My CMSMS: 1


https://www.vulnhub.com/entry/my-cmsms-1,498/

@_p4nk4j


Review

  • Enumeration will indicate a CMS interface with a MySQL server
  • Use default credentials to check for access
  • Find the password hash in the database and update it
  • Log in to the CMS interface with the newly updated password
  • Look for interface exploits and upload a reverse shell
  • Look for hidden user credentials and decode them
  • Check for sudo permissions to gain privileged access

Enumeration

Run an nmap scan to find open ports.

Port 80

Run a gobuster scan to find hidden directories.

/admin

Default credentials do not work.

/phpmyadmin

Same with the phpMyAdmin page.

Let’s try enumerating the SQL server.

We start by logging on to the MySQL server with the default creds of root:root.

Access gained.

View databases

Let’s use the application db

View tables

Use cms_users.
Let’s search for username, password and email.

Found a password hash but I’m unable to crack it. Let’s see if we can edit the password section in the server.

After some googling, I found a MySQL query to update a new password hash:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'persecure'))) where username = 'admin';

I found an exploit for the 2.4.14 version of CMS MS. But it doesn’t seem to work.

Let’s log in to CMS MS admin with the new password.

Found an exploit in Exploit-DB.

Upload a PHP reverse shell and change the extension to .phtml and start a netcat listener.

Click on the newly uploaded file.


Foothold

User access is gained.

Found a password hash.

Used CyberChef to crack the hash. The hash is double encoded: Base64 & Base85.

armour:Shield@123
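
Base64 and Base85 are reversible encodings, so a credential stored this way is recoverable by anyone who can read the file. The following is an added example, not part of the original write-up: a small Python audit helper that flags such layered blobs in file content. The names `peel`, `scan` and `backup_key` are hypothetical, and the sample blob is constructed here from the credential shown above.

```python
import base64
import binascii
import re

# Reversible encodings to try at each layer (none of these is a hash).
DECODERS = {
    "base64": lambda b: base64.b64decode(b, validate=True),
    "base85": base64.b85decode,
    "ascii85": base64.a85decode,
    "base32": base64.b32decode,
}
# A decoded value shaped like user:password is reported as a finding.
CRED_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}:\S{4,}$")


def peel(blob, max_depth=3, chain=()):
    """Return (decoder chain, plaintext) if blob decodes to a credential."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary output: not a text layer, stop here
    if chain and CRED_RE.match(text):
        return chain, text
    if len(chain) == max_depth:
        return None
    for name, decode in DECODERS.items():
        try:
            inner = decode(blob)
        except (binascii.Error, ValueError):
            continue  # blob is not valid input for this encoding
        found = peel(inner, max_depth, chain + (name,)) if inner else None
        if found:
            return found
    return None


def scan(text):
    """Check every whitespace-delimited token of 12+ characters in text."""
    hits = []
    for token in re.findall(r"\S{12,}", text):
        found = peel(token.encode())
        if found:
            hits.append((token, *found))
    return hits


# Constructed sample: the credential from this write-up, Base85 then Base64.
SAMPLE_BLOB = base64.b64encode(base64.b85encode(b"armour:Shield@123")).decode()
SAMPLE_FILE = f"# notes\nbackup_key = {SAMPLE_BLOB}\nplain words only here\n"
```

Calling `scan(SAMPLE_FILE)` returns the blob, the decoder chain that opened it and the recovered text; any hit on a real system should be treated as a plaintext password on disk.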

Switch to the armour user.

Check for sudo permissions.


Privilege escalation

We are able to use python to gain a root shell.

Found the final flag.
