malfunction-grinds
4 min read · Jun 10, 2022

HackTheBox: CMSpit Room Walkthrough

I have a pending application with a company in New Zealand. One of their screening steps is a CTF on HTB, and I was having a hard time capturing the flag. So what I did was try another box to brush up on my knowledge and hopefully pick up clues for solving their CTF.

Their challenge involves a CMS, so I looked for another room that was CMS related and found CMSpit.

Recon

As usual, I fired up Nmap to scan for open ports: -sS (SYN scan), -sC (run the default NSE scripts), -sV (detect service versions), -A (aggressive scan).

I also immediately opened a browser and typed in the IP address.

Once I saw there was a web page, I tested common default credentials such as admin:admin, administrator:administrator and admin:password. No go. Then I started Nikto and Dirbuster.

Nikto was taking its sweet time, so I went back to the web page and hit Inspect Element. From there I saw the version number of Cockpit CMS.

Since I now knew the CMS and its version, I tried going to the following:

http://10.10.36.235/cockpit/admin
http://10.10.36.235/cockpit/admin.php
http://10.10.36.235/cockpit/admin.html
http://10.10.36.235/Cockpit/admin

and other combinations... nada.

Opened Searchsploit and looked for vulnerabilities affecting Cockpit.

It had a few entries, but none specifically for this version.

Checked Google. Discovered that all Cockpit versions before 0.11.2 are vulnerable to a NoSQL injection via the check function in Controller/Auth.php. The CVE number is CVE-2021-22204.

https://github.com/w33vils/CVE-2020-35847_CVE-2020-35848
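To make the class of bug concrete, here is an added illustration (my own code, not Cockpit's and not from the repository linked above): a login check that hands decoded JSON values straight to a MongoDB-style query filter, next to the hardened version that only accepts plain strings. The accounts list and the tiny in-memory matcher are constructed stand-ins so it runs offline; only the $ne operator is modelled.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample accounts (hypothetical data, not from the box).
ACCOUNTS: List[Dict[str, Any]] = [
    {"user": "admin", "password": "s3cret-hash", "active": True},
    {"user": "editor", "password": "other-hash", "active": True},
]


def _field_matches(doc_value: Any, cond: Any) -> bool:
    """Minimal MongoDB-style comparison: a scalar condition is an equality
    test, a dict condition carries operators (only $ne is modelled here)."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op != "$ne":
                raise ValueError(f"unsupported operator {op}")
            if doc_value == arg:
                return False
        return True
    return doc_value == cond


def find_one(collection: List[Dict[str, Any]],
             criteria: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the first document whose fields satisfy every criterion."""
    for doc in collection:
        if all(_field_matches(doc.get(k), v) for k, v in criteria.items()):
            return doc
    return None


def check_vulnerable(body: str) -> Optional[Dict[str, Any]]:
    """Injectable pattern: whatever JSON type the client sent becomes the
    filter value, so an operator object replaces the equality test."""
    p = json.loads(body)
    return find_one(ACCOUNTS, {"user": p.get("user"), "password": p.get("password")})


def check_hardened(body: str) -> Optional[Dict[str, Any]]:
    """Hardened: login fields must be plain strings, so operator objects
    can never reach the query and the filter stays an equality test."""
    p = json.loads(body)
    user, password = p.get("user"), p.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return find_one(ACCOUNTS, {"user": user, "password": password})


# Constructed request bodies: a normal login and one carrying an operator.
LEGIT = json.dumps({"user": "admin", "password": "s3cret-hash"})
INJECTED = json.dumps({"user": "admin", "password": {"$ne": ""}})
```

The vulnerable check accepts the second body without knowing the password, while the hardened one rejects it because the type check fails before any query runs.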

I downloaded one of the readily available PHP reverse shells online and uploaded it into the CMS using the ‘finder’ feature.

After that, I just browsed to <ip>/reverseshell.php to run the shell.

Once I had an initial shell, I transferred Linux Smart Enumeration (LSE) to the box to help me enumerate it more efficiently.

LSE found multiple vectors, but I found the MongoDB one the most interesting.

Confirmed that MongoDB is indeed running locally and listening on port 27017.

Tried connecting to MongoDB with the mongo shell:

  • mongo <ip>:<portnumber>  (connected without credentials, OK)
  • show dbs

It listed 3 databases:
  admin (empty)
  local
  sudousersbak

  • use sudousersbak (to select the ‘sudousersbak’ database)
  • show collections (to list the collections in it)

It listed 3 collections:
  flag
  system.indexes
  users

From here I should be able to view the flag and the passwords of some users:

  • db.flag.find()
  • db.users.find()

Now that I had stux’s password, I launched SSH and connected as him.

From the output of sudo -l, I should be able to get the root flag.

But the exiftool vulnerability is really interesting. Theoretically, I should be able to have my own malicious shadow file imported and used by the system (at least according to GTFOBins). Another way is to exploit CVE-2021-22204, the ExifTool RCE.
