Skynet
https://tryhackme.com/room/skynet
Nmap
Task 1 #1
We can begin by looking at our nmap
results with the open samba shares. If we open up enum4linux and define the -a switch which stands for "Do all simple enumeration (-U -S -G -P -r -o -n -i)."
Using this we pull user and share information:
We have a user account of milesdyson and we can now check some shares out. As we can see from the above output access is denied for the milesdyson share but, anonymous should be open for us.
We can use smbclient
to connect.
We can download any files with the get command. Grab the log files inside the logs directory. Log1.txt contains some potential passwords. For now we are finished with the Samba side of things.
We could now answer question #1 with the information that we have. Lets move onto the next interesting port and verify the answer to the quesiton.
Port 80
Moving on over to port 80 we come to the following root directory.
I was not able to extract any interesting information from this page so I next turned to directory brute forcing.
We will be using gobuster as per below:
gobuster does not come preinstalled on Kali Linux so you will need to install with:
sudo apt-get install gobuster
the directory /squirrelmail/ is of interest. Once loaded we can put in the username we grabbed from our samba enumeration earlier.
Since we do not have many password to try we could manually try each password until we hit a valid result.
I will be using OWAS ZAP to fuzz for a valid response instead. I will not be detailing the process for setting up ZAP but you can find a great room on TryHackMe.com for setting up ZAP and a section on how to brute force web logins.
The following results have been shortened but as you can see once the fuzz on the password has completed we can measure the response size field in order to determine a response that would indicate a correct password has been found. Looking at the "Size Resp. Body" Column we can determine this password is valid (this has been removed from the image as per THM writeup guidelines)
After trying the username "milesdyson" which we found with enum4linux
earlier on I added the password found above and was able to login to SquirrelMail.
We can now use this to answer Task 1 #1
The latest email in the inbox looks interesting. When you open the email you should the samba password for milesdyson has been reset. Lets try smbclient
again.
Lets grab the important.txt file with the get
command and take a look at the contents with the cat
command.
Looking at number one this looks like a possible directory. Lets check it out.
We can also use this information to answer question #2.
As the hidden directroy did not contain any interesting information we can return to gobuster and further enumerate.
We find the /administrator/ directory which takes us to the following webpage:
I tried some of the milesdyson credentials we have gathered so far and was unable to login. I next turned to searchsploit
to look for any known exploits:
This takes us to the following exploit on exploit-db https://www.exploit-db.com/exploits/25971
After reading through the exploit we have a few methods on how we can proceed. I will be using the local file inclusion to call a reverse PHP shell.
Download the php file from the following URL: https://pentestmonkey.net/tools/web-shells/php-reverse-shell
Put this in a directory and edit the variables in the script to point back to the attacking machine. Start a python server on the directory with:
After this edit the exploit LFI URI to include the remote machine IP and to include the hidden directory we found earlier. We then need to change the end of the URI to represent the python server on the attacking machine.
Unless specified Python will use port 8000 as the port.
Before executing the LFI we need to set up a netcat listener to catch the shell.
I use port 443 as its usually reliable for accepting inbound connections. You will need to use sudo to set this port as it is in the 1-1024 range. Once the listener is running attempt to browse to our exploit URI and we should get a shell.
From here we can grab the user.txt flag
Privilege escalation
From here we have a backups folder in milesdyson's home directory which has an interesting bash script which can be used for privilege escalation. We will be gaining root by a different method.
First of all I downloaded Linuxexploitsuggester.sh
onto the victim machine and run it. We receive a few good probable exploits. The one we are interested in is CVE-2017-16995.
Head over to exploited-db at the following link: https://www.exploit-db.com/exploits/45010
Download the C code and upload it to the victim machine though the python SimpleHTTPServer which should still be running.
Now we need to compile the code. We have gcc
installed on the machine and can use this to compile the exploit. Once compiled we need to ensure we can execute it by using chmod +x
we can now run the exploit. I did not receive any confirmation once completed. We should have root after a short while. From here grab the root.txt flag from /root/root.txt
Last updated