MY-CMSMS OffSec Walkthrough


MY-CMSMS OffSec Walkthrough: We are going to exploit one of the OffSec Proving Grounds Medium machines, called My-CMSMS. This post is not a fully detailed walkthrough; I will just go through the important points of the exploitation process.

Enumeration:

  • Nmap scan:
  • Log in to the remote MySQL service using root:root
  • Exploring the cmsms_db database:

    MySQL [cmsms_db]> show tables;
    +----------------------+
    | Tables_in_cmsms_db   |
    +----------------------+
    | cms_additional_users |
    | ...                  |
    | cms_users            |
    | cms_users_seq        |
    | cms_version          |
    +----------------------+
    53 rows in set (0.328 sec)

    [image: mysql database]
  • Updating the admin password: I couldn't crack the MD5 hash, so let's just update the password to something we already know. I found this blog post, which shows the MySQL query to update the password:
  • Executing the MySQL query:
    • This query updates the admin password to admin (CMSMS salts the MD5 with the sitemask value stored in cms_siteprefs):

      update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'admin'))) where username = 'admin';
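As an added defender-side example (not part of the original post), the following Python reproduces the hash the query above writes, so an incident responder can check an exported cms_users table for accounts whose stored hash equals that of a trivially known password such as admin. The sitemask value, usernames and hashes below are constructed sample data, not values from the lab.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Constructed sample export of cms_users (username, password) rows.
# The admin hash is md5("admin") with an empty sitemask, i.e. exactly what the
# reset query on this page would store when no sitemask is configured.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("admin", "21232f297a57a5a743894a0e4a801fc3"),
    ("editor", "0123456789abcdef0123456789abcdef"),  # constructed, unrelated hash
]


def cmsms_password_hash(password: str, sitemask: Optional[str]) -> str:
    """Mirror the SQL expression md5(CONCAT(IFNULL(sitemask, ''), password)).

    A NULL sitemask (no cms_siteprefs row) behaves like an empty string,
    which is why IFNULL appears in the query.
    """
    salt = sitemask if sitemask is not None else ""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def find_known_password_accounts(
    rows: Iterable[Tuple[str, str]],
    sitemask: Optional[str],
    known_values: Tuple[str, ...] = ("admin",),
) -> List[Tuple[str, str]]:
    """Return (username, value) pairs whose stored hash matches a known value.

    Run this over a dump of cms_users together with the sitemask from
    cms_siteprefs to spot an admin account whose password was reset to a
    guessable value, as done in this walkthrough.
    """
    flagged = []
    for username, stored in rows:
        for value in known_values:
            if stored.lower() == cmsms_password_hash(value, sitemask):
                flagged.append((username, value))
    return flagged


if __name__ == "__main__":
    # With no sitemask the admin row is flagged; with a sitemask it is not,
    # because the salt changes the expected hash.
    print(find_known_password_accounts(SAMPLE_ROWS, None))
    print(find_known_password_accounts(SAMPLE_ROWS, "constructed-sitemask"))
```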

Getting RCE:

  1. Generating a bash reverse shell payload and starting a Netcat listener:
  2. Injecting the bash payload into the application:
     [image: rev shell upload]
  3. Hit the Submit button, then open the shell:
     [image: shell]
  4. Hit Run:
     [image: rev shell run]
  5. We got RCE:
     [image: RCE]

Privilege Escalation:

  • LinEnum:
    [image: found armour password]
  • Decoding:
  • Creds:
    • User: armour
    • Pass: Shield@123
  • Getting root:
    [image: root shell]

Finally, this lab is solved. See you in the next lab. Happy Hacking 😉
