Skynet Walkthrough - Offensive Pentesting

Reconnaissance

As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA nmap -Pn 10.10.88.15

22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                                               
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA) 
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+bo
z3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SC
pk2YSrj4A7                                    
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
|   256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp  open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:        
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet                                                                         
110/tcp open  pop3        syn-ack ttl 63 Dovecot pop3d
|_pop3-capabilities: TOP UIDL SASL AUTH-RESP-CODE RESP-CODES PIPELINING CAPA
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        syn-ack ttl 63 Dovecot imapd
|_imap-capabilities: OK Pre-login more ID LITERAL+ IDLE have capabilities SASL-IR post-login listed LOGIN-REFERRALS LOGINDISABLEDA0001 ENABLE IMAP4rev1
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerating Port 80

If we navigate to URL:80 we’ll get a search engine.

image

Let’s run gobuster to find some hidden directories or files.

Gobuster

gobuster -w $COMMON -u http://10.10.88.15

Gobuster found /admin and /squirrelmail directory.

/admin

image

/squirrelmail

image

We don’t yet have SquirrelMail credentials let’s move forward with SMB enumeration and come back.

Enumerating SMB

We can do our initial scan of SMB shares with Nmap.

Nmap

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.88.15

SMBClient

smbclient -L //10.10.88.15 -N

We have two shares anonymous and milesdyson which we’re gonna focus for right now and look for some interesting files inside.

[email protected]:/home/m4sterph0enix/Desktop/hackme/Skynet# smbclient //10.10.88.15/anonymous -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Sep 18 09:41:20 2019
  ..                                  D        0  Tue Sep 17 12:20:17 2019
  attention.txt                       N      163  Wed Sep 18 08:04:59 2019
  logs                                D        0  Wed Sep 18 09:42:16 2019
  books                               D        0  Wed Sep 18 09:40:06 2019

                9204224 blocks of size 1024. 5373516 blocks available
smb: \> get attention.txt 
getting file \attention.txt of size 163 as attention.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> dir
  .                                   D        0  Wed Sep 18 09:42:16 2019
  ..                                  D        0  Wed Sep 18 09:41:20 2019
  log2.txt                            N        0  Wed Sep 18 09:42:13 2019
  log1.txt                            N      471  Wed Sep 18 09:41:59 2019
  log3.txt                            N        0  Wed Sep 18 09:42:16 2019

                9204224 blocks of size 1024. 5373516 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.5 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \logs\> 

We have downloaded two files attention.txt and log1.txt let’s take a look at those.

attention.txt

A recent system malfunction has caused various passwords to be changed. All Skynet employees are required to change their password after seeing this.
-Miles Dyson

log1.txt

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
[email protected]#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

As attention.txt hints towards malfunction and passwords changed. Our credentials for SquirrelMail are inside log1.txt let’s brute force it.

BurpSuite

Start intercepting and send SquirrelMail requests to the intruder to brute force login.

We have a list of passwords inside log1.txt but don’t know the username but if you look at attention.txt there’s a user ‘Miles Dyson’ let’s include that for now!

username: milesdyson
password: cyborg007haloterminator

Let’s login at SquirrelMail.

And we are greeted with three emails one of which we’re looking for "Samba Password Reset"

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

Looks like we found SMB user credential to access ‘milesdyson’ share.

Inside notes there’s an important.txt file which we’re gonna download.

Let’s take a look inside important.txt

This seems /45kra24zxs28v3yd like a directory let’s check it.

This is what we got!

Let’s do directory enumeration.

GoBuster

gobuster -w $COMMON -u http://10.10.17.161/45kra24zxs28v3yd/ -t 50

There’s an /administrator directory let’s check it out.

image

There’s cuppa CMS installed let’s search for exploits.

Searchsploit

There’s Local/Remote File Inclusion exploit available for Cuppa CMS.

Testing The Exploit

Let’s upload our payload and get a reverse shell.

Exploitation

Remote File Inclusion

User.txt

User flag located inside /home/milesdyson/user.txt

Privilege Escalation

Now we’re in the machine let’s enumerate further to escalate privileges.

Method #1

Linux kernal 4.8.0-58 is exploitable.

Linux version 4.8.0-58-generic

Compile and run the exploit.

And we got root!

2 Likes