A vulnerable Terminator themed Linux machine.
This is Skynet from THM. It’s rated easy, subscriber-only, and part of the ‘Offensive Pentesting’ learning path. I’ve decided to subscribe; I’ll just try one month at this stage and see if I like it.
We’ve got a few ports:
PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 110/tcp open pop3
- 139/tcp open netbios-ssn
- 143/tcp open imap
- 445/tcp open microsoft-ds
We can see there are a couple of shares; particularly anonymous and milesdyson. The milesdyson share requires credentials, whereas the anonymous one (duh) does not. In there we get a message about passwords needing to be changed, signed by Miles Dyson. There are also three ‘log’ files; two are empty and the other one contains what looks like a list of passwords.
The front page is a search box that doesn’t appear to do anything, and we’ve got no robots.txt.
Dirsearch finds a few things we don’t have access to (particularly admin and config), but also something we do: squirrelmail. This is a webmail client with a login page.
root@kali:/opt/tryhackme/battery# cat /opt/dirsearch/reports/battery.thm/_21-01-15_20-41-52.txt
200 663B http://battery.thm:80/admin.php
302 908B http://battery.thm:80/dashboard.php -> REDIRECTS TO: admin.php
200 2KB http://battery.thm:80/forms.php
200 406B http://battery.thm:80/index.html
302 0B http://battery.thm:80/logout.php -> REDIRECTS TO: admin.php
200 715B http://battery.thm:80/register.php
200 17KB http://battery.thm:80/report
301 311B http://battery.thm:80/scripts -> REDIRECTS TO: http://battery.thm/scripts/
200 2KB http://battery.thm:80/scripts/
403 292B http://battery.thm:80/server-status/
While searchsploit does have entries for squirrelmail, there are none for this version. So we need to break in.
I’ve used Hydra in the past to brute-force login pages, but it had a little trouble with this one. The error message given by the webapp for an incorrect login attempt was:
Unknown user or password incorrect.
Go to the login page
After some trial and error, I found that Hydra responded correctly (i.e. correctly identified the user:pass combination) if the error message was Unknown user or password incorrect or some part thereof, but NOT if the error message was specified as ERROR or Go to the login page. So, for example:
hydra -l milesdyson -P log1.txt 10.10.158.183 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown"
This worked, but this (below) did not:
hydra -l milesdyson -P log1.txt 10.10.158.183 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=ERROR"
This is fairly unsatisfactory: a null result is a perfectly valid outcome, but it leaves us unable to tell whether no valid credential combination exists in the list or whether Hydra simply failed to parse the page response.
As an experiment, I tried Medusa instead to see if it behaved any better. But it didn’t seem to work at all.
After some more research I decided to try patator, about which the creator says: Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks.
Anyway, it seemed to work very well indeed and successfully grepped the response for the error messages the way I would have thought Hydra should have, so it will now be my go-to:
patator http_fuzz url=http://10.10.204.243/squirrelmail/src/redirect.php method=POST body='login_username=FILE0&secretkey=FILE1&js_autodetect_results=1&just_logged_in=1' 0=./username 1=./log1.txt accept_cookie=1 -x ignore:fgrep='ERROR'
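Every one of those Hydra and patator runs is a burst of POSTs to the same login endpoint, which is exactly what a defender should be watching for on the server side. The following is an added example written for this write-up; it is not code from the post or from Hydra, Medusa or patator. It flags sources that POST to the webmail login path more than a threshold number of times inside a sliding time window, working from combined-format access logs. LOGIN_PATH is taken from the commands above, while the thresholds and the log lines are constructed assumptions.

```python
"""
Flag credential-guessing bursts against a webmail login endpoint in
Apache/nginx combined-format access logs.

Added example for this write-up, not code from the post or from Hydra,
Medusa or patator. The thresholds and the log lines below are constructed
assumptions; LOGIN_PATH is the endpoint the write-up's commands target.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint the brute-force tools POST to in the write-up.
LOGIN_PATH = "/squirrelmail/src/redirect.php"

# Combined log: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """
    Return {source_ip: total_login_posts} for every source that POSTs to
    LOGIN_PATH at least `threshold` times within any sliding window of
    `window_seconds`. Every POST counts, successful or not: the rate is the
    signal. A slow spray spaced wider than the window is not flagged at the
    default settings, which is the trade-off the two parameters control.
    """
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH:
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample: one ordinary visitor, one fast guessing burst, one slow spray.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2021:20:41:52 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jan/2021:20:41:55 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:00 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:01 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:02 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:03 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:04 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:05 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2021:20:42:06 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jan/2021:20:50:00 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jan/2021:20:52:00 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jan/2021:20:54:00 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jan/2021:20:56:00 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jan/2021:20:58:00 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access-log record
"""

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} login POSTs, burst over threshold")
```

With the defaults only 10.0.0.9 is reported; the slow spray from 10.0.0.7 at one guess every two minutes only shows up if the window is widened (threshold=2, window_seconds=120 catches it). That is the usual tension with rate-based rules, which is why the same log is also worth feeding to an account-centric rule (many distinct sources against one username) on a service like webmail.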
The point of this exercise was to get into Miles’s webmail, where we found his SMB password. With that we can log in to his share and retrieve some information:
So now we have a hidden directory to investigate.
In the hidden directory, under the /administrator subdirectory, we find Cuppa CMS. There is a login page, but checking searchsploit shows we don’t need to log in, since there is an unauthenticated LFI/RFI vulnerability:
I host the PentestMonkey PHP reverse shell on my box and use the RFI:
And with a separate listener, we are on the box.
We are on as www-data, but we can read the user flag from /home/milesdyson. We could also su to miles with the password we found earlier for his webmail, but we don’t need to. We have a root cronjob with a tar wildcard to take advantage of:
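A root cron job that runs tar against an unquoted wildcard is the kind of thing a host audit should catch before anyone lands a shell. The following is an added example, not code from the write-up or from the target machine: a small Python auditor that parses system-crontab-style entries and reports any tar invocation whose glob argument has no fixed prefix, since only those can expand to filenames that tar would parse as options. The sample crontab is constructed and is not the machine's real one.

```python
"""
Audit system crontab entries for the 'tar run against an unquoted wildcard'
pattern mentioned at the end of the write-up.

Added example, not code from the post or from the target machine; the
sample crontab at the bottom is constructed, not the real one.
"""
import re

GLOB_CHARS = set("*?[")
# Separators between simple commands: cmd1 && cmd2, cmd1 ; cmd2, cmd1 | cmd2, cmd1 || cmd2
CMD_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def shell_tokens(simple):
    """
    Split one simple command into (word, first_glob) pairs, honouring '...' and
    "..." quoting (backslash escapes are not handled). first_glob is the index
    of the first *unquoted* glob character in the word, or -1 if there is none;
    only unquoted glob characters are expanded by the shell.
    """
    tokens, cur, first_glob, quote = [], [], -1, None
    for ch in simple:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append(("".join(cur), first_glob))
                cur, first_glob = [], -1
        else:
            if ch in GLOB_CHARS and first_glob < 0:
                first_glob = len(cur)
            cur.append(ch)
    if cur:
        tokens.append(("".join(cur), first_glob))
    return tokens


def risky_tar_globs(command):
    """
    Return the arguments of any tar invocation in `command` whose shell
    expansion could begin with '-'. That is the case only when the glob has no
    fixed prefix (e.g. '*' or '*.csv'); '/var/log/*.log' or './*' always expand
    to names tar cannot mistake for options, so they are not reported.
    """
    hits = []
    for simple in CMD_SPLIT_RE.split(command):
        toks = shell_tokens(simple)
        if not toks or toks[0][0].rsplit("/", 1)[-1] != "tar":
            continue
        hits.extend(word for word, first_glob in toks[1:] if first_glob == 0)
    return hits


def parse_crontab(text):
    """Parse /etc/crontab or /etc/cron.d style lines into schedule, user and command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue  # blank, comment or environment assignment
        fields = line.split(None, 6)
        if fields[0].startswith("@"):  # @daily, @reboot, ...
            if len(fields) < 3:
                continue
            entries.append({"schedule": fields[0], "user": fields[1], "command": " ".join(fields[2:])})
        elif len(fields) == 7:
            entries.append({"schedule": " ".join(fields[:5]), "user": fields[5], "command": fields[6]})
    return entries


def audit(text):
    """Entries whose command runs tar on a dangerous glob; root's jobs are rated high."""
    findings = []
    for e in parse_crontab(text):
        globs = risky_tar_globs(e["command"])
        if globs:
            findings.append({**e, "globs": globs, "severity": "high" if e["user"] == "root" else "medium"})
    return findings


# Constructed sample, not the target machine's crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
*/1 * * * * root cd /var/www/html/uploads && /bin/tar -zcf /var/backups/uploads.tgz *
0 3 * * * root /bin/tar -zcf /var/backups/www.tgz -C /var/www/html .
30 3 * * * backup cd /home/backup/data && tar -czf /tmp/data.tgz *.csv
40 3 * * * backup tar -czf /tmp/logs.tgz /var/log/app/*.log
45 3 * * * root /bin/tar -zcf /var/backups/etc.tgz --exclude='*.tmp' /etc
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f"[{f['severity']}] {f['user']}: {f['command']}  <- globs {f['globs']}")
```

The second sample line shows the shape a safe job takes: point tar at the directory with `-C /dir .` instead of expanding `*` in it, or at least prefix the glob with `./` so no expansion can start with a dash. Two limits worth knowing: the scanner reads only the crontab line itself, so a job that calls a backup script needs the script audited the same way, and it does not follow backslash escapes or sub-shells, so treat it as a first pass rather than a verdict.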