Post

TryHackMe toc2

Posted
By
1 min read

#toc2

alt text

ssh and http is open, enumerat http and get initial footstep alt text

run a directory scan we got something “cmsmsuser:devpass” i dont know what it is maybe some credentials for cms user alt text

we have robots.txt

alt text

go to “/cmsms/cmsms-2.1.6-install.php” this path

alt text its a CMS Made Simple™ 2.1.6 so search for any exploits that we can exploait

alt text

CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt we can use this

alt text

fill this with the info we got and turn on the proxy to eploit

alt text

we can execute payloads with this packet

replace the timezone with “‘junk’;echo%20system($_GET[‘cmd’]);$junk=’junk&next=Next+%E2%86%92” this code

alt text

alt text

here we go alt text

alt text

we have some files here read them to get some info

alt text

so we got a username and a password

frank:password alt text

we go the user flag , now we have to escalte the privilege

https://github.com/sroettger/35c3ctf_chals/blob/master/logrotate/exploit/rename.c

we have this link on the hint

alt text

the program readcard needs a file to input

nothing worked so we can use this rename.c to exploit this

alt text

exploit using the race condition

root: thm{7265616c6c696665}

tryhackme ctf
This post is licensed under CC BY 4.0 by the author.

Trending Tags

ctf tryhackme HackTheBox