Thursday, August 08, 2019
Vulnhub Machine SkyTower Walkthrough OSCP friendly/ No Metasploit
We have SSH filtered and a Squid HTTP proxy on port 3128; most probably SSH is reachable through the proxy. Let's check that later and look at the web server first.
We have a login page, so let's try common credentials and SQL injection.
On trying SQL injection, the server gives us an error, but it also tells us that some characters are filtered. After trying multiple characters, the string worked, so the user is test@test and the password is .
We got login credentials for the user john; let's try them over SSH.
First of all we need to reach SSH through the proxy. There are two ways:
One is to use proxytunnel.
The second is proxychains, by adding the entry shown below to /etc/proxychains.conf
Our session got terminated as soon as it connected.
This gives us a new bash shell upon connection, so the first thing to do:
This removes the condition that terminates the session immediately.
Go to /var/www, where there are MySQL database credentials, root:root.
We can also find this out by downloading the LinEnum.sh script via wget and executing it.
Log in to MySQL with:
Let's log in as sara.
We checked sara's privileges with:
We have the root credentials: root:theskytower.
Wednesday, August 07, 2019
We start with nmap and find only two ports open, SSH and HTTP.
Enumerate both services.
SSH is OpenSSH 5.9p1. Looking for an exploit for it, there is none for this specific version.
Check the HTTP service with nikto, dirb and every tool you can think of until you find a lead.
Dirb gives us /test.
From here we are kind of lost; let's find out more about the web server.
Checking HTTP methods with an NSE script.
Further checking with the OPTIONS method.
The PUT method is allowed; let's try it.
We will use a POST request to upload or create a file if the PUT method doesn't work.
Upon checking the /test URL, we find our new page star.php. Let's get a shell.
Trying multiple reverse shell methods one by one, I found the Python reverse shell working on port 8080. It failed on some ports; it seems only a few are allowed. I checked the ports by starting a web server on my machine and trying to access it with wget from the target, just to know whether that port is open for communication.
We got a shell as the user 'www-data' with this command.
Looking for privilege escalation, I tried multiple kernel exploits for the 3.11 kernel, but none worked.
Using privilege escalation checker scripts, I found a cron job running chkrootkit as root. There is a local privilege escalation exploit for chkrootkit version 0.49. We can check the version by typing the command:
The version of chkrootkit on the target is 0.49. One more condition of this exploit is that /tmp should be noexec, and the privilege escalation script told us this already. So the system meets all conditions; let's use the exploit.
As per the exploit, we need to create a file named 'update' in /tmp, put our malicious code in it, make it executable and wait for the cron job to execute it.
The code I wrote in the update file is:
What this does: since it runs as root, it changes the permissions of the sudoers file, adds an entry allowing the www-data user to run all sudo commands, and then changes the sudoers file back to the permissions it had.
After a while I checked the sudo permissions; our code had been executed and we had all sudo permissions.
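Added as a defensive counterpart to the chain above, and not part of the original walkthrough: a POSIX sh audit that looks for the same preconditions on a host (an affected chkrootkit release scheduled from root's cron, a file named update sitting in /tmp, and a sudoers file whose mode or owner has changed). It assumes that `chkrootkit -V` prints "chkrootkit version X.YY" and that GNU or busybox `stat -c` is available; these are assumptions, not details from the post.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks a host for the
# conditions the escalation above relies on. Assumptions: "chkrootkit -V"
# prints "chkrootkit version X.YY"; stat supports -c (GNU/busybox).

# Returns 0 when the version is 0.49 or older (releases before the
# /tmp/update fix), 1 otherwise.
chkrootkit_version_affected() {
    ver="$1"
    major="${ver%%.*}"
    minor="${ver#*.}"
    minor="${minor%%.*}"
    if [ "$major" -eq 0 ] && [ "$minor" -le 49 ]; then return 0; fi
    return 1
}

# Prints how many non-comment lines of the given cron text invoke chkrootkit.
count_chkrootkit_cron() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -c 'chkrootkit'
}

# Returns 0 if a file named "update" exists in the temp dir (default /tmp).
tmp_update_present() {
    if [ -e "${1:-/tmp}/update" ]; then return 0; fi
    return 1
}

# Returns 0 if the file (default /etc/sudoers) is mode 0440 and owned by
# the expected owner (default root), the state sudo itself expects.
sudoers_perms_ok() {
    mode_owner=$(stat -c '%a:%U' "${1:-/etc/sudoers}" 2>/dev/null)
    if [ "$mode_owner" = "440:${2:-root}" ]; then return 0; fi
    return 1
}

# Run every check against the live host and print findings.
audit_host() {
    ver=$(chkrootkit -V 2>/dev/null | sed -n 's/.*version \([0-9.]*\).*/\1/p')
    [ -n "$ver" ] && chkrootkit_version_affected "$ver" \
        && echo "WARN: chkrootkit $ver executes /tmp/update as root"
    cron_text=$(cat /etc/crontab /etc/cron.d/* 2>/dev/null; crontab -l -u root 2>/dev/null)
    [ "$(count_chkrootkit_cron "$cron_text")" -gt 0 ] \
        && echo "WARN: chkrootkit is scheduled from cron; review who can write to /tmp"
    tmp_update_present && echo "WARN: /tmp/update exists; inspect it before chkrootkit runs"
    sudoers_perms_ok || echo "WARN: /etc/sudoers is not 0440 root; check for tampering"
}

# Only touch the live system when invoked as: sh audit.sh --run
case "${1:-}" in --run) audit_host ;; esac
```

The functions take their input as arguments so they can be exercised against sample data before the script is pointed at a real host.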