{THM} Skynet
After finally managing to get a 1-month subscription on TryHackMe and finishing the Jr Penetration Testing Learning Path, I'm back with another easy challenge from THM. Are you able to compromise this Terminator-themed machine?
As usual, start by enumerating ports and directories. After a while, we got the result.
We got a bunch of open ports, and what caught my eye was port 445 (smb).
For directories, there is not much of interest except for squirrelmail.
Since port 445 is open, let's see whether any shared files might be useful.
From the information given, we know 2 files are available for sharing. Let's look at each of them.
Let's download this file to our machine for further investigation.
Looks like warning notes or emails here.
Since it mentions logs, these might be passwords for milesdyson.
Let's put all this information into the login page and guess the password.
We are in milesdyson's email and we notice a message about a samba password reset. Since earlier we couldn't get access to the milesdyson smb share, let's use the given password and enumerate more.
We manage to get in and find something here. The notes folder seems interesting because it is the only directory, where the others are files.
A bunch of studies about AI, but something's not right here: the file names in this folder mostly start with a number, except for this file. Download the file and let's continue from our machine.
Oh wow, we got a secret CMS directory here. Let's enumerate the directory.
After visiting the directory, it appears to have Cuppa CMS.
Further investigation of this CMS shows it appears to have a Local File Inclusion or Remote File Inclusion vulnerability, which can be used to read sensitive information.
Using the given PoC, let's test it against the directory to read /etc/passwd.
Let's upload a reverse shell script and make it listen to our machine.
Check our listener and we get the user flag.
Since we are www-data, we cannot see sudo permissions since we don't have the password. Let's check /etc/crontab and also the /backup directory in milesdyson's home.
We can escalate to root using wildcard injection. Let's use the basic command for wildcard injection from a previous machine we've done.
Open our listening port and we are in as root.
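From the defender's side, the cron and wildcard finding above can be audited for. The following is an added example, not part of the original writeup: it flags system crontab jobs that pass an unquoted leading wildcard to a command and lists dash-prefixed file names in a directory. The crontab content, the paths and the `archive-tool` command are constructed placeholders.

```python
import os
import re
import shlex
import tempfile

# Constructed sample crontab; the paths and "archive-tool" are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/1 * * * * root cd /srv/site && archive-tool /srv/backup/site.bak *
17 * * * * root cd /srv/site && archive-tool /srv/backup/site.bak ./*
25 6 * * * root run-parts --report /etc/cron.daily
"""

def risky_globs(command, cwd="/"):
    """Return (directory, glob) for unquoted globs that can expand to '-name'."""
    found = []
    for part in re.split(r";|&&|\|\|", command):   # heuristic split, ignores quoting
        words = shlex.split(part, posix=False)     # posix=False keeps quotes on tokens
        if words[:1] == ["cd"] and len(words) > 1:
            cwd = words[1]                         # later globs expand in this directory
            continue
        for word in words[1:]:
            if word == "--":                       # end of options: later names are safe
                break
            if word.startswith(("*", "?", "[")):   # "./*" and "dir/*" never start with "-"
                found.append((cwd, word))
    return found

def audit_crontab(text):
    """Return (user, directory, glob) for system-crontab jobs with a risky glob."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)               # m h dom mon dow user command
        if len(fields) == 7 and not line.lstrip().startswith("#"):
            findings += [(fields[5], d, g) for d, g in risky_globs(fields[6])]
    return findings

def option_like_names(directory):
    """Names that a command would parse as options once the shell expands '*'."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))

def demo():
    """Create a harmless dash-prefixed name in a temp dir and report it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("index.html", "--example-option=value"):
            open(os.path.join(d, name), "w").close()
        return option_like_names(d)

if __name__ == "__main__":
    print(audit_crontab(SAMPLE_CRONTAB), demo())
```

A finding matters most when the flagged directory is writable by a less privileged account than the one running the job. Writing the glob as `./*`, or placing `--` before it for commands that honor it, stops expanded names from being read as options.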
Thanks for reading, hope you guys enjoy it.
SMB enumeration with known user and password
Cuppa CMS
Wildcard Escalation