Introduction

In this walkthrough, we demonstrate exploitation of a content management system, namely Cockpit, followed by privilege escalation through ExifTool.

This is a machine that allows you to practise web app hacking and privilege escalation using recent vulnerabilities.

You’ve identified that the CMS installed on the web server has several vulnerabilities that allow attackers to enumerate users and change account passwords.

Your mission is to exploit these vulnerabilities and compromise the web server.

Finding the Foothold

My first step, as always, was to run an Nmap scan to see what services were running on the machine. The scan revealed two open ports: 22 (SSH) and 80 (HTTP). Since I didn’t have any credentials for SSH, I turned my attention to the web server on port 80.

Upon visiting the website, I inspected the page source and quickly identified the CMS as Cockpit, version 0.11.1. A quick search for this version revealed a known NoSQL injection vulnerability (CVE-2020-35846). This was my way in!

The vulnerability existed in how the application handled user authentication. By using Burp Suite to intercept and modify the web requests, I could exploit this flaw. I crafted a special request to the /auth/check endpoint to enumerate the users on the system and found four of them. Then, I targeted the /auth/newpassword endpoint to reset the admin’s password.

Once I was logged in as the admin, I found the email address for a user named “Skidy” and located the web flag in the “finder” section of the CMS.

From Web Access to a Shell

With access to the CMS, my next goal was to get a shell on the server. I found a file upload feature and used it to upload a PHP reverse shell. I had to modify the shell script with my own IP address and a port number I wanted to connect back to.

On my machine, I started a Netcat listener on that port. Then, I navigated to the uploaded PHP file in my browser, which triggered the reverse shell. Success! I had a connection and was now operating as the www-data user on the server.

I started looking around for more information. In the /home directory, I found a file called db_shell which contained the SSH credentials for a user named “stux”. I used these credentials to log in via SSH, which gave me a much more stable shell. From there, I was able to grab the user flag from the user.txt file in stux’s home directory.

The Final Climb to Root

Now for the final step: privilege escalation. I ran the sudo -l command to see what commands the “stux” user could run as root. It turned out I could run the exiftool binary with root privileges without a password.

I checked the version of ExifTool and found it was 12.05. Another quick search revealed that this version was affected by CVE-2021-22204, a vulnerability triggered through specially crafted DjVu image files.

I found an exploit script online, downloaded it to the server, and used it to create a malicious image file. The exploit required a utility called djvumake to build the proof-of-concept file. When I ran exiftool on this malicious image as root, it executed my payload and gave me a root shell!
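A defender-side check for the two conditions this escalation relied on, added here and not part of the original walkthrough: an ExifTool build inside the CVE-2021-22204 range, and a file whose bytes are DjVu although its name says .jpg (as with delegates.jpg, which ExifTool parses by content, not by extension). The 12.24 fix boundary and the magic-byte table are taken from ExifTool's documentation; the sample file names and headers are constructed.

```python
"""Added example: flag a vulnerable ExifTool version and DjVu content hiding
behind an image extension. Not code from the original post."""
import re
from pathlib import Path

# ExifTool fixed the DjVu annotation parsing bug in 12.24; 7.44 through 12.23 are affected.
FIRST_VULNERABLE = (7, 44)
FIXED_VERSION = (12, 24)


def parse_version(ver_output: str) -> tuple:
    """Parse the output of `exiftool -ver`, e.g. '12.05\\n'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", ver_output)
    if not m:
        raise ValueError(f"unexpected version string: {ver_output!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_exiftool(ver_output: str) -> bool:
    return FIRST_VULNERABLE <= parse_version(ver_output) < FIXED_VERSION


# Leading bytes ExifTool keys its parser choice on; the file extension is irrelevant to it.
MAGIC = {b"\xff\xd8\xff": "JPEG", b"AT&TFORM": "DjVu", b"\x89PNG\r\n\x1a\n": "PNG"}
EXPECTED = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".djvu": "DjVu"}


def sniff_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_upload(name: str, data: bytes) -> dict:
    """Report when the real content type disagrees with what the extension claims."""
    actual = sniff_type(data)
    declared = EXPECTED.get(Path(name).suffix.lower(), "unknown")
    return {"name": name, "declared": declared, "actual": actual,
            "mismatch": actual != declared,
            "djvu_disguised": actual == "DjVu" and declared != "DjVu"}


# Constructed samples: a genuine JPEG header, and a DjVu header saved under a .jpg name.
SAMPLES = {"photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
           "delegates.jpg": b"AT&TFORM\x00\x00\x00\x20DJVUINFO"}


def scan_samples(samples=SAMPLES) -> list:
    return [check_upload(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    print("exiftool 12.05 vulnerable:", is_vulnerable_exiftool("12.05\n"))
    for report in scan_samples():
        print(report)
```

Run against a real host by feeding it the text of `exiftool -ver` and the first bytes of each uploaded file; a `.jpg` that sniffs as DjVu is exactly the artefact that made this escalation work.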

With full root access, I navigated to the /root directory and proudly read the contents of root.txt. Mission accomplished!

Technical Commands Used

Here’s a list of the technical commands I used on the terminal throughout this process:

  • nmap -sC -sV [IP_ADDRESS]
  • git clone [URL]
  • cd php-reverse-shell
  • nano php-reverse-shell.php
  • nc -lvnp 4545
  • python -c 'import pty; pty.spawn("/bin/bash")'
  • id
  • ls -la
  • cat db_shell
  • ssh stux@[IP_ADDRESS]
  • cd home
  • cat user.txt
  • sudo -l
  • cd /usr/bin
  • exiftool -ver
  • cd /home/stux
  • nano exploit.sh
  • touch image.jpg
  • ls
  • chmod +x exploit.sh
  • ./exploit.sh "bin/bash"
  • sudo /usr/bin/exiftool delegates.jpg
  • cd /root
  • cat root.txt

Room Answers

What is the name of the Content Management System (CMS) installed on the server?

What is the version of the Content Management System (CMS) installed on the server?

What is the path that allows user enumeration?

How many users can you identify when you reproduce the user enumeration attack?

What is the path that allows you to change user account passwords?

Compromise the Content Management System (CMS). What is Skidy’s email?

What is the web flag?

Compromise the machine and enumerate collections in the document database installed on the server. What is the flag in the database?

What is the user.txt flag?

What is the CVE number for the vulnerability affecting the binary assigned to the system user? Answer format: CVE-0000-0000

What is the utility used to create the PoC file?

Escalate your privileges. What is the flag in root.txt?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.