SkyTower 1 | vulnhub | Walkthrough

In this post I am going to show how to solve SkyTower 1 from vulnhub. As the description says:

"This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you."


I got the root shell in 3 steps:

1. Enumeration: found the open ports and running services.

2. Exploitation: used SQLi and database access.

3. Privilege Escalation: one user has special sudo access.


Enumeration:

(1) My target IP is 10.0.2.27, so first I ran an Nmap scan (-sV probes the open ports for service and version information, -v increases verbosity):

$ nmap -sV -v 10.0.2.27


(2) Visiting the web server, there is a login form, so I started Burp and looked at what happens when I submit it.

I found that a filter is blocking SQLi attempts.



(3) Now I copied the request into a text file and tried sqlmap.

$ sqlmap -r myRequest.txt -p email

Here -p specifies the parameter I want to test.

However, sqlmap failed to find any working injection payload.

(4) Maybe the application is filtering this: ' OR 1=1 #

So I changed it to ' || 1=1 # (in MySQL, || is the logical OR operator by default, and # starts a comment). Now it works correctly!
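The bypass in step (4) works because the form's filter is a keyword blacklist, while MySQL accepts || as a synonym for OR and treats # as a comment marker. The following Python is an added example, not code from the VM or from this post: it reproduces a blacklist of that shape, builds the query string a string-concatenating login.php would send (shown only, never executed), and then shows the real fix, a parameterised query (here against an in-memory SQLite table with constructed rows) that compares the injected text literally. The names USERS, blacklist_allows, build_unsafe_query, setup_db and safe_login are mine.

```python
import re
import sqlite3

# Constructed sample rows for the demo (mirroring the walkthrough's first user).
# A real application would store a password hash, not the plaintext.
USERS = [("john@skytech.com", "hereisjohn")]

# A naive blacklist of the kind the login form appears to use: it only
# looks for the literal keyword OR, so the equivalent || operator passes.
BLACKLIST = re.compile(r"\bOR\b", re.IGNORECASE)


def blacklist_allows(value: str) -> bool:
    """Return True if the naive keyword filter lets the value through."""
    return BLACKLIST.search(value) is None


def build_unsafe_query(email: str, password: str) -> str:
    """The SQL text a string-building login.php would send to MySQL.

    Returned as a string for inspection only; with email = "' || 1=1 #"
    everything after the # is a comment, so the WHERE clause collapses to
    email='' OR 1=1 and matches every row.
    """
    return f"SELECT * FROM login WHERE email='{email}' AND password='{password}'"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like the VM's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO login (email, password) VALUES (?, ?)", USERS)
    return conn


def safe_login(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised lookup: the driver sends the values separately from the
    SQL text, so "' || 1=1 #" is compared as a plain string against the
    email column and no filter on the input is needed at all."""
    return conn.execute(
        "SELECT id, email FROM login WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    for payload in ("' OR 1=1 #", "' || 1=1 #"):
        print(f"{payload!r}: filter allows = {blacklist_allows(payload)}")
        print("  unsafe query would be:", build_unsafe_query(payload, "x"))
    db = setup_db()
    print("parameterised, real creds :", safe_login(db, "john@skytech.com", "hereisjohn"))
    print("parameterised, injection  :", safe_login(db, "' || 1=1 #", "x"))
```

The lesson for the defender is the second half: blacklists can be extended forever (||, OR with comments or encoding, case tricks), but a parameterised query removes the whole class of bug because user input never becomes SQL syntax.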


Exploitation:

(5) Using the SQLi, I found the username John and the password hereisjohn.

(6) I found a buffer overflow vulnerability for the Squid proxy (CVE link), but it would need a custom exploit, so I thought about another way.

(7) The Nmap scan shows port 22 (ssh) as filtered. What if I use the Squid proxy to forward my connection to it? Here -p is the proxy, -d the destination as seen from the proxy, and -a the local port proxytunnel listens on:

# proxytunnel -p 10.0.2.27:3128 -d 127.0.0.1:22 -a 4444

(8) In a new terminal tab, I connected with ssh through that local port and succeeded.



(9) Something was wrong: my connection closed straight away. I tried executing bash and listing all the files, and I found a .bashrc, so I removed it to get a stable connection.


.bashrc is a shell script that runs at the start of every interactive bash session. More about .bashrc

(10) Now I can ssh in again and get a stable shell.

Privilege Escalation:

(11) I needed to enumerate more, so I decided to check the web folder. login.php reveals the MySQL connection details.

(12) I can now look at the MySQL data. The commands I used:

            $ mysql -uroot -proot

            mysql> show databases;

            mysql> use SkyTech;

            mysql> show tables;

            mysql> select * from login;

After enumerating the database, I found the emails and passwords of the other users. Awesome!

+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | john@skytech.com    | hereisjohn   |
|  2 | sara@skytech.com    | ihatethisjob |
|  3 | william@skytech.com | senseable    |
+----+---------------------+--------------+

(13) Now I tried to log in as sara, but the same .bashrc problem happened, so I removed it first and then started enumerating again.


(14) I checked which commands this user may run as root:
            $ sudo -l

It shows that sara may run /bin/cat /accounts/* and /bin/ls /accounts/* as root, so with those two commands I can list and read files.

(15) After running ls I found flag.txt there and read it.


(16) Now I can easily get the root shell.
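The sudo rule found in step (14) is the kind of thing a defender wants to catch before an attacker does: sudoers matches command arguments as a single string with glob semantics, so a trailing * is not confined to the directory it appears to name. The following Python is an added example, not part of this post or of the VM: a small sudoers audit that parses user-spec lines and flags any command whose arguments contain a wildcard. The sudoers text is constructed for the demo (the sara line mirrors the rule the walkthrough reports); the names SAMPLE_SUDOERS, parse_sudoers and wildcard_findings are mine.

```python
import re

# Constructed sudoers content for the demo. The sara rule mirrors the one the
# walkthrough found with `sudo -l`; the other lines are ordinary filler.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
sara    ALL=(root) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
backup  ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""

# user  host=(runas) [TAG:] cmd[, cmd...]   -- the basic user-spec shape
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$"
)


def parse_sudoers(text: str):
    """Return (user, runas, command) tuples for every user-spec line.

    Comments, blank lines and Defaults entries are skipped and tags such as
    NOPASSWD: are stripped so that only the command and its arguments remain.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^\s*(?:[A-Z]+:\s*)+", "", cmd.strip())
            rules.append((m.group("user"), m.group("runas"), cmd))
    return rules


def wildcard_findings(rules):
    """Flag rules whose *arguments* contain a glob character.

    sudoers matches arguments with fnmatch-style globbing across the whole
    argument string, so a pattern like /accounts/* also matches '/' and
    '..' and is not really restricted to that directory. Use a fixed list
    of files, or a wrapper script that validates its input, instead.
    """
    findings = []
    for user, runas, cmd in rules:
        if cmd == "ALL":
            continue
        args = cmd.split()[1:]
        if any(ch in arg for arg in args for ch in "*?["):
            findings.append((user, runas, cmd))
    return findings


if __name__ == "__main__":
    for user, runas, cmd in wildcard_findings(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"WARNING: {user} may run '{cmd}' as {runas}: wildcard in arguments")
```

Run it against the output of visudo -c -f or a copy of /etc/sudoers and /etc/sudoers.d/* during a configuration review; every hit should be replaced by an explicit path list or a wrapper that does its own validation.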


Thanks for reading. I hope you enjoy this CTF.
