn’t seen this before, but some research revealed we can set some headers of our own to try to bypass this. In the end what I did was write a script to use cURL to brute force the server, with the additional headers and also setting the user agent to the number I was sending as well; just so it wasn’t always the same. I got the script to diff the server response for each value against a prototypical bad response until I got something different:
This script, after some time, revealed the answer: /YouGotTh3P@th
The path doesn’t go with port 8085, it goes on Port 80. And here, we find something called MaraCMS, which is a (sorry) butt-ugly CMS written in PHP. You can login with default credentials (which then have to be changed); this gets you an admin account. After that I just clicked around until I found a way to upload a shell, it wasn’t difficult but then later I Googled and found instructions. Bingo. I used the Pentestmonkey PHP reverse shell.
We have one main user; kiran. Enumerate the server to find his password:
No sudo, but something similar….
Linpeas shows me something I’ve never seen before:
The doas utility is a program originally written for OpenBSD which allows a user to run a command as though they were another user. Typically doas is used to allow non-privleged users to run commands as though they were the root user. The doas program acts as an alternative to sudo, which is a popular method in the Linux community for granting admin access to specific users.
Right, so it’s basically sudo. So, with that and GTFOBins, we should be good?