
THM CMSpit Walkthrough

Description: Dive into the world of web app hacking and privilege escalation with this TryHackMe machine, exploiting recent vulnerabilities.

Difficulty: Medium

Machine Link: CMSpit on TryHackMe

1. Enumeration

Nmap Scan Results

Two ports are open:

  • 22 [SSH]
  • 80 [HTTP]

At port 80, I spot Cockpit CMS on the landing page.

Cockpit CMS Landing Page

2. Exploitation

Searching for “cockpit” in msfconsole, I identified a promising exploit.

Cockpit CMS Exploit

Configuring rhost, lhost, and lport, I executed the exploit successfully. Here’s the output.

User Enumeration

Next, I selected the ‘admin’ user and reran the exploit, gaining a shell.

Getting Shell Access

3. Privilege Escalation

Now operating as www-data, I navigated to the home directory and discovered a user named stux.

Accessing user stux’s homepage, I stumbled upon an intriguing dbshell file. Examining its contents revealed the second flag and what appears to be a password.

Home Directory Contents

I tested the discovered password and successfully gained access. Running sudo -l provided an interesting output:

Stux Permissions

With the acquired sudo permissions for user stux, and after a brief search, I stumbled upon this exploit: CVE-2021-22204 ExifTool

The exploit requires some prerequisites:

sudo apt install djvulibre-bin exiftool

The usage involves setting up a listener:

nc -nvlp 9090  # or the port you specify in the exploit.py file
python3 exploit.py

Then, upload the generated image to the target machine and run:

sudo /usr/local/bin/exiftool image.jpg

Executing this payload triggered a successful root shell!

Root Shell
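
For the defensive side of the privilege-escalation step above, this added example (not from the original post) checks a host for the same two conditions: a sudo rule naming exiftool and an ExifTool version in the CVE-2021-22204 range (7.44 through 12.23, fixed in 12.24). The function names and the sample sudo -l output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the two conditions the
# walkthrough relies on: a sudo rule for exiftool, and an ExifTool version
# affected by CVE-2021-22204 (7.44 through 12.23; fixed in 12.24).

# Exit 0 if the version is in the affected range, 1 if not, 2 if unparseable.
exiftool_version_affected() {
    case "$1" in
        ''|*[!0-9.]*|*.*.*|.*|*.) return 2 ;;   # not MAJOR.MINOR
        *.*) ;;
        *) return 2 ;;
    esac
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 7.44 && v + 0 < 12.24) }'
}

# Filter `sudo -l` output (stdin) down to rules that name an exiftool binary.
sudo_exiftool_rules() {
    grep -E '^[[:space:]]*\([^)]*\).*/exiftool([[:space:],]|$)'
}

# stdin: `sudo -l` output; $1: ExifTool version. Exit 1 on a critical finding.
audit_exiftool_sudo() {
    rules=$(sudo_exiftool_rules) || { echo "OK: no sudo rule for exiftool"; return 0; }
    rc=0; exiftool_version_affected "$1" || rc=$?
    case $rc in
        0) echo "CRITICAL: ExifTool $1 (CVE-2021-22204) is runnable via sudo:"
           echo "$rules"; return 1 ;;
        2) echo "UNKNOWN: cannot parse version '$1'; sudo rule present:" ;;
        *) echo "REVIEW: ExifTool $1 is outside the affected range; sudo rule present:" ;;
    esac
    echo "$rules"
}

# Constructed sample of `sudo -l` output (assumed format; the post shows
# the real output only as a screenshot).
sample_sudo_l() {
    cat <<'EOF'
User stux may run the following commands on this host:
    (root) NOPASSWD: /usr/local/bin/exiftool
EOF
}

sample_sudo_l | audit_exiftool_sudo 12.23 || true   # CRITICAL finding
sample_sudo_l | audit_exiftool_sudo 12.24           # REVIEW finding
```

On a live host the inputs would come from the system itself, for example sudo -l | audit_exiftool_sudo "$(exiftool -ver)".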

This post is licensed under CC BY 4.0 by the author.
