https://tryhackme.com/room/sustah

  • A roulette-like number guessing game must be beaten in order to obtain access to the CMS.
  • Rate limiting in the game prevents brute-force guessing, but it can be bypassed by adding a couple of request header fields.
  • Exposed default admin credentials in Mara CMS allow arbitrary malicious files to be uploaded to the server, leading to remote code execution or a reverse shell connection.
  • Low-privileged user credentials are exposed in a backup file, and privilege escalation is possible due to a misconfiguration in doas.conf.

  • Port 22: SSH
  • Port 80: HTTP
  • Port 8085: HTTP

The spinner game will provide us with the path to a CMS if we correctly guess the number.


The developers of the game implemented an anti-brute-force measure: they rate limit the number of requests so that a script cannot simply try every number in quick succession. This can be seen in the response headers after a guess POST request is made.

After too many guesses are attempted in a short period of time, the server responds with an error.

A couple of request header fields can be used to bypass relatively rudimentary rate-limiting implementations by making the server believe the requests originate from itself (or another trusted address) rather than from the attacker. (https://medium.com/bugbountywriteup/bypassing-rate-limit-like-a-pro-5f3e40250d3c)

  • X-Forwarded-For: IP
  • X-Forwarded-Host: IP
  • X-Client-IP: IP
  • X-Remote-IP: IP
  • X-Remote-Addr: IP
  • X-Host: IP

Burp Suite Intruder can be used to brute force the number value in the guess POST request, iterating over numbers until the correct guess is identified.

Once these request headers are added, the X-RateLimit response header fields no longer appear.
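Why those headers work is easiest to see from the server side. The following is an added example, not code from the room or the writeup: a small sliding-window rate limiter in a "vulnerable" mode that keys clients on whatever address the spoofable headers claim, beside a hardened mode that only honours X-Forwarded-For when it comes from a configured trusted reverse proxy. The limit, window, and all IP addresses are constructed values.

```python
import time
from collections import defaultdict, deque

# Request headers the writeup lists as rate-limit bypass vectors.
SPOOFABLE_HEADERS = ("X-Forwarded-For", "X-Forwarded-Host", "X-Client-IP",
                     "X-Remote-IP", "X-Remote-Addr", "X-Host")


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit=5, window=60.0, trusted_proxies=(), trust_any_header=False):
        self.limit, self.window = limit, window
        self.trusted_proxies = set(trusted_proxies)
        self.trust_any_header = trust_any_header
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests

    def client_key(self, peer_ip, headers):
        # Vulnerable mode: believe any client-supplied address header. A client
        # that rotates the header value gets a fresh bucket on every request.
        if self.trust_any_header:
            for name in SPOOFABLE_HEADERS:
                if name in headers:
                    return headers[name].split(",")[0].strip()
            return peer_ip
        # Hardened mode: only a known reverse proxy may vouch for the original
        # client, and only via X-Forwarded-For. The right-most entry is the one
        # the trusted proxy itself appended; anything left of it is attacker-controlled.
        if peer_ip in self.trusted_proxies and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[-1].strip()
        return peer_ip  # everyone else is keyed on the real TCP peer address

    def allow(self, peer_ip, headers, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.hits[self.client_key(peer_ip, headers)]
        while bucket and now - bucket[0] > self.window:
            bucket.popleft()  # drop hits that fell out of the window
        if len(bucket) >= self.limit:
            return False
        bucket.append(now)
        return True


def simulate(limiter, attempts=20):
    """Constructed traffic: one peer sends `attempts` guesses one second apart,
    each with a freshly rotated spoofed address. Returns how many got through."""
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.0.{i}", "X-Client-IP": f"10.0.0.{i}"}
        if limiter.allow("203.0.113.7", headers, now=float(i)):
            allowed += 1
    return allowed
```

With the header-trusting limiter all 20 guesses get through; with the hardened one only the first 5 do, because every request is attributed to the same peer regardless of what the headers claim.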

Once the correct number is guessed, the path of the CMS is displayed on the screen: /YouGotTh3P@th/. The CMS is served on port 80, not the same port as the spinner game.

Exploring the Mara CMS blog, default credentials are found on the /lorem page, along with a link to a login form. The default credentials are valid and grant access to the admin dashboard.

Success!

A quick exploit-db search shows Mara CMS 7.5 is susceptible to an authenticated remote code execution attack. The ‘about’ page for Mara CMS says this version is 7.2, so the exploit should be valid.

According to the exploit, a malicious .php file can be uploaded to the server (either a web shell or a reverse shell script). In this case I used Pentestmonkey’s PHP reverse shell script, modifying the listening IP and PORT.

Once uploaded, the file can be found at /CMS_path/img/file_name. A connection is made to the listener once the malicious PHP file is executed.

A tty shell can be spawned with:

python -c 'import pty; pty.spawn("/bin/bash")'

The www-data user doesn’t have permission to read the user flag. To read the flag, the current user needs to be Kiran or root.

The low-privileged Kiran user’s credentials are exposed in a hidden passwd backup file.

The linpeas.sh privilege escalation enumeration script identifies a misconfiguration in the doas.conf file.

doas in this case lets the Kiran user run rsync as root, similar to a sudo rule or a SUID binary.

From GTFOBins (https://gtfobins.github.io/gtfobins/rsync/), rsync can spawn a shell. Since Kiran can run rsync as root, the shell it spawns should also run in the context of root.
