CMesS (TryHackMe Walkthrough)
<p>This medium level machine features a Gila CMS vulnerable to Authenticated Remote Code Execution. We exploit this manually to gain a reverse shell. We then move laterally to another low privileged user to get deeper into the machine. Finally, we escalate to root by abusing cron wildcards.</p>
<blockquote>
<p>Find me on <a href="https://twitter.com/meliendrez" rel="noopener ugc nofollow" target="_blank">Twitter</a>, <a href="https://www.linkedin.com/in/jmeliendrez/" rel="noopener ugc nofollow" target="_blank">LinkedIn</a> and <a href="https://www.youtube.com/@pr0tagnist" rel="noopener ugc nofollow" target="_blank">Youtube</a>.</p>
</blockquote>
<h1>Enumeration</h1>
<p>We start with a full TCP port scan with service/version detection and the default NSE scripts, then review the results. Two ports are open: SSH and a web server.</p>
<pre>
<strong>nmap -p- -sVC &lt;IP&gt; -v -oN nmap_results</strong>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</pre>
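<p>The scan output above already tells a reader most of what matters about this host before a single request is sent by hand: the exact OpenSSH and Apache builds, the CMS name from the <code>http-generator</code> meta tag, and the three paths the site asks crawlers not to index. The following script is an added example, not part of the original walkthrough; it parses nmap normal (<code>-oN</code>) output into structured records and pulls out those disclosures so they can be reviewed in one place. The sample input is the scan output shown on this page, embedded as a string; the function and field names are the example's own.</p>

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the nmap -oN output from the walkthrough's own scan.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp open ssh OpenSSH 7.2p2 ..." -> port, proto, state, service, version banner
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-generator: Gila CMS" / "| ssh-hostkey:" -> NSE script name and first output line
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> list of output lines


def parse_nmap_normal(text):
    """Parse nmap normal (-oN) output into Port records with their NSE script output."""
    ports, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3),
                           m.group(4), m.group(5).strip())
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # column header, "Service Info", or other non-port text
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            current.scripts[script] = [m.group(2)] if m.group(2) else []
        elif script is not None:
            # continuation line of the current script (host keys, robots paths, ...)
            current.scripts[script].append(line.lstrip("|_ ").strip())
    return ports


def disclosure_findings(ports):
    """List what the scan reveals about the host: version banners, the CMS name,
    the server header and robots.txt paths. These are the first things fingerprinted
    from the outside, so they are what an owner should review and minimise."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        if p.version:
            findings.append((p.number, "version-banner", p.version))
        for key in ("http-generator", "http-server-header"):
            if p.scripts.get(key):
                findings.append((p.number, key, p.scripts[key][0]))
        # first line is the "N disallowed entries" summary; the paths follow it
        for line in p.scripts.get("http-robots.txt", [])[1:]:
            for path in line.split():
                findings.append((p.number, "robots-disallow", path))
    return findings


if __name__ == "__main__":
    for number, kind, value in disclosure_findings(parse_nmap_normal(NMAP_OUTPUT)):
        print(f"{number:>5}  {kind:<20} {value}")
```

<p>Run on the page's scan, the script lists one SSH banner and six findings for port 80: the Apache banner twice (service version and server header), the Gila CMS generator tag, and the three disallowed paths <code>/src/</code>, <code>/themes/</code> and <code>/lib/</code>. The same parser works on any <code>-oN</code> file, so it can be pointed at a scan of your own hosts to see which of these details they hand out.</p>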
<p>SSH is usually not a helpful place to look, but if we get stuck we’ll try it. We open the web page in a browser and get the Gila CMS default blog page. Navigating around, there isn’t much here apart from a default first post.</p>
<p><a href="https://medium.com/@pr0tag0nist/cmess-tryhackme-walkthrough-7ff6f6a6d0dc"><strong>Read More</strong></a></p>