So, before I start writing the steps taken to compromise the box, I honestly found the box very different than the usual and hence had to spend some time to crack this.
A default TCP scan exposed the below service running
I normally start testing the box on port 80. This includes directory brute force, nikto scan, robots,txt / sitemap.xml etc.
However, none of this worked for me.
Hence, I was forced to investigate other exposed services.
I Used netcat to grab for version related details for the 110,143 and found the below:
This presented me with a welcome message from Fowsniff Mail server
However again I have nothing more to do here accept than looking for any possible exploits around this.
Finally, I used nmap again to grab version specific details for the exposed services.
Below was the observation:
I googled for any possible exploits for the mentioned versions however was unable to successfully get something that would help taking over the box.
I finally back to the webpage and this time noticed something that was missed by me in the first shot.
Googling about Fowsniff landed me here:
As the message confirmed that the passwords were MD5 hash, I used john to crack the hashes.
As, certain login credentials were gathered I attempted SSH, however ended up with no luck.
Next, I tried accessing the mailbox of the servers on POP3
Finally using the List command along with the RETR, I was able to gain another clear text credential.
Next was to use the enumeration credential somewhere, hence the only option left was the SSH protocol.
We had multiple usernames and a single password S1ck3nBluff+secureshell, hence multiple tries were made, and I was eventually successful.
This was the trickiest part of the box.
I ran the linux exploit suggester and other scripts to check for any sensitive info or privilege escalation opportunities, however no luck.
No exploits worked for me.
After multiple unsuccessful attempts and loads of frustration, I thought to check for the SSH banner file.
The below command generated and error
cat /etc/motd hence I need to google about the same which landed me here
I understood that the file on the location “/etc/update-motd.d/00-header” is responsible for the message of the day being presented.
Having a looks at it revealed the following:
Upon reading the file we noted that the script contains another files cube.sh that resides within /opt/cube
Also, the user can write to the file
I edited the file and added to it a perl based reverse shell payload.
Next was to setup a listener on the mentioned port and re-login ssh.
This in return gave what was expected