Web
Nmap discovered a web service on target port 80
The running service is Apache httpd 2.4.18
Additionally, the target domain name has been provided
The /etc/hosts file on Kali has been updated
Webroot
The target web application appears to be built with Gila CMS
There is only one post
Gila CMS is a content management system made in PHP and MySQL. Built with MVC architecture, is very easy to develop on it any customized solution.
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/thm/cmess]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.cmess.thm' -ic -mc all -fw 522
________________________________________________
:: Method : GET
:: URL : http://10.10.107.72/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.cmess.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response words: 522
________________________________________________
dev [Status: 200, Size: 934, Words: 191, Lines: 31, Duration: 2163ms]
:: Progress: [114437/114437] :: Job [1/1] :: 11 req/sec :: Duration: [0:18:25] :: Errors: 0 ::
ffuf found the dev virtual host
The /etc/hosts file on Kali has been updated to include dev.cmess.thm
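Seen from the server side, the Host-header fuzzing above shows up as a single client cycling through many Host values in a short time. The following is an added example, not part of the original write-up: it flags that pattern in Apache access logs, assuming a custom LogFormat that records %{Host}i as the first field. The log lines, client addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache LogFormat (not from the page): "%{Host}i %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$'
)

def parse(line):
    """Return (client, host, timestamp) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["client"], m["host"].lower(), ts

def detect_vhost_enum(lines, window_s=60, threshold=5):
    """Map each client to the peak number of distinct Host values it sent
    inside any window_s-second window, keeping clients at or above threshold."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        client, host, ts = rec
        events[client].append((ts, host))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start, counts, peak = 0, defaultdict(int), 0
        for ts, host in evs:
            counts[host] += 1
            # Slide the window: drop events older than window_s seconds.
            while ts - evs[start][0] > timedelta(seconds=window_s):
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[client] = peak
    return flagged

def sample_log():
    """Constructed log: one client rotating Host values, one ordinary visitor."""
    subs = ["www", "mail", "ftp", "dev", "admin", "test", "vpn", "api"]
    fmt = '{} {} - - [01/Jan/2024:10:00:{:02d} +0000] "GET / HTTP/1.1" 200 3865'
    lines = [fmt.format(s + ".cmess.thm", "192.0.2.10", i) for i, s in enumerate(subs)]
    lines += [fmt.format("cmess.thm", "198.51.100.7", i * 5) for i in range(6)]
    return lines

if __name__ == "__main__":
    print(detect_vhost_enum(sample_log()))
```

The default vhost_combined format logs %v, the name of the virtual host that served the request, so unmatched Host values collapse into the default vhost and the rotation is not visible without %{Host}i.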
admin page
The admin page is located at /admin
No known credentials for now
Authentication
Cleartext credential disclosure has been identified on the virtual host / sub-domain dev.cmess.thm
Authenticating
Authenticated as the andre user
Version information is also disclosed: 1.10.9
Vulnerabilities
┌──(kali㉿kali)-[~/archive/thm/cmess]
└─$ searchsploit gila 1.10.9
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated) | php/webapps/51569.py
Gila CMS < 1.11.1 - Local File Inclusion | multiple/webapps/47407.txt
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
The target Gila CMS instance suffers from an RCE vulnerability
Moving on to the Exploitation phase