https://www.vulnhub.com/entry/my-cmsms-1,498/
@_p4nk4j
Review
- Enumeration reveals a CMS interface backed by a MySQL server
- Use default credentials to check for access
- Find the password hash in the database and update it
- Log in to the CMS interface with the newly updated password
- Look for interface exploits and upload a reverse shell
- Look for hidden user credentials and decode them
- Check sudo permissions to gain privileged access
Enumeration
Run an nmap scan to find open ports.


Port 80


Run a gobuster scan to find hidden directories.

/admin

/phpmyadmin

Let’s try enumerating the SQL server.
We start by logging in to the MySQL server with the default credentials root:root.

View databases

View tables



Found a password hash, but I’m unable to crack the hash. Let’s see if we can edit the password section in the server.
After some googling, I found a MySQL query to update a new password hash:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'persecure'))) where username = 'admin';

I found an exploit for the 2.4.14 version of CMS MS. But it doesn’t seem to work.

Let’s log in to the CMS MS admin with the new password.

Found an exploit in Exploit-DB.


Upload a PHP reverse shell and change the extension to .phtml and start a netcat listener.
Click on the newly uploaded file.

Foothold
User access is gained.


Found a password hash.

Used CyberChef to crack the hash. The hash is double encoded: Base64 & Base85.

armour:Shield@123
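
The same layered decoding can be scripted when reviewing files recovered from a host, which also shows that stacked encodings give a stored credential no protection. This is an added example, not part of the original writeup: the credential, the layer order (Ascii85 inside Base64) and the names peel, is_text and DECODERS are constructed assumptions.

```python
import base64

# Reversible encodings tried at each layer. "ascii85" is the btoa/Adobe
# alphabet ('!'..'u'); "base85" is the alphabet used by Python's b85 functions.
DECODERS = {
    "base64": lambda b: base64.b64decode(b, validate=True),
    "ascii85": base64.a85decode,
    "base85": base64.b85decode,
}


def is_text(data: bytes) -> bool:
    """Non-empty printable ASCII: plain text or a further encoded layer."""
    return bool(data) and all(32 <= c < 127 for c in data)


def peel(blob: bytes, max_depth: int = 4, chain: tuple = ()):
    """Return every (decoder chain, text) reachable by stacking decoders.

    The alphabets overlap, so a string may decode under more than one
    scheme. Every printable candidate is returned for the analyst to judge.
    """
    found = []
    if len(chain) >= max_depth:
        return found
    blob = blob.strip()  # tolerate a trailing newline read from a file
    for name, decode in DECODERS.items():
        try:
            out = decode(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if is_text(out):
            step = chain + (name,)
            found.append((step, out.decode("ascii")))
            found.extend(peel(out, max_depth, step))
    return found


# Constructed sample, not the value from the VM: a made-up credential
# wrapped in Ascii85 and then Base64 (the layer order is an assumption).
SECRET = "svc_backup:Example-Pass-1"
INNER = base64.a85encode(SECRET.encode())
SAMPLE = base64.b64encode(INNER)

if __name__ == "__main__":
    for steps, text in peel(SAMPLE):
        print(" -> ".join(steps), "|", text)
```
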
Switch to the armour user.

Check for sudo permissions.

Privilege escalation
We are able to use python to gain a root shell.


Found the final flag.
