Sunday, December 9, 2018
SkyTower
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine SkyTower.
- SkyTower can be downloaded from here:
https://www.vulnhub.com/entry/skytower-1,96/
- Once SkyTower has been downloaded and imported into VirtualBox:
2 - ENUMERATION
- Discovering SkyTower's IP:
- Scanning with Nmap it seems that there are 3 available ports:
- Note that port 22 (SSH) is filtered, probably because of the HTTP proxy listening on port 3128.
3 - SQL INJECTION ATTACK
- Connecting to the web server we find a login form:
- Entering a single quote (') reveals that MySQL is running behind the form and that it is possibly vulnerable to SQL injection:
- Entering a usual SQL injection payload returns Login Failed, meaning that we are probably on the right track:
- Maybe OR is filtered? Remember that in MySQL the boolean operator OR can also be written as ||:
- The SQL injection is eventually successful:
- So, as a result of the SQLi attack, we have valid credentials for user john:
john:hereisjohn
- Let's try to take advantage of them.
4 - GETTING A REMOTE SHELL
4.1 - Proxytunnel
- To get past the HTTP proxy running on port 3128 we can use proxytunnel with these three options:
- Checking that the proxytunnel is running:
- Now, trying a remote shell with SSH: the login works, but the connection is closed immediately:
4.2 - Running commands with SSH
- However, SSH also allows running commands remotely, for instance cat /etc/passwd:
- Note the presence of these 3 users:
- Now, two different ways to achieve a remote shell would be the following:
a) Running the command /bin/sh and forcing a pseudo-terminal allocation with the -t option:
b) Using Netcat:
- Unfortunately, user john has no sudo privileges:
4.3 - Exploring the database
- Looking for the login.php file:
- Reading login.php we find interesting information:
- Using credentials root:root to connect to the database SkyTech:
- Passwords for the 3 users john, sara and william are obtained easily, just by exploring the database (they are stored in clear):
- Digging into login.php we can also find the SQL injection filter:
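The two findings above (a keyword filter that stops OR but not ||, and a login query that lets a stray quote reach the database) come down to building SQL by string concatenation. The following is an added example, not code from the write-up or from SkyTower's login.php: it reproduces the weak pattern with a small SQLite table standing in for the SkyTech database, beside the parameterised query that fixes it. The blacklist regex and the table layout are assumptions. Note that SQLite reads || as string concatenation, whereas MySQL reads it as OR, so only the OR-spelled payload is executed against the concatenated query here.

```python
import re
import sqlite3

# Constructed stand-in for the SkyTech login table. Passwords are kept in clear,
# as the write-up found them; a real application stores a password hash instead.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
conn.execute("INSERT INTO login VALUES ('john', 'hereisjohn')")

# Keyword blacklist in the spirit of the login.php filter: it blocks the word OR
# but knows nothing about the || spelling of the same operator. The exact
# pattern is an assumption; the page does not reproduce the filter.
BLACKLIST = re.compile(r"\b(or|and|union|select)\b", re.IGNORECASE)


def blacklist_rejects(value: str) -> bool:
    """True when the naive keyword filter would reject this input."""
    return BLACKLIST.search(value) is not None


def login_vulnerable(username: str, password: str):
    """Query built by string concatenation: the input becomes SQL grammar."""
    sql = (f"SELECT username FROM login WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(username: str, password: str):
    """Same query with bound parameters: the input can only ever be data."""
    sql = "SELECT username FROM login WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_leaks_error(username: str, password: str = "pw") -> bool:
    """True if the concatenated query fails with a database error: that error
    page is what told the write-up a MySQL server sat behind the form."""
    try:
        login_vulnerable(username, password)
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    bypass = "' OR '1'='1"      # classic payload, caught by the keyword filter
    bypass_alt = "' || '1'='1"  # same operator spelled with ||, passes the filter
    print("single quote causes a database error:", vulnerable_leaks_error("'"))
    print("keyword filter blocks OR payload:", blacklist_rejects(bypass))
    print("keyword filter blocks || payload:", blacklist_rejects(bypass_alt))
    print("concatenated query, OR payload ->", login_vulnerable("x", bypass))
    print("parameterised query, OR payload ->", login_hardened("x", bypass))
    print("parameterised query, single quote ->", login_hardened("'", "pw"))
    print("parameterised query, real creds ->", login_hardened("john", "hereisjohn"))
```

The parameterised version needs no keyword filter at all: the driver sends the values separately from the statement, so neither the quote nor either spelling of OR can change the query's structure, and a malformed input simply matches no row instead of producing an error page.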
5 - PRIVILEGE ESCALATION
- We are not allowed to use the sara and william user accounts:
- However, SSH-ing as sara is successful:
- Not as william:
- The good news is that sara has some sudo privileges:
- Let's see how to take advantage of them.
- First of all, sara is not allowed to read directly from root's home folder:
- However, the folders accounts and root both sit under the root directory /:
- Given sara's sudo privileges, we can use ls and cat indirectly (path traversal) through /accounts to access /root:
- Listing:
- Reading flag.txt:
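The privilege escalation works because the sudo rule matches the text of the path (everything under /accounts) while cat and ls operate on where the path actually resolves. The following is an added example, not code from the write-up or from SkyTower: a small wrapper that a sudoers rule could point at instead of bare cat, which canonicalises the requested path (resolving .. components and symlinks) and reads the file only if it really lies inside the permitted directory. The directory layout it builds under a temporary folder is constructed to mirror the accounts and root folders described above.

```python
import os
import tempfile


def resolve_within(base: str, requested: str):
    """Canonicalise `requested` relative to `base` and return the real path only
    if it lies inside `base`; return None otherwise. '..' components and
    symlinks are resolved first, so a request like /accounts/../root/flag.txt
    is refused even though its text starts with /accounts."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole path components, so /accounts2 is not treated as
    # inside /accounts (a plain startswith() check would get that wrong).
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def guarded_cat(base: str, requested: str):
    """Read a file only after the containment check: the wrapper a sudoers rule
    should invoke instead of granting cat with a wildcard path."""
    path = resolve_within(base, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_fixture():
    """Constructed directory layout mirroring the write-up: an 'accounts' tree
    the rule is meant to cover and a sibling 'root' tree it must not reach.
    Returns the path of the accounts directory."""
    tmp = tempfile.mkdtemp()
    accounts = os.path.join(tmp, "accounts")
    root = os.path.join(tmp, "root")
    os.makedirs(accounts)
    os.makedirs(root)
    with open(os.path.join(accounts, "sara.txt"), "w", encoding="utf-8") as fh:
        fh.write("sara's account notes\n")
    with open(os.path.join(root, "flag.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed flag\n")
    # A symlink inside accounts that points outside: a second way past any
    # check that only looks at the text of the path.
    os.symlink(os.path.join(root, "flag.txt"), os.path.join(accounts, "link"))
    return accounts


if __name__ == "__main__":
    accounts = build_fixture()
    requests = ["sara.txt", "../root/flag.txt", "link",
                accounts + "/../root/flag.txt"]
    for req in requests:
        print(f"{req!r} -> {guarded_cat(accounts, req)!r}")
```

Only the first request is served; the dot-dot traversal, the absolute path that merely begins with the accounts folder, and the symlink all resolve outside the permitted tree and are refused. The same containment check belongs in any web handler or service that maps user-supplied names onto files.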
- Finally we have obtained the root password.
- Let's confirm that it is correct: