Vulnhub My CMSMS: 1 Walkthrough

by Vince
in Blog

The description states:  "Like its name, this box contains some interesting things about CMS. It has been designed in a way to enhance user's skills while playing with some privileges. It's a quite forward box but stay aware of rabbit holes."

I think the description pretty much nails it.  It's beginner to intermediate -- I think leaning definitely towards beginner but there are some rabbit holes that you might want to hammer on that could lead to some lost time.  I don't want to get too deep into it so let's kick it off with Nmap:

Although I see port 80 open, I immediately home in on the open MySQL port: it's blabbing, which leads me to believe that we can access it.  I first try root with no password, but then discover that it's just root:root
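The weakness here is an administrative MySQL account that is both reachable over the network and protected by a password equal to its username. The following script is an added example (not part of the original post or of the box) that audits rows shaped like `mysql.user` for exactly those conditions: it recomputes the `mysql_native_password` hash (`*` followed by SHA1(SHA1(password)) in uppercase hex) for the account name and a few default guesses and compares it to the stored value. The rows are constructed for this example; the `root@%` entry mirrors the root:root finding above.

```python
import hashlib


def mysql_native_hash(password: str) -> str:
    """mysql_native_password storage format: '*' + SHA1(SHA1(password)), uppercase hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Guesses the audit tries against every account, besides the account name itself.
DEFAULT_GUESSES = ("", "password", "toor", "mysql", "admin")


def audit_accounts(rows):
    """Return (user, host, problem) tuples for rows of (User, Host, authentication_string).

    Flags accounts reachable from any host ('%'), accounts with no password,
    and accounts whose password equals the user name or a common default.
    """
    findings = []
    for user, host, auth in rows:
        if host == "%":
            findings.append((user, host, "reachable from any host"))
        if auth == "":
            findings.append((user, host, "no password set"))
            continue
        for guess in (user,) + DEFAULT_GUESSES:
            if mysql_native_hash(guess) == auth:
                findings.append((user, host, f"password is '{guess}'"))
                break
    return findings


# Constructed sample rows in the shape of mysql.user; not values taken from the box.
SAMPLE_ACCOUNTS = [
    ("root", "localhost", mysql_native_hash("root")),
    ("root", "%", mysql_native_hash("root")),
    ("cms", "localhost", mysql_native_hash("Xk9-constructed-strong-passphrase")),
    ("backup", "10.0.0.%", ""),
]

if __name__ == "__main__":
    for user, host, problem in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}@{host}: {problem}")
```

On a real server the same query would be `SELECT User, Host, authentication_string FROM mysql.user;`, and the fix for what the audit flags is to drop the `root@'%'` account, set a real password, and bind the daemon to 127.0.0.1 unless remote access is genuinely required.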

Because of the name, we already know there's a CMS, so we go looking for the database:

Looking for the users table:

We find it:

Let's see if we can get a hash:

I attempt to crack the hash but no such luck.  I then attempt to insert a hash of our own:

When I try to login:

I get denied.  Apparently, the stored value isn't a plain MD5 of the password.

I do a quick search and I find this query which updates the hash:

Now we can login:

I go hunting for a way to insert PHP and I find:

Let's head over to user defined tags:

I create a user defined tag for a reverse shell:

I start a new post and enter the tag syntax:

It doesn't work.  Later I discover that netcat is missing and I probably could have used Python instead.  Of course, hindsight is 20/20.  Given that I failed in my reverse shell attempt, I try something smaller:

I also move the tag into the footer:

When I refresh the page:

OK, so things are working, and I start messing around with the file upload function.  I can't upload a PHP reverse shell with a .php extension, but I can upload a shell with a .txt extension:

I attempt to rename the shell from our user defined tag:

I'm successful and I hit the shell from the browser:

With our handler set up:

I look for setuid binaries and I find:

This doesn't really make sense to me and I think it's a rabbit hole so I move on.

Hunting around, I find:

This is double encoded, first with base64 and then with base32:
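Stacked encodings like this are a recurring pattern in credential files, and they offer no protection at all, because each layer can be recognised and removed mechanically. The script below is an added example, not code from the post or the box: `wrap` reproduces the layering the post describes (base64 first, base32 on top), and `peel_layers` strips layers in the reverse order by trying each decoder until nothing decodes to printable text. The credential string is a constructed placeholder; the box's real value is not reproduced.

```python
import base64
import binascii
import string

# Constructed placeholder credential; not the value stored on the box.
PLAINTEXT = "armour:EXAMPLE_PASSWORD"


def wrap(text: str) -> str:
    """Apply the layering the post describes: base64 first, then base32 on top."""
    inner = base64.b64encode(text.encode())
    return base64.b32encode(inner).decode()


# Decoders tried at each layer, most restrictive alphabet first.
DECODERS = (
    ("base32", lambda s: base64.b32decode(s, casefold=True)),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
)


def _looks_like_text(raw: bytes) -> bool:
    """True if the decoded bytes are non-empty printable ASCII."""
    try:
        s = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(c in string.printable for c in s)


def peel_layers(blob: str, max_layers: int = 8):
    """Strip base32/base64 layers until nothing decodes to printable text.

    Returns (final text, names of the layers removed, outermost first).
    """
    current = blob.strip()
    removed = []
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                out = decode(current)
            except (binascii.Error, ValueError):
                continue
            if _looks_like_text(out):
                current = out.decode("ascii")
                removed.append(name)
                break
        else:
            break  # no decoder produced text: this is the payload
    return current, removed


if __name__ == "__main__":
    blob = wrap(PLAINTEXT)
    print("stored:", blob)
    print("recovered:", peel_layers(blob))
```

The order of `DECODERS` matters: every base32 string is also made of base64 alphabet characters, so base32 is tried first and a result is only accepted if it decodes to printable text, which keeps the loop from misreading a base32 layer as base64.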

When we decode it, we get the username and password for the armour account.  We switch users to armour:

We check our sudo privileges and we learn that we can execute Python as root.  It's almost game over.  We execute a reverse shell with Python:
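A sudo rule that hands a user an interpreter as root is equivalent to handing them root, so it is worth scanning sudoers for this pattern before an attacker does. The script below is an added example (not from the post or the box) that parses the common one-line sudoers form `user host=(runas) [TAG:] command, command` and reports rules granting a non-root user a shell or script interpreter, or `ALL` commands. The sudoers excerpt is constructed for this example; its `armour` line reflects the grant the post found.

```python
import os
import re

# Constructed sudoers excerpt; only the armour line mirrors the box.
SAMPLE_SUDOERS = """\
# constructed for this example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
armour  ALL=(root) NOPASSWD: /usr/bin/python
backup  ALL=(root) /usr/bin/rsync
ops     ALL=(ALL) /usr/bin/systemctl restart nginx, /bin/bash
"""

# user host=(runas[:group]) commandspec   (Defaults and aliases are skipped)
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
# Leading tags such as NOPASSWD: or SETENV: may stack in front of a command.
TAGS = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*)+",
    re.I,
)
# Program basenames that give an interactive or scriptable shell.
INTERPRETER = re.compile(r"^(sh|bash|dash|zsh|ksh|python|perl|ruby|php|node|lua)[0-9.]*$")


def audit_sudoers(text: str):
    """Return (user, runas, command, reason) for risky root-capable grants."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _host, runas, cmdspec = m.groups()
        runas_user = (runas or "root").split(":")[0]
        if user == "root" or runas_user not in ("root", "ALL"):
            continue  # only non-root users that may run things as root
        for cmd in cmdspec.split(","):
            cmd = TAGS.sub("", cmd.strip())
            if not cmd:
                continue
            program = cmd.split()[0]
            if program == "ALL":
                findings.append((user, runas_user, cmd, "all commands"))
            elif INTERPRETER.match(os.path.basename(program)):
                findings.append((user, runas_user, cmd, "interpreter or shell"))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} may run '{cmd}' as {runas}: {reason}")
```

Against a live system, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`. The corrective is to grant one fixed, root-owned, non-writable script (for example `/usr/local/sbin/some-task.sh`, a placeholder path) rather than the interpreter itself; the interpreter path lets the user run any code as root.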

With our handler set up:

Game over.

Fun box!  A couple of little rabbit holes to play in but aside from that, pretty straightforward.