- Enumeration will reveal a CMS interface backed by a MySQL server
- Try default credentials to check for database access
- Find the admin password hash in the database and update it
- Log in to the CMS interface with the newly set password
- Look for interface exploits and upload a reverse shell
- Look for hidden user credentials and decode them
- Check sudo permissions to gain privileged access
Run an nmap scan to find open ports.
Run a gobuster scan to find hidden directories.
Let’s try enumerating the SQL server.
We start by logging on to the MySQL server with the default credentials root:root.
Found a password hash, but I'm unable to crack it. Let's see if we can overwrite the password field in the database instead.
After some googling, I found a MySQL query that sets a new password hash:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'persecure'))) where username = 'admin';
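To show why this query works (an added example, not part of the original writeup): the legacy CMS Made Simple scheme stores md5(sitemask + password), where sitemask is a single site-wide value from cms_siteprefs that falls back to '' when absent. The Python below reproduces that computation and the login-side check; the sitemask value used is a constructed placeholder.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not code from the original writeup. Models the legacy
# CMS Made Simple password scheme the UPDATE query relies on:
#   md5(IFNULL(sitemask, '') || password)


def cmsms_legacy_hash(sitemask: Optional[str], password: str) -> str:
    """Return the hex MD5 of sitemask + password.

    A NULL/missing sitemask is treated as '' exactly like IFNULL in the
    SQL query, so the hash degrades to plain unsalted MD5.
    """
    mask = sitemask if sitemask is not None else ""
    return hashlib.md5((mask + password).encode("utf-8")).hexdigest()


def verify_password(stored_hash: str, sitemask: Optional[str], candidate: str) -> bool:
    """Check a login attempt the way the CMS does, with a constant-time compare."""
    return hmac.compare_digest(stored_hash.lower(), cmsms_legacy_hash(sitemask, candidate))


def db_written_hash_verifies(sitemask: Optional[str], new_password: str) -> bool:
    """Why write access to cms_users is equivalent to admin access: a hash
    written directly into the table verifies without the old password."""
    stored = cmsms_legacy_hash(sitemask, new_password)  # what the UPDATE writes
    return verify_password(stored, sitemask, new_password)


if __name__ == "__main__":
    # Constructed sample sitemask; 'persecure' is the password used above.
    print(cmsms_legacy_hash("example-sitemask", "persecure"))
    print(db_written_hash_verifies(None, "persecure"))
```

Because the hash is fast, has no per-user salt, and is keyed only by a value stored in the same database, a table write is all that is needed to take over the account.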
I found an exploit for version 2.4.14 of CMS Made Simple, but it doesn't seem to work.
Let's log in to the CMS Made Simple admin panel with the new password.
Found an exploit on Exploit-DB.
Upload a PHP reverse shell, change its extension to .phtml, and start a netcat listener.
Click on the newly uploaded file.
User access is gained.
Found a password hash.
Used CyberChef to decode it. The hash is double-encoded: Base64, then Base85.
Switch to the armour user.
Check for sudo permissions.
We are able to use python to spawn a root shell.
Found the final flag.