Skynet

https://tryhackme.com/room/skynet

Reconnaissance

Don't waste time: start an nmap scan, as always:

> nmap -sS -T5 -A -p- <TARGET-IP>

While the scan is running, let's check the web page, which looks like a search engine:

Main webpage

By now the scan has finished. This is the result:

NMAP SCAN PART 1
NMAP SCAN PART 2

As you can see, SMB is running on the server. We need Miles' email password, so perhaps something interesting can be found on the shares. Let's enumerate them:

Results of smbmap

The anonymous share could hold something interesting. Let's access it using smbclient:

We logged in as anonymous without providing a password. Remember that we are looking for a password, so the logs directory looks promising. It contains three log files, but only log1.txt has any content (as you can see, log2.txt and log3.txt are 0 bytes). Let's download it to our machine and open it:

log1.txt downloaded from the server

It looks like a list of passwords, but where can we try them? We should find a login page. To do that, let's use dirbuster:

Dirbuster settings

After running the scan we find a directory called squirrelmail. Let's open it in the browser. It is a login page, so we can use Burp Suite to brute-force Miles' account. First we intercept the login request:

SquirrelMail login page
SquirrelMail login page request

We know from the SMB shares that the username is probably milesdyson, and that the password should be one of those in log1.txt. Let's send the request to Intruder and start a Sniper attack after loading the password list:

Brute-force attack 1
Brute-force attack 2

Now we can start the attack. Burp Suite will try each entry in Payload Options and report the response status and length for each one. This may take a few minutes with the free version of Burp Suite.

When the length of one response differs from all the others, you have probably found the correct password.

So the password for milesdyson is cyborg007haloterminator. Let's log in to SquirrelMail. Here we find an email containing the SMB password, which we use to log in over SMB:

SMB access to the server

In important.txt we find the name of a hidden directory. Let's run a dirbuster scan against it. Reading through the output, /administrator/index.php catches our attention. We open it:

Cuppa CMS login page

It is the login page for the CMS administration panel. How can we find the credentials? We tried default credentials, but they didn't work. Let's google for known Cuppa CMS vulnerabilities; we find the Exploit-DB page. Reading it, we learn that the urlConfig parameter includes whatever file it is pointed at, which lets us read local files and ultimately execute remote commands through this link: http://<TARGET-IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Output of the previous request

But what do we want to achieve? We need a reverse shell in order to get the user flag and then escalate our privileges to root. To do that we create a PHP reverse shell payload on our local machine, serve it over HTTP, and include it through the urlConfig parameter.

Let's download the payload here (remember to change the IP address and port number) and start SimpleHTTPServer:

To catch the shell we need a listener on our local machine:

nc listener waiting for connections
Reverse shell

BOOM! We get a shell as www-data and easily grab the user flag.

Before jumping into the privilege escalation section, we want to stabilize the shell and spawn a proper TTY.

A fresh reverse shell is often awkward: you can't autocomplete with TAB, browse the history, and so on. It is good practice to upgrade the bare shell to a TTY shell for a better experience.

So our first step is to stabilize the shell. We do that using the Python pty module:

Using Python to stabilize the shell

Now we can, for example, see the id of the user running the shell. This is better than the shell we had before, but we still can't tab-complete and so on. Let's suspend this session with Ctrl-Z:

Upgrading shell part 1

We want the reverse shell to behave like our local shell. Let's do this with the help of this page. (I suggest you bookmark it; it has a lot of pre-built payloads that can be useful.)

Upgrading shell part 2

When we hit Enter our terminal is cleared and we have a fully functional TTY shell. Looks good, right?

Shell successfully upgraded

Privilege Escalation

We are currently logged in as www-data and we want to get to root. We will use LinPEAS for that purpose.

LinPEAS is a Swiss-army-knife enumeration script for privilege escalation: it reports useful information about the target machine such as SUID binaries and cron jobs.

I have it on my own machine, so we need to transfer it. Before that we must find a writable directory:

Now we transfer linpeas.sh to /var/tmp over HTTP:

Moving linpeas.sh part 1
Moving linpeas.sh part 2

Nice! Let's run it. We get a HUGE output. With some patience and research, in the cron jobs section we find a bash script that is executed every minute:

backup.sh code

Analyzing the code we see that it is vulnerable to wildcard injection because of the unquoted "*": the shell expands it to every file name in the directory, so a file whose name begins with a dash is passed to the backup command as an option rather than as a file. Since the script runs as root from cron, and www-data can write to /var/www/html, let's create a malicious script in that directory:

After a minute, /bin/bash should be a SUID binary. Let's spawn a new shell and check whether we are root:

As you can see, after a minute /bin/bash is a SUID binary

Awesome! We reached root!
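To close the loop from the defender's side, here is the vulnerable backup pattern beside a hardened version. This is an added example, not code from the writeup or from the room; it assumes backup.sh is essentially a tar command run over an unquoted `*` (the classic shape of this bug), and the demo directory and its option-like file name are constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup). Assumes backup.sh is
# essentially `cd <dir> && tar cf <archive> *`, the classic pattern behind
# the wildcard injection described above.

# Vulnerable form: the shell expands * into file names, and tar reads any
# name beginning with '-' as an option. A file literally named "--version"
# makes tar print its version and exit before archiving anything.
backup_unsafe() {
    dir=$1
    out=$2
    ( cd "$dir" && tar cf "$out" * ) >/dev/null 2>&1
}

# Hardened form: no glob at all. -C enters the directory and "." names its
# contents, so every entry is archived as "./name" and none can be parsed
# as an option. (Equivalent fixes: `tar cf "$out" -- *` or `tar cf "$out" ./*`.)
backup_safe() {
    dir=$1
    out=$2
    tar cf "$out" -C "$dir" . >/dev/null 2>&1
}

# Constructed demo directory: an ordinary web file plus a file whose name
# looks like a tar option, the kind a local user with write access can drop.
setup_demo() {
    d=$(mktemp -d)
    echo "<html></html>" > "$d/index.html"
    : > "$d/--version"
    printf '%s' "$d"
}

# Number of index.html entries in an archive; 0 if the archive was never created.
archive_has_index() {
    [ -f "$1" ] || { echo 0; return 0; }
    tar tf "$1" | grep -c 'index\.html$' || true
}

# Stand-alone demo: the unsafe backup silently loses the site, the safe one keeps it.
demo=$(setup_demo)
backup_unsafe "$demo" "$demo.unsafe.tar" || true
backup_safe "$demo" "$demo.safe.tar"
echo "unsafe archive index.html entries: $(archive_has_index "$demo.unsafe.tar")"
echo "safe archive index.html entries:   $(archive_has_index "$demo.safe.tar")"
```

The same silent failure is a detection opportunity: a root cron backup whose archive is missing or shrinks unexpectedly is worth an alert even before anyone thinks about injection.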
