My CMSMS: 1



  • Enumeration reveals a CMS interface backed by a MySQL server
  • Use default credentials to check for access
  • Find the password hash in the database and update it
  • Log in to the CMS interface with the newly updated password
  • Look for interface exploits and upload a reverse shell
  • Look for hidden user credentials and decode them
  • Check sudo permissions to gain privileged access


Run an nmap scan to find open ports.

Port 80

Run a gobuster scan to find hidden directories.


Default credentials do not work.


Same with the php admin page.

Let’s try enumerating the SQL server.

We start by logging on to the MySQL server with the default creds of root:root.

Access gained.

View databases

Let’s use the application db

View tables

Use cms_users.
Let’s search for username, password and email.

Found a password hash but I’m unable to crack the hash. Let’s see if we can edit the password section in the server.

After some googling, I found a MySQL query to update a new password hash:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'persecure'))) where username = 'admin';

I found an exploit for the 2.4.14 version of CMS MS. But it doesn’t seem to work.

Let’s log in to CMS MS admin with the new password.

Found an exploit on Exploit-DB.

Upload a PHP reverse shell, change the extension to .phtml, and start a netcat listener.

Click on the newly uploaded file.


User access is gained.
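
Why the rename to .phtml matters for defenders, as an added example (not code from this writeup or from CMS Made Simple): a filter that only rejects the literal `.php` extension lets through other extensions that web servers commonly map to the PHP handler, while an allowlist rejects them. The function names, the denylist, and the allowed extension set are assumptions made for illustration.

```python
"""Upload filename checks: naive denylist vs. allowlist (added example)."""
import os
import re

# Assumption: a filter that only rejects the literal ".php" extension.
NAIVE_DENYLIST = {".php"}

# Assumption: file types this hypothetical site actually needs to accept.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Extensions commonly mapped to the PHP handler in web server configs.
PHP_HANDLER_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7",
                          ".phtml", ".pht", ".phar"}

# One base name followed by one or more non-empty alphanumeric extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)+")


def naive_accepts(filename: str) -> bool:
    """Denylist check: case-sensitive, last extension only."""
    return os.path.splitext(filename)[1] not in NAIVE_DENYLIST


def strict_accepts(filename: str) -> bool:
    """Allowlist check: no paths, no odd characters, no PHP segment anywhere."""
    name = os.path.basename(filename.replace("\\", "/")).strip()
    if name != filename or not SAFE_NAME.fullmatch(name):
        return False  # path components, whitespace, trailing dots, etc.
    segments = ["." + part.lower() for part in name.split(".")[1:]]
    # Reject names like shell.php.jpg: some handler configs match any segment.
    if any(seg in PHP_HANDLER_EXTENSIONS for seg in segments):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


def filter_gaps(filenames):
    """Names the naive filter accepts but the strict filter rejects."""
    return [f for f in filenames if naive_accepts(f) and not strict_accepts(f)]


# Constructed sample upload names, not taken from the target machine.
SAMPLES = ["photo.jpg", "shell.php", "shell.phtml", "shell.PHP",
           "shell.php.jpg", "../x.png", "report.PDF", "shell.phtml."]

if __name__ == "__main__":
    for name in filter_gaps(SAMPLES):
        print("denylist gap:", name)
```

Storing uploads outside the web root, or in a directory where script execution is disabled, removes the impact even if a filename check is bypassed.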

Found a hashed password.

Used CyberChef to crack the hash. The hash is double encoded: Base64 and Base85.


Switch to the armour user.

Check for sudo permissions.

Privilege escalation

We are able to use python to gain a root shell.

Found the final flag.
