This medium-difficulty machine runs Gila CMS, which is vulnerable to authenticated remote code execution. We exploit this manually to gain a reverse shell, then move laterally to another low-privileged user to get deeper into the machine. Finally, we escalate to root by abusing a wildcard in a cron job.
Enumeration
After running an nmap scan of all TCP ports we can review the results. Two ports are open: SSH on 22 and an Apache web server on 80, which nmap's http-generator script already identifies as Gila CMS. The three paths disallowed in robots.txt (/src/, /themes/, /lib/) are worth noting for later.
nmap -p- -sVC <IP> -v -oN nmap_results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSH is usually not a helpful place to start, but if we get stuck we can come back to it. Navigating to the web server in a browser, we get the Gila CMS default blog page. Clicking around, there isn't much here apart from the default first post.
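To make the scan review repeatable, here is an added example (my own code, not part of the original writeup and not from Gila CMS) that parses the nmap normal-output format shown above and pulls out exactly the things we act on next: the open ports with their banners, the http-generator value, and the robots.txt Disallow paths turned into URLs to browse by hand. The scan text is embedded as a constructed sample copied from the scan above; the host value passed in at the bottom is a placeholder.

```python
import re

# Constructed sample input: the nmap -oN output from the scan above, embedded
# so the parser can run offline.
NMAP_RESULTS = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-generator: Gila CMS
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line, e.g. "80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# First line of an NSE script result, e.g. "|_http-generator: Gila CMS"
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")
# Continuation line of the current script result, e.g. "|_/src/ /themes/ /lib/"
CONT_RE = re.compile(r"^\|_?\s*(\S.*)$")


def parse_nmap(text):
    """Parse nmap normal (-oN) output into a list of port records.

    Each record is a dict with port, proto, state, service, version and a
    'scripts' dict mapping NSE script id -> list of output lines.
    """
    ports = []
    current = None
    script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports.append(current)
            script = None
            continue
        if current is None:
            continue  # header lines before the first port
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            current["scripts"][script] = [m.group(2)] if m.group(2) else []
            continue
        m = CONT_RE.match(line)
        if m and script is not None:
            current["scripts"][script].append(m.group(1))
    return ports


def open_ports(ports):
    return [p for p in ports if p["state"] == "open"]


def web_generator(port):
    """Value of the http-generator script, i.e. the CMS name to search advisories for."""
    lines = port["scripts"].get("http-generator", [])
    return lines[0] if lines else None


def robots_disallowed(port):
    """Paths nmap read from robots.txt Disallow lines. These are the first
    directories to browse by hand: they are what the site owner did not want crawled."""
    lines = port["scripts"].get("http-robots.txt", [])
    return [tok for line in lines for tok in line.split() if tok.startswith("/")]


def enumeration_plan(text, host):
    """Summarise a scan: open ports with banners plus web follow-ups
    (generator name and robots.txt paths expanded to URLs)."""
    plan = {"open": [], "web": []}
    for p in open_ports(parse_nmap(text)):
        plan["open"].append((p["port"], p["service"], p["version"]))
        if p["service"] == "http":
            plan["web"].append({
                "generator": web_generator(p),
                "urls": ["http://%s:%d%s" % (host, p["port"], path)
                         for path in robots_disallowed(p)],
            })
    return plan


if __name__ == "__main__":
    plan = enumeration_plan(NMAP_RESULTS, host="10.10.10.10")  # placeholder host
    for port, service, version in plan["open"]:
        print("%d/%s  %s" % (port, service, version))
    for web in plan["web"]:
        print("generator:", web["generator"])
        for url in web["urls"]:
            print("check:", url)
```

Feed it the file written by -oN and the robots.txt URLs it prints are the first things to open in the browser, before any wordlist-based directory brute force.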