Skynet : TryHackMe Writeup

Skynet

Executive Summary

In this engagement, we started by enumerating a SMB server, then we were able to access some interesting files that we then used to get an initial access to the target system by exploiting a web vulnerability. From there, we escalated our privileges by leveraging a wildcard injection attack.

Setup

A good practice to do after setting up the local hosts file, consists of making sure that the target replies to our ICMP request packets before running Nmap.

Reconnaissance

Nmap Scan

Nmap Scan

We have 6 open ports : SSH, HTTP, SMB, IMAP, POP3, NetBIOS.

Here, it’s crucial to know the frequently exploited ports on a Linux host before performing service enumeration, otherwise you will waste lots of time on uncommon exploited services.

Therefore, I will first start with HTTP and SMB.

Service Enumeration

SMB

SMB (tcp/445) is a network file sharing protocol that is used to share files and peripherals (printers, serial ports) between computers on a network.

Due to security misconfigurations, the SMB server can sometimes allow anonymous access. An anonymous access allows a user to connect to a share without providing any password.

The presence of an anonymous access is typically determined by checking for specific permissions or access levels.

To check that, we can use a tool called SMBMap which is a handy python script used to enumerate SMB shares.

Checking Anonymous Access

The command above lists the available shares on the SMB server with their respective permissions.

Note : You can notice that we didn’t specify any username in the command above. Indeed, SMBMap uses the Guest user by default.

As you can see the anonymous share allows anonymous access. If it was not the case, we would have got “No Access” under the permissions section.

Nevertheless, as you may notice, we can only read the content of the anonymous share. Let’s take a look at it. Shall we ?

Anonymous share content

-R : used to list recursively the directories and files of a specified share (anonymous in our scenario).

After listing the content of the share, we can notice that there are some interesting files (attention.txt and logs).

Let’s try to download them on our attacker system. For that, we are going to use a tool called smbclient.

Downloading anonymous share’s content using smbclient

Great! Let’s now check the content of each of the downloaded files :

Taking a look at the ‘attention.txt’ file, we can notice a person called Miles Dyson is urging all the employees to change their ASAP due to a system malfunction that occurred.

Furthermore, by displaying the content of the log1.txt file located in the logs directory, we can notice a list of words that look like passwords.

Excellent! Let’s now now enumerate the HTTP server.

HTTP

One of the first things to do after finding out a web consists of finding the technologies running on it :

Main Webpage

Thanks to Wappalyzer, we know that the version of the Apache webserver is 2.4.18.

Let’s check if this version is vulnerable. To do that, we can use searchsploit :

Exploit research

Unfortunately, we found nothing related to version 2.4.18.

However, let’s now try to perform some directory/file enumeration using Gobuster.

Directory and File Enumeration

Directory/File Enumeration

Great! We found some interesting directories.

Let’s check them out.

/admin

/config

/squirrelmail

Though we don’t have access to /admin and /config, we do have access to the /squirrelmail login webpage.

SquirrelMail is a web-based email application written in PHP and used to access and manage emails through a web interface. It provides users with a convenient way to read, send, and organize their email messages using a web browser.

Here, as an attacker we can leverage two attack vectors namely :

• Check if the squirrelmail’s version is vulnerable.
• Perform a brute-force attack against the login page.

Let’s first check by checking the version of the squirrelmail is vulnerable :

Exploit Research

Unlikely for us, we found nothing related to the version being used by our web-based email application.

With that said, let’s try the second attack vector which consisted of conducting a brute-force attack against the login page.

To do that, we need a valid username and a wordlist.

As a reminder, we found a name (miles dyson) when taking a look at the attention.txt file. This may be a valid username.

Regarding the wordlist, we can use the log1.txt file which seems to contain a list of passwords.

Let’s now intercept the login request with Burp Suite, then perform the brute-force attack using hydra :

Intercepting POST request with Burp Proxy

Brute-Forcing SquirrelMail login page

Now, you should be able to answer the first question.

[Task 2] — What is the hidden directory ?

Before going any further, let’s login to Mike’s email account :

Mike’s inbox

Here, the subject of the first mail caught my eye. Let’s check its content :

Skynet’s email content

Amazing! This is the password of Mike’s smb share.

Let’s try it. Shall we ?

Accessing Miles’ share

Awesome, it works !

As usual, let’s first download the files on our machine. For that, we’re going to use this time a tool called smbget which is a wget-like utility for downloading files over SMB :

Downloading Miles’ share content

Let’s check the content of the ‘important.txt’ file :

important.txt’s content

On the first line, we can see that Miles reminds himself that he needs to add features to beta CMS using a specific path /4xxxxx

Let’s access to this path in our browser :

Accessing skynet.thm/4xxxx

[Task 3] — What is the vulnerability called when you can include a remote file for malicious purposes ?

This is called a Remote File Inclusion (RFI).

Initial Access

[Task 4] — What is the user flag ?

In order to exploit the RFI vulnerability, we will first need to find a parameter where we can inject our malicious URL.

To do that, let’s perform a directory/file enumeration using the hidden path we found earlier :

Directory/File Enumeration

Administrator page

As you can see, the administrator page is running a CMS called Cuppa.

A good practice before performing any brute-force attack against a CMS will consist of looking first for its default credentials :

Cuppa CMS default credentials

Unfortunately, the default credentials did not work.

Trying to log in using the default credentials

Let’s now try to search for exploits related to this CMS :

Exploit Research

We can then download the exploit using the following command :

searchsploit -m 25971

Exploit Information

In order to exploit this vulnerability, we are going to generate a php reverse shell.

For that, we are going to exploit the remote file inclusion vulnerability.

In order to successfully exploit the RFI vulnerability, we are going to proceed as follows :

1. Configure the php reverse shell by changing its IP address and listening port.
2. Setup an external server on which the payload will be hosted.
3. Setup a netcat listener.
4. Exploit the RFI to obtain a reverse shell

You can find the php reverse shell in the /usr/share/webshells/php directory on your kali machine.

Configuring the php reverse shell

Note 📝 : Make sure to change the IP address and the listening port in the php reverse shell file.

Once done, let’s launch our python web server :

Setting up the http server

Then, let’s run our netcat listener

Netcat listener

Finally, let’s exploit the RFI :

Exploiting the RFI vulnerability

Wonderful, we got the reverse shell !

Reverse shell

After getting a reverse shell, it’s always a good practice to stabilize it :

Stabilizing the reverse shell

user.txt flag

Privilege Escalation

[Task 5] — What is the root flag ?

To get the root flag, we need to escalate our privileges.

Knowing that our target is running a GNU/Linux distribution (Ubuntu), we are going to download a privilege escalation script called Linpeas :

Once done, let’s download this script on the target machine using wget :

Once downloaded on the target machine, let’s give the script execution permissions, then run it :

Interesting! We found in the crontab list, a script (backup.sh) located in /home/milesdyson/backups/ directory and executed by root.

Knowing that the script in question is located in our home directory (milesdyson), let’s check if we can change it :

Unfortunately, we don’t have permission to either modify or delete the backup.sh file.

Let’s now check the content of the backup.sh file :

The backup.sh script firstly changes the directory to /var/www/html, then uses tar to compress the content of that directory into an archive called backup.tgz that it stores in /home/milesdyson/backups/ directory.

After performing some research, I came across this article that explains how to take advantage of the wildcard in the tar command using a technique called wildcard injection.

In order to successfully exploit this vulnerability, we’re going to proceed as follows :

1. Create a script to set the SUID bit to /bin/bash.

echo -e '#!/bin/bash\nchmod +s /bin/bash' > /var/www/html/root_shell.sh

2. Create these two files --checkpoint-action=exec=sh root_shell.sh and --checkpoint=1 . Here’s how to do that :

touch "/var/www/html/--checkpoint-action=exec=sh root_shell.sh"

touch "/var/www/html/--checkpoint=1"

--checkpoint-action=ACTION and --checkpoint[=Number] are two options available with the tar command.

• --checkpoint[=Number] : displays progress messages every Numberth record (default 10)
• --checkpoint-action=ACTION : executes ACTION on each checkpoint. In our case exec.
• exec=command : executes the specified command. In our case ‘sh root_shell.sh’

Therefore, when the cronjob will execute the next minute, it will take the two files we created above as options rather than normal filenames and set /bin/bash with setuid permission.

Here are the permissions related to /bin/bash binary before performing the wildcard injection attack :

As you can see, it has no SUID bit set.

Let’s execute the instructions listed above :

To check if our attack succeeded, we can simply check if the SUID was set to /bin/bash binary :

As you can see, it works.

Now, we can simply obtain a privileged shell by executing the following command : /bin/bash -p

Awesome! Let’s now retrieve the root.txt flag.

Root.txt flag

Cheers

After getting the keys of the kingdom, the pentest is not finished.

We need to provide our client some security measures to fix the detected vulnerabilities. This will help them enhancing their security posture.

Recommandations

• It’s best practice to disable anonymous login for SMB to reduce unauthorized access to critical files.
• Passwords should not be stored in plaintext files (log1.txt)
• It’s advised to not send sensitive information such passwords on email.
• Always make sure to update your softwares (Cuppa). This will prevent threat actors to exploit your softwares by using publicly known exploits.
• Although wildcard injection can be extremely dangerous, it is also pretty easy to avoid. Adding the full path of the directory in front of the wildcard is enough to mitigate the attack. This is exploitable : command * while this isn’t: command /path/to/some/folder/*

Wrapping Up

Skynet was a really fun machine to pwn.

Overall, we covered topics such as :

• SMB share enumeration with tools such as smbmap, smbclient
• Remote File Inclusion vulnerability
• Wildcard injection attack

With that said, I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.

References

https://squirrelmail.org/about/
https://www.hackingdna.com/2021/05/pentest-notes-how-to-use-smbmap.html
http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion
https://www.hackingdna.com/2021/05/pentest-notes-smb-recon-with-nmap.html
https://www.nopsec.com/blog/smbmap-wield-it-like-the-creator/
https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
https://systemweakness.com/privilege-escalation-using-wildcard-injection-tar-wildcard-injection-a57bc81df61c
https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/

Contact

GitHub : https://github.com/0liverFlow