Loading...

THM - Skynet

Created2025-05-29|Updated2025-07-15|writeups

|Post Views:

Enumeration

Enumeration of open ports using nmap :

Looking at the smb share, we see that it is possible to connect to the share using the guest account :

A log1.txt file is then retrieved from the anonymous share, which appears to contain passwords:

Listing the web server folders with dirb, we come across a mail server connection page:

Mail server access

Using hydra and the log1.txt file, we find the password for the milesdyson account (name found when enumerating smb shares).

This gives us access to milesdyson’s mailbox:

A quick search of the mailbox reveals the password for milesdyson’s smb account.

This allows us to access his shared folder and retrieve the file important.txt, which contains a directory name to access his new site.

Cuppa RCE

Enumerating again with dirb, we find the adminstration console:

We then learn that the CMS used is Cuppa. A quick search on the Internet reveals a flaw in this CMS, allowing RFI via the /alertConfig.php file.

This vulnerability allows us to create a reverse shell and obtain the user flag:

Escalation of privileges

To become root, all you have to do is notice that a backup.sh script is executed every minute with root rights:

This script appears to be backing up the website using the tar binary :

As we have write access to the /var/www/html folder, we can create 2 files: /var/www/html/-checkpoint=1 and /var/www/html/-checkpoint-action=exec=bash shell.sh

As the names of these files are valid tar commands, the binary will execute them, enabling us to execute our shell.sh file and obtain and reverse shell as root.

Related Articles

We start by enumerating the open ports with an nmap : We notice that the certificate used for https contains several domain names, so we add them to the /etc/hosts file to access them: Most of the domains are useless, but accessing the domain netops-dev.dodge.thm using https will bring up a blank page: By analyzing the source code, we discover a php file that allows us to modify the firewall configuration: By entering the sudo ufw disable command, we can disable the firewall rul...

This challenge simulates a scenario where you have to compromise an Active Directory environment.Scan nmap : In view of the open ports, we’re probably dealing with an Active Directory environment. We can try to obtain information using a few important ports: Port 53 (DNS) :The nmap scan provides us with FQDNs (Fully Qualified Domain Names) such as haystack.thm.corp. We can then ask DNS to provide us with all DNS records linked to the thm.corp domain. This can be done with the dig utility (di...

We start with an nmap scan We can see that the open ports correspond to those of a Windows machine, which is confirmed by visiting the web site on port 80: We start by trying to enumerate smb shares with the guest account: Note that you have read and write rights on a share. Using impacket-smbclient, we discover a password.txt file containing base64 : By decoding it with CyberChef, we obtain Bob’s and Bill’s identifiers: After trying to use these accounts to access other parts of the serve...

We start with an nmap scan: The robots.txt file reveals 3 directories. Only one of them is accessible:You can now create an account and the initial password will be md5(username+ddmm)So we create a test account with a date of birth of 00/00/0000. We can then calculate the requested hash with the following bash command:Use -n to avoid line breaks. You can then connect to the test account with this password:We can see that the admin account has recently logged in, and we can also see ...

THM - BOF - Task8

Step 1: Find the offsetThe first step is to find the offset that will allow us to replace the return address. To do this, there are 2 methods: Manual method:We can see in the source code that the buffer is 140 bytes long, but between the end of this buffer and the return address there are possible fill bytes (memory alignment) and the rbp register (base pointer), which is 8 bytes long on a 64-bit architecture.So, to overwrite the return address, you’ll need at least 148 bytes. To find out the...

THM - U.A High School

Machine presentation Level: Easy Link: https://tryhackme.com/r/room/yueiua Tools nmap fuzz dirb hexeditor steghide openssl EnumerationWe start with a simple nmap scan: 2 ports are open, the ssh port and the http port.Using dirb, we discover an index.php file in an assets directory, which is unusual: We then try to verify the existence or otherwise of an input parameter to this php file using FUZZ with this command : 1ffuf -u 'http://10.10.85.246/assets/index.php?FUZZ=whoami' -...

Loading Database