SkyTower
Setup
Attacker (Kali): 192.168.146.128
VulnHub Link: https://www.vulnhub.com/entry/skytower-1,96/
VM Network: NAT
Enumeration
Host Enumeration
Use arp-scan to find the VM's IP address: sudo arp-scan -l
The box's IP: 192.168.146.136
Port Enumeration
Port enumeration with nmap: nmap -T4 -sV -sC -oN nmap.txt 192.168.146.136
Nmap scan report for 192.168.146.136
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.20
From the scan results:
22 (ssh) is filtered
80 (http) serves a website
3128 is a Squid HTTP proxy
HTTP Enumeration
Use dirsearch to perform directory enumeration:
dirsearch -u http://192.168.146.136 -x 400-599 -t 100 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Nothing special here. Check the website in the browser, starting with port 80:
It's a login page, so I could brute-force the password or test for SQLi next.
Foothold
Testing port 80 with password brute-forcing and SQLi, I found a SQLi in the login form, and it revealed an SSH username and password.
SQLi payload: a'oorr 1=1#
The user info:
Username: john
Password: hereisjohn
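The payload above only works because the login form removes the word "or" from the input once rather than rejecting it, so "oorr" collapses back to "or". The following is an added example, not code from the box or this writeup, that shows why such a keyword-stripping filter is not a defense: a login query built by string concatenation beside a parameterized one. It assumes a single-pass removal of "or" (the box's real filter is only visible in a screenshot), and because it runs on SQLite rather than the box's MySQL it ends the injected statement with "-- " (SQLite's comment marker) instead of MySQL's "#". The table and its rows are constructed sample data.

```python
import sqlite3

# Constructed in-memory table standing in for the box's login table
# (sample data; the real schema on the box is not shown in the writeup).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('john@skytech.com', 'hereisjohn')")
    conn.commit()
    return conn

def strip_keywords(value):
    # Assumed blacklist filter: one non-recursive pass that deletes 'or'.
    # Deleting the inner 'or' from 'oorr' leaves a fresh 'or' behind, so the
    # writeup's payload survives. It also mangles legitimate input such as
    # 'ford@example.com', which is a second reason blacklists are a poor fit.
    return value.replace("or", "").replace("OR", "")

def vulnerable_login(conn, email, password):
    # Filter, then concatenate: the quote in the payload still closes the
    # string literal, and '-- ' comments out the password check.
    email = strip_keywords(email)
    password = strip_keywords(password)
    query = (f"SELECT email, password FROM login "
             f"WHERE email='{email}' AND password='{password}'")
    return conn.execute(query).fetchall()

def safe_login(conn, email, password):
    # Parameterized query: the driver sends the values separately from the
    # SQL text, so a quote or comment marker in the input is just data.
    query = "SELECT email, password FROM login WHERE email=? AND password=?"
    return conn.execute(query, (email, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "a'oorr 1=1-- "          # SQLite spelling of a'oorr 1=1#
    print("after filter :", strip_keywords(payload))
    print("vulnerable   :", vulnerable_login(db, payload, "x"))   # john's row
    print("parameterized:", safe_login(db, payload, "x"))         # []
```

The parameterized version still stores the password in clear text, exactly as the box does; hashing it would be the next fix, but it is the string concatenation that makes the login bypassable.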
But as the earlier port scan showed, port 22 is filtered, so I can't open an SSH connection directly.
Oh, did I forget that there is also a proxy on port 3128? Just configure proxychains with it so that I can reach SSH port 22 through the proxy.
Add the Squid proxy (192.168.146.136:3128) to proxychains4.conf:
SSH to the target through proxychains:
It worked! Now I've got a foothold.
Privilege Escalation
Since the web page used MySQL, I looked under /var/www/ for anything useful, such as the MySQL password.
The MySQL credentials were easy to find: root:root
Authenticating to MySQL:
Listing the available databases, selecting SkyTech, listing tables and finding some clear-text passwords:
The user info I got:
john:hereisjohn
sara:ihatethisjob
william:senseable
I tried SSH with these accounts. I already had john, so I tested sara and william; sara could log in successfully (the william login failed):
Check sara's sudo -l output:
It appears that the sara user can execute the cat command against all files in the /accounts directory.
But there is a small problem: the allowed path is /accounts/*, and since that * is matched as a glob, I could use ../ to read any file on the system. This could be abused in a number of ways to achieve root-level access; I got the root password from /root/flag.txt:
Got the root access successfully.
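The sudo rule fails because sudo matches a wildcard argument as a glob against the raw argument string, and * matches "/" and ".." as well, so /accounts/../root/flag.txt satisfies /accounts/*. The following is an added example, not from the box or this writeup, that models that glob check next to the check a hardened wrapper would make: normalize the path first, then require it to stay inside the allowed directory. The sudoers pattern is reconstructed from the writeup (the box's exact line is only shown in a screenshot); the sample paths are constructed.

```python
import fnmatch
import posixpath

# Reconstructed from the writeup: sudo allowed "cat /accounts/*" for sara.
SUDO_PATTERN = "/accounts/*"
ALLOWED_DIR = "/accounts"

def sudo_glob_allows(path):
    # Models sudo's wildcard matching: a plain glob match on the argument
    # string. fnmatch's '*' matches '/' and '..', just as sudo's does, so a
    # traversal such as /accounts/../root/flag.txt passes.
    return fnmatch.fnmatchcase(path, SUDO_PATTERN)

def normalized_allows(path):
    # Hardened check for a wrapper script: collapse '..' segments first, then
    # insist the result is the allowed directory or something below it.
    # A real wrapper should also call os.path.realpath so a symlink inside
    # /accounts cannot point elsewhere; that needs the live filesystem.
    clean = posixpath.normpath(path)
    return clean == ALLOWED_DIR or clean.startswith(ALLOWED_DIR + "/")

def audit(paths):
    # Paths the sudo rule would permit but the hardened check rejects: each
    # one is a read the rule's author did not intend to grant.
    return [p for p in paths if sudo_glob_allows(p) and not normalized_allows(p)]

if __name__ == "__main__":
    # Constructed sample requests, one legitimate and two that should fail.
    requests = ["/accounts/sara.txt", "/accounts/../root/flag.txt", "/etc/shadow"]
    for p in requests:
        print(f"{p:32} sudo glob={sudo_glob_allows(p)!s:5} hardened={normalized_allows(p)}")
    print("unintended reads:", audit(requests))
```

The sudoers-level fix is to avoid wildcards in arguments altogether: list the exact files sara may read, or point the rule at a wrapper script that performs a check like normalized_allows before calling cat.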
Key Learnings From this BOX
- During SQL injection, the injection statement has to be adjusted based on the error message the page returns in order to bypass its filter.
- After obtaining the SSH password, if it's discovered that direct connection to the SSH port is not possible, it is advisable to check if there are any proxy services available for utilization.
- After gaining shell access, if there are SQL data operations on the web side, remember to navigate to the web directory and examine the configuration files to find the database information.