Vulnhub virtual machine; OSCP prep box, a classic Linux box which began with some filtered SQLi and workarounds. Proxychains was used to redirect our connection to the target host. Escalation was interesting and getting a full shell even more so.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk. By continuing to read, you acknowledge the aforementioned user risk/responsibilities.
VM Source: https://www.vulnhub.com/entry/skytower-1,96/
Discover VM on network:
Looks like an SSH server, an HTTP server, and a second HTTP server on a non-standard port.
Investigating HTTP - port 80
Login page with a PHP backend. Let's try for a SQLi.
Classic payload: no go on the first try.
No go again.
Returned a SQL error message, leading me to believe it is injectable.
SQL injection evasion technique (just in case OR is being filtered):
Evasion technique link:
Results in SSH login/password credentials.
Investigate HTTP server - port 3128
Stylesheet for Squid Error pages identified
Squid/3.1.20 service identified on the main page.
Searchsploit for vulnerabilities:
Nothing of immediate use.
We will need to pivot via this other web server, as when we connect directly to the SSH server the connection immediately closes.
So we need to configure proxychains.
In /etc/proxychains.conf add:
http 192.168.56.101 3128
Save and reattempt:
We successfully connect to the SSH server but are again kicked out. Let's call
/bin/sh during the connection to see if this aids stability.
Results in a low-level shell. We are now running locally on the box, through the proxy.
Looking around I discover a few other users:
Might be worth checking them out, as john has really limited privileges.
And it just so happens to have hard-coded MySQL passwords.
Log in to MySQL:
username: root / password: root
We now have more credentials. Let's move to sara.
Check what sara can do:
With cat allowed via sudo, we should take the shadow file.
Not that easy without a full shell… let's append the information to another file.
Moving on to getting a full TTY: definitely a hard task, but after much research I discovered that the
.bashrc was killing our connection, and the
exit in it was the issue. Next, we had to remove the bottom lines from it,
since nano and other editors were out of the window.
That did the trick! Now I could log in with an actual prompt.
Well, let's cat the flag.
Bring me the root!