Skytower 1

VulnHub virtual machine and OSCP prep box: a classic Linux box that begins with a filtered SQL injection and the workarounds for it. Direct SSH is not usable, so proxychains is used to route the connection to the target through the box's own Squid proxy. Escalation was interesting, and getting a full shell even more so.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.


VM Source: https://www.vulnhub.com/entry/skytower-1,96/

Discover VM on network:

netdiscover -r 192.168.56.0/24

Target: 192.168.56.101

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/skytower 192.168.56.101

The scan shows an SSH server, an HTTP server on port 80, and a second HTTP server on a non-standard port (3128, investigated below).

Investigating HTTP - port 80

Page source:

A login form with a PHP backend. Let's try for SQL injection.

First attempt, the classic payload: no go.

Second attempt: no go again.

Third attempt:

password: ' OR 1=1 --

The single quote closes the string literal, OR 1=1 makes the WHERE clause always true, and -- comments out the rest of the query. This time the server returned a SQL error message, which means the input reaches the query unescaped: the login is injectable, but something is interfering with the payload.

SQL injection evasion, in case the OR keyword is being filtered (taken from a list of evasion techniques):

username: ' *'
password: ' *'

The bypass logs us in, and the page reveals SSH credentials:

username: john
password: hereisjohn

Investigate HTTP server - port 3128

Page source:

The stylesheet for Squid error pages is referenced, and the main page identifies the service as squid/3.1.20.

Searchsploit for vulnerabilities:

nothing of immediate use.

Enter Proxychains

We need to pivot through this second web server: when we connect directly with ssh as john@192.168.56.101 the connection is closed immediately. Port 3128 is an HTTP proxy (Squid), and proxychains can tunnel the SSH TCP connection through it using an HTTP CONNECT request.

So we configure proxychains. In /etc/proxychains.conf, add the proxy at the end of the [ProxyList] section:

http 192.168.56.101 3128

Save and reattempt:

proxychains ssh john@192.168.56.101

We successfully authenticate to the SSH server but are kicked out again. Let's ask for /bin/sh as the remote command instead of the default login shell, to see whether that gives a stable session:

proxychains ssh john@192.168.56.101 '/bin/sh'

This gives a bare, non-tty shell: no prompt, no job control, but commands run as john on the box, with our traffic going through the proxy.

RCE

Looking around I discover a few other users:

They might be worth checking out, as john has very limited privileges.

Investigating login.php:

It just so happens to have the MySQL credentials hard-coded.

Login to MySQL

mysql -u root -p

username: root / password: root

show databases;

use SkyTech;
select * from login;
\q

The select prints the login table to the screen; \q exits the client.

We now have more credentials. Let's move to sara:

proxychains ssh sara@192.168.56.101 '/bin/sh'

Check what sara can do with sudo -l.

We can run cat with sudo, so we should take the shadow file.

Not that easy without a full shell... let's redirect the output to another file instead.

Getting a full tty was definitely a hard task. After a lot of research I found what was killing our connection: the account's .bashrc ends with an exit, so every interactive login sources it and is thrown out (the '/bin/sh' remote command worked because it bypasses the login shell). The bottom lines of .bashrc:

.bashrc

echo
echo  "Funds have been withdrawn"
exit

Since nano and other editors are out of the window without a tty, strip the last three lines with head. Writing straight back with head -n -3 .bashrc > .bashrc would not do: the shell truncates .bashrc before head reads it, which leaves an empty file (that also stops the exit, but wipes the rest of the file). Write to a temporary file and move it into place:

head -n -3 .bashrc > .bashrc.tmp && mv .bashrc.tmp .bashrc

That did the trick! Logging in again gives an actual prompt.
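The edit above, done the safe way, as an added example that is not part of the original post. It trims the trailing lines of a dotfile without an editor, and also runs the naive redirect-onto-itself form on a copy to show that it empties the file. The sample .bashrc is constructed here and assumes the target's file ends with the three lines shown above.

```shell
#!/bin/sh
# Added example (not the original post's commands): trimming the trailing
# lines of a dotfile without an editor, done safely.

# Drop the last N lines of FILE.  The output goes to a temp file first;
# "head ... FILE > FILE" would make the shell truncate FILE before head
# ever reads it, leaving an empty file.
strip_trailing_lines() {
    file=$1
    n=$2
    total=$(wc -l < "$file")
    keep=$((total - n))
    [ "$keep" -ge 0 ] || keep=0
    tmp="$file.tmp.$$"
    head -n "$keep" "$file" > "$tmp" && mv "$tmp" "$file"
}

# The same edit done the naive way, on a copy, to show what really happens.
# Prints the byte count of the file afterwards (0 means it was emptied).
naive_trim_size() {
    file=$1
    n=$2
    total=$(wc -l < "$file")
    keep=$((total - n))
    head -n "$keep" "$file" > "$file"
    wc -c < "$file" | tr -d ' '
}

# Constructed stand-in for the target's ~/.bashrc (assumption: the real
# file ends with the three lines the post shows).
make_sample_bashrc() {
    cat > "$1" <<'EOF'
# ~/.bashrc: executed by bash(1) for non-login shells.
alias ll='ls -l'
echo
echo  "Funds have been withdrawn"
exit
EOF
}

# Usage:
#   make_sample_bashrc /tmp/bashrc.demo
#   strip_trailing_lines /tmp/bashrc.demo 3
#   grep -c '^exit$' /tmp/bashrc.demo      # -> 0
```

The line count is taken with wc rather than GNU head's negative -n so the function also runs on non-GNU systems; the temp-and-rename step is what actually matters, since it keeps the original readable until the new content is complete.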

Well, let's cat the flag. The sudo rule evidently allows cat only on paths under /accounts (the sudo -l output is not reproduced here), but sudoers matches a wildcard argument against the literal argument string rather than the resolved path, so a .. in the argument walks out of the permitted directory:

sudo /bin/cat /accounts/../root/flag.txt

Bring me the root!
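Why the traversal above works, as an added example that is not part of the original post. It assumes a sudoers rule of the form /bin/cat /accounts/* (the post does not reproduce the sudo -l output) and contrasts the string match sudoers performs with the canonical-path check the rule's author actually wanted.

```shell
#!/bin/sh
# Added example (not the original post's commands): why
# "/accounts/../root/flag.txt" slips past a sudoers rule that only permits
# a path under /accounts.  Assumption: the rule is "/bin/cat /accounts/*".

# What sudoers does: fnmatch() on the argument string.  "*" also matches
# "/", so any string starting with "/accounts/" is accepted, dots included.
sudoers_style_match() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Lexical normalisation of an absolute path: drop "." and empty segments,
# pop the last segment on "..".  Runs in a subshell so the IFS and set -f
# changes do not leak into the caller.
normalize_path() (
    set -f
    IFS=/
    set -- $1
    out=""
    for seg in "$@"; do
        case "$seg" in
            ""|.) ;;
            ..)   out="${out%/*}" ;;
            *)    out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# What the rule's author wanted: the argument resolves under the directory.
# (Symlinks would still need realpath(1) on the target; this is the
# lexical part of the check.)
canonical_prefix_match() {
    canon=$(normalize_path "$2")
    case "$canon" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage:
#   sudoers_style_match /accounts /accounts/../root/flag.txt && echo accepted
#   canonical_prefix_match /accounts /accounts/../root/flag.txt || echo rejected
```

The practical takeaway for defenders is that a sudoers Cmnd_Spec with a wildcard argument cannot confine cat to a directory; grant a wrapper script that resolves and checks the path itself, or enumerate the exact files.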

-exec