Sigh…Hasta La Vista: THM: Skynet

The usual CTF-oriented nmap quick scan revealed quite a lot of open ports in the target machine:

• [ ] 22: SSH
• [ ] 80: HTTP webserver
• [ ] 110: pop3: Dovecot pop3d
  • POP3 mail server
• [ ] 139: Samba (3.X-4.X)
• [ ] 143: imap: Dovecot imapd
• [ ] 445: Samba 4.3.11

I started the full scan, just to be thorough enough, but we had enough data to get going

nmap -sV -sC -oN nmap.initial $IP
nmap -p- -oN nmap.full -T4 $IP

The webserver strangely looks like a search engine, and it does not produce any results to the random strings I tried.

Just from what we have already seen, we do not have any credentials or information about the users of this machine. Putting web analysis and enumeration on hold for Samba might be the right move to make:

I’m thinking of using smbclient and if that does not get us anywhere enum4linux to get some more information about the shares available

Smbclient does a pretty decent job:

smbclient -L $IP -U guest

Now it would be interesting to connect to any of those shares (except for print actually):

• [ ] anonymous might be the only one not password protected
• [ ] milesdyson might gives us some more information about the user
• [ ] IPC might have some interesting files for us (perhaps a path to gain initial foothold or privilege escalation later on)

• The given wordlist proved useless for ssh login
• Testing the wordlist on the mail entrypoint was a good choice : we got miles password

hydra -l milesdyson -P log1.txt $IP http-post-form "/squirrelmail/src/redirect.php: login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:incorrect"

Using the newly found password, we can try to see if there is any useful information in the user’s email account:

smbclient //$IP/milesdyson -U milesdyson

In this share there are some machine/deep learning related pdfs, a wide set of markdown notes on these topics (might be worth checking out :P), and a file titled important.txt. Sigh I mEaN wHeRe sHoUlD I gO nOw?

There seems to be a personal webpage at the new link we found out about. Again, enumeration is due:

• /administrator gets found by gobuster

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -u http://$IP/45kra24zxs28v3yd -o gobuster.big

Visiting /administrator we get to a login page of CuppaCMS:

My first thought was to check the password we had found for the email, however, my lazy me thought: Too manual, check for exploits first. Apparently there is a readily available exploit in exploit-db: 25971.

Using the following payload, as described in the exploit we found, we see that there is:

1. LFI potential (we could maybe get a flag through that (?))
2. RFI potential (PHP injection) (a reverse shell might be nice as well)

http://skynet.thm/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

We can move to miles home directory and get the user flag, but there are some more interesting files there as well:

• share: the samba share that we have already checked
• backups.sh: i’m thinking that this will be the way to get access as another user: a crontab must be running and while the file itself is not readily exploitable by us (not writeable), we can manipulate its options