Sunday, December 9, 2018

SkyTower



- Layout for this exercise:




1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine SkyTower.

SkyTower can be downloaded from here:

https://www.vulnhub.com/entry/skytower-1,96/

- Once SkyTower has been downloaded and extracted with VirtualBox:





2 - ENUMERATION

- Discovering SkyTower's IP:





- Scanning with Nmap, it seems that there are 3 available ports:




- Note that port 22 (SSH) is filtered, probably due to the presence of the HTTP proxy at port 3128.


3 - SQL INJECTION ATTACK

- Connecting to the web server we find a login form:



- Entering ' we discover that MySQL is running and that the form is possibly vulnerable to SQL injection:







- Entering a usual SQL injection string, the answer is Login Failed, meaning that we are probably on the right track:







- Maybe OR is filtered? Remember that the boolean operator OR can also be written as ||




- The SQL injection is eventually successful:



- So, as a result of the SQLi attack we have some valid credentials for user john:

john:hereisjohn

- Let's try to take advantage of it.


4 - GETTING A REMOTE SHELL

4.1 - Proxytunnel

- To bypass the HTTP proxy running at port 3128 we can use proxytunnel with these three options:








- Checking that the proxytunnel is enabled:




- Now, trying a remote shell with SSH, the login works but the connection is closed immediately:





4.2 - Running commands with SSH

- However, SSH also allows running commands remotely, for instance cat /etc/passwd:




- By the way, note the presence of these 3 users:






- Now, two different ways to achieve a remote shell would be the following:

a) Running the command /bin/sh and forcing a pseudo-terminal allocation with the -t option:






b) Using Netcat:








- Anyway, unfortunately user john has no sudo privileges:




4.3 - Exploring the database

- Looking for the login.php file:



- Reading login.php we find interesting information:



- Using credentials root:root to connect to the database SkyTech:




- The passwords for the 3 users john, sara and william are obtained easily, just by exploring the database:




- By the way, digging into login.php we can find the SQL injection filter:





5 - PRIVILEGE ESCALATION


- We are not allowed to use the sara and william user accounts:



- However, SSH-ing as sara is successful:




- Not for william:




- The good news is that sara has some sudoer privileges:




- Let's see how to take advantage of it.

- First of all, sara is not allowed to read directly from root's home folder:




- However, the folders accounts and root both sit directly under the root directory /:




- According to sara's sudoer privileges we can use ls and cat in an indirect way (Path Traversal) through /accounts to access /root:




- Listing:




- Reading flag.txt:




- Finally we have obtained the root password.

- Let's confirm that it is right:
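
Looking back at the sudo path traversal in section 5 from the defender's side, the following is an added example, not part of the original walkthrough. It shows why a sudoers wildcard on a command argument does not confine the command to one directory, and what a canonicalising check rejects. The two rules and the file name notes.txt are constructed for illustration, since the walkthrough's actual sudoers output was only shown in a screenshot.

```python
import fnmatch
import posixpath

# Constructed sudoers-style command specs (assumed, not copied from the page).
WEAK_RULES = ["/bin/cat /accounts/*", "/bin/ls /accounts/*"]


def sudoers_wildcard_allows(rule: str, command_line: str) -> bool:
    """Approximate sudo's argument matching: the command line is compared to
    the rule as one string, and '*' also matches '/' and '..'."""
    return fnmatch.fnmatchcase(command_line, rule)


def wrapper_allows(binary: str, base_dir: str, command_line: str) -> bool:
    """Hardened check a root-owned wrapper could apply instead of a wildcard:
    exactly one argument, canonicalised, which must stay under base_dir."""
    parts = command_line.split()
    if len(parts) != 2 or parts[0] != binary:
        return False
    resolved = posixpath.normpath(parts[1])  # collapses 'x/../y' lexically
    return resolved.startswith(base_dir.rstrip("/") + "/")


def audit(rules):
    """Flag rules whose argument wildcard can be steered out of its directory."""
    findings = []
    for rule in rules:
        binary, _, arg_pattern = rule.partition(" ")
        if "*" not in arg_pattern:
            continue  # fixed arguments cannot be redirected
        base = arg_pattern.split("*", 1)[0]
        probe = f"{binary} {base}../root/flag.txt"  # traversal described above
        if sudoers_wildcard_allows(rule, probe):
            findings.append((rule, probe))
    return findings


if __name__ == "__main__":
    for rule, probe in audit(WEAK_RULES):
        print(f"RISKY  {rule!r} also permits: {probe}")
    for cmd in ("/bin/cat /accounts/notes.txt",
                "/bin/cat /accounts/../root/flag.txt"):
        ok = wrapper_allows("/bin/cat", "/accounts", cmd)
        print(f"{cmd!r:45} wrapper allows: {ok}")
```

On a live system the wrapper should resolve the argument with os.path.realpath rather than normpath, so that symlinks inside the allowed directory are followed before the prefix check.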