Vulnhub My CMSMS: 1 Walkthrough
by Vince, in Blog
The description states: "Like its name, this box contains some interesting things about CMS. It has been designed in a way to enhance user's skills while playing with some privileges. It's a quite forward box but stay aware of rabbit holes."
I think the description pretty much nails it. It's beginner to intermediate -- I think it leans definitely towards beginner, but there are some rabbit holes you might be tempted to hammer on that could cost you some time. I don't want to get too deep into it, so let's kick it off with Nmap:
Although I see port 80 open, I immediately hone in on the open MySQL port, which is chatty enough that I suspect we can access it remotely. I first try root with no password, but then discover that it's just root : root
Because of the name, we already know there's a CMS, so we go looking for the database:
Looking for the users table:
We find it:
Let's see if we can get a hash:
I attempt to crack the hash but no such luck. I then attempt to insert a hash of our own:
When I try to login:
I get denied. Apparently, it's not just md5.
I do a quick search and I find this query which updates the hash:
Now we can login:
I go hunting for a way to insert PHP and I find:
Let's head over to user defined tags:
I create a user defined tag for a reverse shell:
I start a new post and enter the tag syntax:
It doesn't work. Later I discover netcat is missing and I probably could have used Python. Of course hindsight is 20-20. Given that I failed in my reverse shell attempt, I try something smaller:
I also moved into the footer:
When I refresh the page:
Ok, so things are working and I start messing around with the file upload function. I can't upload a PHP reverse shell with a .php extension, but I can upload a shell with a .txt extension:
I attempt to rename the shell from our user defined tag:
I'm successful and I hit the shell from the browser:
With our handler setup:
Excellent!
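The upload bypass above worked because the extension check ran only at upload time and the rename path (reached from the user defined tag) applied no check at all. Here is an added example, not code from the post or from the CMS itself, of how an upload handler should enforce the same allowlist on every operation that sets a filename, plus a content check so a PHP file with a harmless extension is still refused. The in-memory UploadStore, the extension lists and the sample inputs are all constructed for the example.

```python
import os
import re

# Extensions a document/image upload feature legitimately needs (assumption).
ALLOWED_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif", "pdf"}
# Extensions a PHP-enabled web server may hand to the interpreter (assumption).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Open tags that mark a file as PHP regardless of its name.
PHP_OPEN_TAGS = (b"<?php", b"<?=")
# Stem must be a short, boring name: this also rejects dotfiles such as .htaccess.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_name(filename):
    """Check a filename against the allowlist. Returns (ok, reason)."""
    if os.path.basename(filename) != filename or filename in ("", ".", ".."):
        return False, "path component in name"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    stem, exts = parts[0], parts[1:]
    if not STEM_RE.match(stem):
        return False, "unsafe characters in name"
    # An executable extension anywhere in the name is rejected, not just the last one:
    # with some handler configurations "shell.php.txt" is still executed as PHP.
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return False, "executable extension"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, "ok"


def validate_content(content):
    """Reject content that starts with a PHP open tag, whatever the extension says."""
    head = content.lstrip()[:8]
    if head.startswith(PHP_OPEN_TAGS):
        return False, "executable content"
    return True, "ok"


class UploadStore:
    """In-memory stand-in for the CMS upload directory (constructed for this example)."""

    def __init__(self):
        self.files = {}

    def upload(self, filename, content):
        for check in (validate_name(filename), validate_content(content)):
            if not check[0]:
                return check
        self.files[filename] = content
        return True, "ok"

    def rename(self, old, new):
        # The same allowlist applies on rename; this is the path the .txt -> .php swap used.
        if old not in self.files:
            return False, "no such file"
        ok, reason = validate_name(new)
        if not ok:
            return False, reason
        self.files[new] = self.files.pop(old)
        return True, "ok"


if __name__ == "__main__":
    store = UploadStore()
    print(store.upload("notes.txt", b"just some notes"))
    print(store.rename("notes.txt", "notes.php"))
    print(store.upload("shell.txt", b"<?php echo 'hello'; ?>"))
```

The point is the shared validator: any code path that can produce a filename on disk (upload, rename, move, template-driven file writes) calls the same function, so there is no second path with weaker rules.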
I look for setuid binaries and I find:
This doesn't really make sense to me and I think it's a rabbit hole so I move on.
Hunting around, I find:
This is double encoded, first with base64 and then with base32:
When we decode it, we get the username and password for the armour account. We switch users to armour:
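Layered encodings like this turn up constantly when an analyst is pulling strings out of config files, scripts or malware, and guessing the order of the layers by hand gets old quickly. The following is an added example, not part of the original post, of a small decoder that peels base32 and base64 layers until it reaches printable text and reports the order it found. The credential-like sample is constructed for the example and is encoded the way the post describes (base64 first, then base32), so it is decoded in the reverse order.

```python
import base64
import binascii
import re
import string

# Constructed sample: a made-up credential, base64-encoded and then base32-encoded.
PLAINTEXT = "armour:ExamplePassw0rd!"
SAMPLE = base64.b32encode(base64.b64encode(PLAINTEXT.encode())).decode()

# Base32's alphabet is a subset of base64's, so an all-uppercase string that fits
# the base32 pattern is tried as base32 first; base64 of real text mixes cases.
B32_RE = re.compile(r"^[A-Z2-7]+=*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _looks_printable(data):
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(chr(b) in string.printable for b in data)


def _try_decode(text):
    """Yield (encoding name, decoded bytes) for each encoding that decodes `text` cleanly."""
    if B32_RE.match(text) and len(text) % 8 == 0:
        try:
            yield "base32", base64.b32decode(text)
        except binascii.Error:
            pass
    if B64_RE.match(text) and len(text) % 4 == 0:
        try:
            yield "base64", base64.b64decode(text, validate=True)
        except binascii.Error:
            pass


def peel_layers(blob, max_depth=8):
    """Strip encoding layers until the result is no longer decodable to printable text.

    Returns (plaintext, layers) where layers lists the encodings in the order
    they were removed (outermost first).
    """
    layers = []
    current = blob.strip()
    for _ in range(max_depth):
        for name, decoded in _try_decode(current):
            if _looks_printable(decoded):
                layers.append(name)
                current = decoded.decode("ascii").strip()
                break
        else:
            # No encoding produced printable output: treat this as the plaintext.
            break
    return current, layers


def decode_sample():
    """Decode the constructed sample; expected to return the plaintext and two layers."""
    return peel_layers(SAMPLE)


if __name__ == "__main__":
    text, layers = decode_sample()
    print("layers removed:", " -> ".join(layers))
    print("plaintext:", text)
```

The printable check is what stops the loop: a real password such as "hello" happens to match the base64 alphabet, but base64-decoding it gives binary junk, so the decoder keeps the previous result instead of destroying it. Raise max_depth if you expect deeper nesting.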
We check our sudo privileges and we learn that we can execute Python on behalf of root. It's almost game over. We execute a reverse shell with Python:
With our handler setup:
#rootdance
Game over.
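The root step came down to one sudoers line: a user allowed to run an interpreter as root, which is the same as giving them a root shell. As an added example that is not part of the original post, here is a small auditor that parses sudoers-style rules and flags entries granting a non-root user either any command or a binary that can spawn arbitrary processes. The sudoers content, the user names and the list of dangerous binaries are all constructed for the example; the list is deliberately partial.

```python
import re

# Constructed sudoers content modelled on the box's finding; names are made up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
armour  ALL=(root) NOPASSWD: /usr/bin/python
backup  ALL=(root) /usr/bin/rsync
www-data ALL=(ALL) NOPASSWD: ALL
"""

# Binaries that hand the caller an arbitrary-command primitive when run as root:
# interpreters, shells, and editors/pagers that can spawn a subprocess (partial list).
DANGEROUS = {
    "python", "python2", "python3", "perl", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more", "awk", "find",
}

# user  host = (runas) TAG: cmd, cmd ...   (user ALL=(ALL:ALL) NOPASSWD: ALL)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return a list of findings, one per risky command grant to a non-root user."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments (this also drops #include lines)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        # root's own rule is expected; group rules (%name) are audited by group membership instead.
        if user == "root" or user.startswith("%"):
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        nopasswd = "NOPASSWD" in (m.group("tags") or "")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL":
                reason = "any command"
            elif binary in DANGEROUS:
                reason = "can spawn arbitrary commands"
            else:
                continue
            findings.append({
                "line": lineno, "user": user, "command": cmd,
                "runas": runas, "nopasswd": nopasswd, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("line {line}: {user} -> {command} as {runas} "
              "(NOPASSWD={nopasswd}): {reason}".format(**f))
```

Run it over a real file with `audit_sudoers(open("/etc/sudoers").read())` as root; the fix for a hit is to grant a specific wrapper script (owned by root, not writable by the user) with fixed arguments instead of the interpreter itself.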
Fun box! A couple of little rabbit holes to play in but aside from that, pretty straightforward.