Superspam - THM

The ports found by the initial scan, apart from the usual web service on port 80, are fairly uncommon: FTP on 4019 and SSH on 4012. The first thing I tried (more because this is a CTF than anything else) was to log in anonymously to FTP, which gave us access to quite a few files. From the note, we can assume adam and super-spam are usernames. We also learn that the capture file is a reminder of how the alien got in, so we download it for further analysis and open it in Wireshark. While we study it, we can also run a bruteforce against FTP and SSH, just in case.

Midway through the packet capture you will start noticing a lot of deauthentication packets, so this might be a deauth attack. If this is how the alien gained access, maybe he was successful in capturing a handshake and later cracking the captured hash, so we'll try to do the same. aircrack-ng can crack the handshake itself, but I preferred to use it only to export the hash in a hashcat-friendly format (-j flag) so that I could crack it in hashcat.
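A defender-side way to confirm what the capture shows, as an added example that is not part of the original writeup: it reads the 802.11 frame-control octet to pick out deauthentication and disassociation frames and flags any sender whose rate exceeds a threshold within a sliding window. The frames it runs on are constructed in the block, not taken from the room's pcap.

```python
# Added example (not from the original writeup): flag a deauthentication flood
# in raw 802.11 frames. Every frame below is constructed test data, not the room's pcap.
from collections import defaultdict

MGMT = 0                               # frame type 0 = management
DEAUTH, DISASSOC, BEACON = 12, 10, 8   # management subtypes

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a 24-byte MAC header."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0 = frame[0]                     # frame control octet: b2-3 type, b4-7 subtype
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return ftype, subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a minimal management frame: FC, duration, 3 addresses, seq ctl, body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def find_deauth_floods(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes). Returns
    {sender_mac: peak_count} for senders whose deauth/disassoc frames exceed
    threshold within any window-second span. Rate, not address, is the
    tell: a deauth attack spoofs the AP's MAC, so the sender looks legitimate."""
    times_by_sender = defaultdict(list)
    for ts, raw in frames:
        ftype, subtype, _, src, _ = parse_80211_header(raw)
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            times_by_sender[src].append(ts)
    floods = {}
    for src, times in times_by_sender.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[src] = peak
    return floods

# Constructed sample: one benign deauth, then a 40-frame broadcast burst plus beacons.
AP, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE_FRAMES = [(0.0, build_mgmt_frame(DEAUTH, CLIENT, AP, AP, b"\x07\x00"))]
SAMPLE_FRAMES += [(5.0 + i * 0.01, build_mgmt_frame(DEAUTH, BCAST, AP, AP, b"\x07\x00")) for i in range(40)]
SAMPLE_FRAMES += [(5.0 + i * 0.02, build_mgmt_frame(BEACON, BCAST, AP, AP)) for i in range(20)]
```

On the sample, find_deauth_floods reports the AP's address with a peak of 40 frames inside one second, while the single early deauth alone is not flagged; to use it on a real capture, feed it (timestamp, raw 802.11 frame) pairs from any pcap reader that exposes the link-layer payload.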

It won't take long before hashcat cracks it, and there we have a password. But what can we use it for?

Let's take a look at port 80. Looking at post authors we can add the following usernames to our list:

BenjaminBlogger
LucyLoser
AdamAdmin
DonaldDump

We now use this list against the login page of the web server, trying the password we found earlier (password reuse is a life saver while pentesting), and successfully authenticate to the CMS.

Googling the CMS version we find an interesting article that says:

The experts pointed out that the flaw could have been exploited to add PHP extension in the list of allowed extensions and then upload the file.

Which is exactly what we'll do. A disclosure on HackerOne gives full details on how to perform this attack, and in no time you have a reverse shell as www-data. Looking at /etc/passwd we find out that not all of our usernames were good; in fact, the only valid ones were:

super-spam:x:1000:1004:,,,:/home/super-spam:/bin/bash
lucyloser:x:1001:1005:,,,:/home/lucyloser:/bin/bash
benjaminblogger:x:1002:1006:,,,:/home/benjaminblogger:/bin/bash
donalddump:x:1003:1007:,,,:/home/donalddump:/bin/bash

There is also an interesting mysql user, so is there a DB somewhere? Looking at listening services, there is a database listening locally on 3306. I lost a bit of time on that to no avail; it is not where you should be looking.

Besides that, we can read both the first flag and a note by snooping around in the user homes. The home directories are a huge mess, so you will probably need to search them little by little to make sure you don't miss anything; it's good training in thorough enumeration. Don't miss the python script among the many images, and be sure to read the note. Move what you need to the attacking machine (the note should tell you which files are useful and which aren't) and retrieve the hidden credential.

With this new password you can log in as one of the other users on the machine. Look in their home and you'll notice a "passwd" file. You can use this to log in to the VNC server, which runs as root. Retrieve the flag, decode it and you are done.

As always, merry hacking! ;)



More from emacab98