Checking out port 80 takes us to the default page for CMS Made Simple.
I then ran dirsearch.py against the host, which also discovered phpMyAdmin, locked behind HTTP basic auth.
I attempted to brute-force the logins for phpMyAdmin and CMSMS but was unable to find valid credentials for either.
I was, however, able to log in to MySQL remotely with the credentials
From here we can view the databases and move into the cmsms_db database.
Looking at the tables that exist in the database, we select all columns from the cms_users table.
This reveals an MD5 password hash for the admin account, which I was unable to crack with several word lists.
As we are the root account on MySQL, we can instead change the password to something we know and use that to log in to CMSMS.
CMSMS stores the hash as md5(sitemask || password), where sitemask is a site-wide value read from cms_siteprefs, so the replacement hash must be built the same way. Run the following command to set a new password of 'weakpass' for the admin user:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'weakpass'))) where username = 'admin';
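The hash construction used by that UPDATE statement, reproduced in Python as an added example (not code from the original post or from CMSMS itself): the sitemask acts as a single shared salt, with a NULL sitemask treated as the empty string exactly as IFNULL does. The sitemask value below is a constructed placeholder.

```python
import hashlib
import hmac
from typing import Optional


def cmsms_password_hash(sitemask: Optional[str], password: str) -> str:
    """Build the value stored in cms_users.password.

    Mirrors md5(CONCAT(IFNULL(sitemask, ''), password)) from the UPDATE
    statement above and returns lowercase hex, as MySQL's md5() does.
    """
    salt = sitemask if sitemask is not None else ""  # IFNULL(..., '') behaviour
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def verify_cmsms_password(stored_hash: str, sitemask: Optional[str], candidate: str) -> bool:
    """Check a candidate password against a stored hash in constant time.

    The stored column is case-insensitive hex, so normalise before comparing.
    """
    expected = cmsms_password_hash(sitemask, candidate)
    return hmac.compare_digest(expected, stored_hash.strip().lower())


if __name__ == "__main__":
    # Constructed sample values; a real sitemask comes from cms_siteprefs.
    sample_sitemask = "exampleSiteMask"
    stored = cmsms_password_hash(sample_sitemask, "weakpass")
    print("stored hash:", stored)
    print("matches 'weakpass':", verify_cmsms_password(stored, sample_sitemask, "weakpass"))
```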
The password has now changed:
We can then move over to the /admin/ directory in the browser and log in with the new credentials.
Searching for exploits on CMSMS now that we are authenticated gives a few results.
As we are running version 2.2.13, I will try the arbitrary file upload exploit for version 2.2.14.
Once the Python script was downloaded, I executed it with the following syntax:
When ready, I set up a netcat listener and prompted the script to continue, resulting in a shell as www-data.
Moving around the target machine, we find a .htpasswd file hidden in /var/www/html/admin/. Running cat on the file gives the value
From here we can decode with base64 and then base32, as this string is double encoded.
We can then use su to switch to the armour account, logging in with the password we have discovered.
sudo -l shows we can run python as root without supplying a password.
We can then spawn a root shell with python.