VulnHub: SkyTower: 1

Initial foothold

  1. Network discovery

My target is 10.0.2.40.

2.Port scan

There’s 1 filtered port (22) and 2 open ports (80 and 3128).

3. OS and service scan

4. Vuln scan

There’s ‘login.php’ on the HTTP service.

Service Enumeration

There’re 3 services

  • 22/tcp filtered ssh
  1. Connect

When I tried to connect, it froze.

  • 80/tcp open http Apache httpd 2.2.22 ((Debian))
  1. Nikto scan

2. Directory scan w/ gobuster

3. Access HTTP site

View page source

4. SQL injection

Since It’s a login form. I will try SQL injection.

Intercept w/ Burp Suite

Send to the Repeater.

Starting w/ this input:

Use decoder to encode for URL

Copy to both email and password parameters. There’s am error mesasge

Take a closer look

There’re 2 problems that I’m facing:

  1. Filter

In my experience, error-based SQLi will show a message like this:

In this case, it’s a weird error message, ‘11’.
Because of this, I suspect that there’s a filter in the code.

2. comment

I supplied ’--’ as acomment to suppress the password field, but the error message still shows that there’s some handling w/ the password field. I need to change it.

To bypass the filter problem, I changed ‘or’ to ‘||’

Take a closer look at the error message, the filter problem should be gone for now.

I got a credential, john : hereisjohn.

  • 3128/tcp open http-proxy Squid http proxy 3.1.20

Access w/ browser. It’s a proxy service.

Exploitation

There’s only SSH service left and proxy service. I will try to use a proxy tunnel and access SSH via the created tunnel

  1. To create proxy tunnel, use this command:

2. Connect to SSH

I could connect, but the connection was cut immediately.

3. Working around SSH to get the shell

  • SSH shellshock
  • Just call /bin/bash

4. TTY shell

This machine doesn't have python.

Try for another one, echo.

My connection was cut again. I’m tired of this, so I have to work around.

My first suspicion is ‘.bashrc’.

There’s the ‘.bashrc’ file.

Edit it

I cannot edit it.

Read it

There’s an ‘exit’ command in the file.

Just remove it

Login again. This time, I don't have to call /bin/bash.

I’m good to go.

Privilege Escalation

  1. Verify users

There’re 3 users on this machine: john, sara, and william.

2. Explore directories

I explored as listed

Finally, I found the ‘login.php’ in /var/www/html. Here are the commands

I got MySQL credential

3. Verify sudo

John cannot run sudo command.

4. Access mysql

Verify version

Login to mysql

List database

There’s SkyTech.

Show tables in SkyTech

There’s login table.

Retrieve data

I got the other 2 users’ credentials, sara and william.

5. Login as sara

The connection was cut immediately like john’s shell.

Remove .bashrc

Login again

6. sara’s sudo

Verify sudo

This user can use /bin/cat /account/*/

Verify path

There’s /accounts directory.

Use wildcard to access /root

Now I got root password

Login as root