SKYTOWER
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSEMcqxD7KLicH_7OIpi-3V7LDdAQJpdX5ox-Jk_yXGIQ3GDSoO4MNZ4xJbj3E5HmoetT038gguTud_bzpiKcgVrU2dUB395xPFDJl2RLhTxUZ3VP_DEocFwUAi7I-YRZX5R865hrXi4nx/s640/screenshot.41.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine SkyTower.
- SkyTower can be downloaded from here:
https://www.vulnhub.com/entry/skytower-1,96/
- SkyTower downloaded and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyTXpnPFbJ1hFs0lIqipM3W_54mG5SCzGgtS6pL_4qiuEmIp2nlxdE3LJZs2jBCb7r2SoJ5nwjFNAHYmqs4N8fPglepRdn8RrUBaND4Rzab1qI6vh5tFx8XaE4r9CwRAvD0Vr9jBrxvo0V/s1600/screenshot.2.jpg)
2 - ENUMERATION
- Discovering SkyTower's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT7_4ooawBezRl29dhI0CNdP0lxI7waI6bZxtG6e1VzJn0NPu5gsbOofuTodX3sVSq52ii7pR0yOyXZXwH3F3jZnLm5t7KTbXizzyoaPx_UqWQHXsUVwLYl5a3wLEX8fydCsXu2r5tUg2g/s1600/screenshot.3.jpg)
- An Nmap scan shows three ports of interest:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihdZ_IF9RIsy9y8SV6zAW8rnvcGRvYroHwEHtih5Jy2zq6BJEkWWIvpcjDIwtePxJK3kwhwu4KKe-fff1PczJpBqlzSTFY_KKhDXczt8l8pxp_KnH3mHDi_WAiC_oHmYvYMzgkf-cglGpl/s1600/screenshot.4.jpg)
- Note that port 22 (SSH) is reported as filtered: something between us and sshd drops our probes, so we cannot reach it directly. The HTTP proxy on port 3128, however, sits on the target itself and may be able to reach port 22 from the inside; that is the route we will use later.
3 - SQL INJECTION ATTACK
- Connecting to the web server we find a login form:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimN_zHwmKvIgHYgptmaGBh5q3PuD9sbQb6MRKS6WZnEHfwXOTjZt97SpHZnCwUS2zi222rXi5eJ2jWAg3_EkdQa8afksfz27fQGo3qs55LBD4RAV-pjCxJztRD65Fyk-NF2Ycp3OetHiOZ/s1600/screenshot.6.jpg)
- Submitting a single quote (') produces a MySQL error, so the input reaches the query unescaped and the form is very probably injectable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0mhhFA-b6qfe3iGHqA5roCUKs3iJ2m-BdP7aK-PqPcbdYTENxgOSUqihlKOZlWn9UuAn93OghUctRbzwKC39YAY0Nz2cO0qxhXLOtV39z1tlL_xAmFswNZ9B8Cz35DxYmre8da0Q05bAG/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJVUElXcG4M3umMMJaQDt9iAr1wHXJa22_pVkmQjSYcDftc13EXPPcAfSUcvZEYAk-T6I5hAnfcYM_5GtvWHfA_1N6riAyzfuWyxJtAbuTiXPAnscBTCg5Eq-VX7jDsywrBwDXErm_O85s/s1600/screenshot.10.jpg)
- A standard OR-based injection only returns Login Failed, with no SQL error this time. The query still parses, which suggests the payload is being altered before it reaches MySQL rather than simply failing, so we are probably on the right track:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy0TMUh-ROd0b7qKZvKZqv4cKlPwX4Duw2W-CII2PC21eQMdn7vDYQ_cVxPBI6zRlX9RrFmtr2NMLvrDtGiqYZXjnouabC6vcqomN2WdN5VpxEoDPjNMmqNkg-8repnBJG5vgmiTVyL_GI/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJIJoD3PfSPV-Y82Hme38_dMz9PmamcIjnrW6wxMFUGiCEYSefA0LyhdMJTo901Qdqs6dTrBzUYR7glAhQpAQhR7eX7ySs6sMcHWp5-vKetccUpiLnuzwzNDHUvuWL_WKatobV4Q7Ud8we/s1600/screenshot.12.jpg)
- Perhaps the keyword OR is being filtered out. In MySQL the logical OR operator can also be written as || (unless sql_mode contains PIPES_AS_CONCAT, which turns || into string concatenation), so the same payload with || in place of the keyword should survive the filter:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNgFdXiFh75ZIrQ-oOu4FMZJpG_jN2Ed9oewSz2oGpNgEY4XsiM5-gUYLegwo1VTc9ou7-xX1XzFHqPgafnlJE45YGiVUTi02G5HWvCq1668bfXog0SJq19sa37ljf14Z0EkOma_daTsdy/s1600/screenshot.51.jpg)
- The SQL injection is eventually successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhek6zn-nE5a07VUTu312e06sLSXheGHN6CNpFjLdAe8n-iAt0KCh6BabYxKLZMkQLi6r2pxHxtOdqtmdqprA8PpYgSzG6hbAAK9Ebg3SBLsD2CjTyzVjU44gBLCfz2M6FIkJd5TRwe_gJo/s640/screenshot.14.jpg)
- The injected login succeeds and the resulting page reveals valid credentials for the user john:
john:hereisjohn
- Let's try to take advantage of it.
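Why stripping the word OR does not stop an OR-based bypass, shown as an added example that is not code from the post or from SkyTower's login.php. The BLACKLIST below is a hypothetical stand-in for the real filter (the post only establishes that OR is blocked and || is not), and the table, column names and sample rows are constructed for the demo. The vulnerable query is only assembled as text, because SQLite parses || as string concatenation while MySQL parses it as logical OR; the parameterised version runs for real and is immune to both spellings.

```python
"""Added example (not from the SkyTower post): a naive keyword blacklist,
the string-built query behind a login form, and the parameterised query
that makes the || trick irrelevant.

Assumptions, not taken from the page: BLACKLIST is a hypothetical stand-in
for the real filter; table/column names and sample rows are constructed.
"""
import sqlite3
from typing import Optional

# Hypothetical blacklist in the style of a PHP str_replace() filter.
BLACKLIST = ("OR", "or", "AND", "and")


def naive_filter(value: str) -> str:
    """Strip blacklisted substrings. Note that it also mangles legitimate
    input that merely contains the letters 'or' or 'and'."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value


def build_vulnerable_query(email: str, password: str) -> str:
    """The vulnerable pattern: filter, then splice the strings into SQL.
    Only assembled as text here. MySQL parses || as logical OR (unless
    sql_mode contains PIPES_AS_CONCAT), so "' || 1=1#" turns the WHERE
    clause into "email='' OR 1=1" and the # comments out the password
    check. SQLite treats || as concatenation, so we do not execute it."""
    return (f"SELECT email FROM login WHERE email='{naive_filter(email)}' "
            f"AND password='{naive_filter(password)}'")


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows. Plaintext storage mirrors what
    the post finds in the real database; hashing is a separate fix."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", [
        ("john@skytech.com", "hereisjohn"),
        ("victoria@skytech.com", "s3cret"),
    ])
    return conn


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """Parameterised query: the values travel separately from the SQL text,
    so neither OR nor || nor a quote can change the statement. No blacklist
    is needed and legitimate input is not mangled."""
    row = conn.execute(
        "SELECT email FROM login WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for payload in ("' OR 1=1#", "' || 1=1#"):
        print(f"{payload!r:14} -> {build_vulnerable_query(payload, 'x')}")
    conn = demo_db()
    print("legit :", safe_login(conn, "john@skytech.com", "hereisjohn"))
    print("inject:", safe_login(conn, "' || 1=1#", "x"))
```

The blacklist has a second cost besides being bypassable: naive_filter("victoria@skytech.com") becomes "victia@skytech.com", so a real user with "or" in her address can never log in. A parameterised query has neither problem.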
4 - GETTING A REMOTE SHELL
4.1 - Proxytunnel
- Port 22 is filtered from the outside, but the HTTP proxy on port 3128 can be asked (with an HTTP CONNECT request) to open the connection to sshd on our behalf. proxytunnel does exactly that; the three options used are -p (the proxy host:port), -d (the destination host:port as seen from the proxy, i.e. the SSH port of the machine the proxy runs on) and -a (the local port proxytunnel listens on):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUCk8zeJdew0cIZBUxpUe0WG_yZLHLi_0FObnPaIg0oIWrQ3t-gk4m9w936uWqZx2I1ChUUmAfs-YLKzUvFyWVK2-sXVPGuF-jekC8rQl9C_wYtgQacKD6mTUl7O55f-gwBy6FJhjjV14I/s1600/screenshot.42.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw0UZwL8oGOOXfVpoSZaUvxHbAkFihHWDJfsTft8OyUbk2iEGsIihOoSkbdcBqjnzpaqbXX1NaXuJigKlAzeg_VKBwCQM5s82HGoibTb_TqWnQdo-eYabU_WukdZS6Nkj89w852MFG5EFJ/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgJOExu1djY88NzT-1Ho6dnkvgVi192sjts6sBxH9qjuTPF40WTh1rwIvEHhGnbIElV7V2Lwdz8HCUskKeN1bGDH0iYHyWywvGGIIlRVPIohZehsWwHMd-qBp012zlt69sPRjhQSxlvVlB/s1600/screenshot.44.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCgXgyxtiOX24_0KuOQMSWGNLjl7hmQ308DuR2gA7gdzyrOuU-DpE6pBEUjww_SwJoys5Aw20x3bZAXlGMpKSsIZldhnE1okJIUCBrrmDhUc9MY6oU62nwI-rltst3OJ2_pxEuI4xzWXIf/s1600/screenshot.15.jpg)
- Checking that proxytunnel is listening on the local port:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5mDjzdhtd3NjdW_z9mDa_4HwhQGHcc9ST9NbiTBaW_dY4GieD8qtCtJJKL2_zUtDYFdo1fwXjKzeHUqnKZNlt7_j4PB_7LY-BMMLgPxmthk0wbWuVlepb8Sw_16Q7cDjtfnDOSpruJ4L6/s1600/screenshot.17.jpg)
- SSH-ing to the local port as john authenticates, but the session is closed immediately after login:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4641YQfrlO5NZ0OqnZNiHImYf9JMdIahQYCOoHSdUXlYNxm9FpWnZvQafgBcTlFt6zXcOm3AVUt0fNXKQevwoATNdQ_qR7lA47GfPFRCAi-GUtZyr4vY7yv9Z4xyxbQ70RXnYvmjBQMZE/s1600/screenshot.18.jpg)
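What proxytunnel is doing on our behalf, as an added example that is neither the post's code nor proxytunnel itself: a small HTTP CONNECT client that negotiates the tunnel with the proxy on 3128 and then pumps bytes between stdin/stdout and the tunnel, which is the contract ssh expects of a ProxyCommand. Proxy and destination addresses are command-line parameters, and the proxy replies quoted in the comments are constructed samples.

```python
"""Added example (not the post's code, not proxytunnel): the HTTP CONNECT
handshake that lets an SSH client reach a port the proxy can see but we
cannot, plus a stdin/stdout relay usable as an ssh ProxyCommand.

Assumptions: addresses come from argv; sample proxy replies are constructed.
"""
import select
import socket
import sys
from typing import Tuple


def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """CONNECT request (RFC 7231 section 4.3.6): ask the proxy to open a
    TCP connection to dest_host:dest_port and relay raw bytes both ways."""
    target = f"{dest_host}:{dest_port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            "Proxy-Connection: keep-alive\r\n"
            "\r\n").encode("ascii")


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Return (status, leftover). A 2xx status means the tunnel is up, and
    any bytes after the blank line already belong to the inner protocol
    (for SSH, the server's version banner). A non-2xx status, e.g. Squid's
    403 with an X-Squid-Error header, means the proxy's ACLs refused the
    destination."""
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), leftover


def open_tunnel(proxy: Tuple[str, int], dest: Tuple[str, int],
                timeout: float = 10.0) -> socket.socket:
    """Connect to the proxy, negotiate CONNECT and return the socket
    positioned at the first byte of the tunnelled stream."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_connect_request(*dest))
    buf = b""
    # Read one byte at a time so nothing past the header block is consumed:
    # an SSH server sends its banner immediately and we must not eat it.
    while not buf.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += byte
        if len(buf) > 16384:
            sock.close()
            raise ValueError("oversized proxy response")
    status, _ = parse_connect_response(buf)
    if status // 100 != 2:
        sock.close()
        first = buf.splitlines()[0].decode(errors="replace")
        raise PermissionError(f"proxy refused CONNECT: {first}")
    sock.settimeout(None)
    return sock


def relay(sock: socket.socket) -> None:
    """Pump bytes between stdin/stdout and the tunnel (ProxyCommand mode)."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while True:
        ready, _, _ = select.select([sock, stdin], [], [])
        if sock in ready:
            chunk = sock.recv(65536)
            if not chunk:
                return
            stdout.write(chunk)
            stdout.flush()
        if stdin in ready:
            chunk = stdin.read1(65536)
            if not chunk:
                return
            sock.sendall(chunk)


if __name__ == "__main__":
    # usage: connect_tunnel.py PROXY_HOST PROXY_PORT DEST_HOST DEST_PORT
    if len(sys.argv) != 5:
        sys.exit("usage: connect_tunnel.py PROXY_HOST PROXY_PORT DEST_HOST DEST_PORT")
    proxy_host, proxy_port, dest_host, dest_port = sys.argv[1:]
    relay(open_tunnel((proxy_host, int(proxy_port)), (dest_host, int(dest_port))))
```

Used as `ssh -o ProxyCommand='python3 connect_tunnel.py <target-ip> 3128 127.0.0.1 22' john@skytower`, this replaces the proxytunnel -p/-d pair; the destination is 127.0.0.1:22 because the proxy runs on the target and sshd is local to it. The check worth keeping in mind: Squid's stock configuration only permits CONNECT to port 443 (`http_access deny CONNECT !SSL_ports`), so a 200 to 127.0.0.1:22 tells you the proxy's ACLs have been opened up, which is the actual misconfiguration being exploited here.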
4.2 - Running commands with SSH
- However, SSH can also run a single command without an interactive login shell, and whatever closes the interactive session does not interfere with that. For instance, cat /etc/passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6HzrlvlPLVJzrbr4SfH0kiAmq0ZFVp1jYYOAXW1C2VvNs71Dkm_zgqJiiF8JNS895iNPCxnKUyBoA5MwvpPKB_cWdRo8YYJ4KlUyau8lQtDG2_J-K142ZaETsqSVAeRSt2Iv3auEpEFyA/s1600/screenshot.19.jpg)
- Note the three regular users in /etc/passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkX_SnC8VPDI5hU5VoA5qV1vXuhM68IpoxmBYbGmybNCRPvzBpnLXSt1u8hppcBqwA2aJTi2FRMxypM7ARxpSYh47R8U0V3qx391j7eel5GCKIU6d4znqIOjTr7CL62k8dlWCE2ZRfuht1/s1600/screenshot.20.jpg)
- Two different ways to turn this into a usable shell:
a) Running /bin/sh as the remote command and forcing pseudo-terminal allocation with the -t option, so we get an interactive shell without going through the normal login shell start-up:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdMsto3tMQrY6cYuy4sVgyEKgEzKAPe8MFfWbKSZTquottJ0ePsMaKCnoyT6s9cg5TAsJ9uyByJTvJUCleMi2q_nhU85XLmYey92r4abbzBOKrC9h3jnE2_UwqWIc7XaOzjZuN1ivoFdMG/s640/screenshot.45.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixlhuobpaYD-jeD-HPlEKPQnkugw0NbJq2GZJGbmCq5TmOj5SU8HE9rK_QzBa3j1z4GO1fD9bvh_B_NU5WORdbW777f36QMUa7mMCsAr6TCjC5oAoAVYpSVEHLnT9ILo23xtOMVnk6zc2_/s1600/screenshot.50.jpg)
b) Using Netcat as the remote command to hand us a shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIk0qD7i3dQYsdX8LAK5FRIEjhurqj0sGkFqgham8A7j2rGsXZ44RSbBqBOLC4oZiKA5YBgErEba7f5MZqSWaWLIjnoVedSGMydTXE32LlSloL1oIlj2O0tS3P0YOOyBKpN4dcWLM6UJj0/s1600/screenshot.46.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUVCjX1rCGoi7sO7rLc7UDN5y7xCBLBo-ocXQPY6fTrqZlhZD-ECewNV9jkyanLU8P34mtfSRBtHM9K80Gc4tchrGKscavmQDrwXMtEeUekF6GUM0iHouJPQsF9-ECGr5Vn400XxiQXfg0/s1600/screenshot.47.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLH-ond3RTxchvDdhxz4t1bIBNpiFjbikiAuWzKGS9Md7XajFla39y0K-6o4-qX-6F1AlAOjbL3y2cpabkQ6CLZYtjNmykrwKISgBUTYdiPDrAospHlmT5AOzut8ReM2HOh8kHA5x7qM34/s1600/screenshot.49.jpg)
- Unfortunately, john has no sudo rights:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2lbqcBG2UpC52uHZ8RzkILKGzHMge4ntr06iQ9dp4SeKPFXp5LhEbJO86ip-zarRpk7x2ZZXXu6A8f62zpE0gDTwCZsmGZz-DkQveEm53-yGDnkzf1pDVraQ5FPgBY6dRK4ECGfp5muoo/s1600/screenshot.29.jpg)
4.3 - Exploring the database
- Locating login.php in the web root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU_oshkFYPVxMyo0te2utlfrAhSk__KQuaCe9I-wWSZUzt-MYu7mCOhYtentnN4oI1pcOVSz6M-OUtt_Eb4jGhS4LIoj-5xYfpE6KYIbqQ7KIlUPlaVNG2u2FMwQsMab3-HhFidWGyAfGE/s1600/screenshot.22.jpg)
- login.php contains the database connection credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNVjbQr3ocwb74KhGmv46soseT-ZcSfwfgVyJVNA3U-Yc-ik5RDxYFodxRNHRFtp-7-p-vd_VHP10KwuEQg1QxN1jg-SMkorgqDQtm17E9eLWjXA3dCKvXxfyA3BkFRXhDYnhHB4Hy2NVA/s1600/screenshot.23.jpg)
- Connecting to the SkyTech database with those credentials (root:root):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8hxvDXStC0TIW3FvjYe2AgQl0mN9I7IoUpgoWVQ0hrYoJsqpsWGdG3JwJCtQXsri88tv75o0Dp7s1Rib3uXR_kbMHjckpekHVJa82CTPox_8XgFHjKunUYOuByVq3CeiNqxdHUBficfL/s1600/screenshot.24.jpg)
- The user table stores the passwords of john, sara and william in the clear, so a single SELECT yields all three:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv_wDE3mYzshldsHzBCrASvSf1J0fIU6eEA7MkysOqADKlvzfGmpkCQtisSSkqF2L9Mk8WXbDv8XFGFGBGV2jvhLPh6BvhHkGjxpZeDE2rgh8wcgTt2j_9WmdBBBXIihF9-lJz2IkwuDVy/s1600/screenshot.25.jpg)
- login.php also contains the keyword blacklist that blocked the first injection attempts and let || through:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBmsN51wcx-xq0uGjZbfW5G4i54tgqewN1OoVdPK7VknTk6HbmnY4Wn2HvPyKhffpJ0FLWzsnSVBHTYL819Ye962cDCsOAXC4psfC3ZKxn6OySZaDi0PMIxT92m_MFo7B-HhxprsxnEpo6/s1600/screenshot.52.jpg)
5 - PRIVILEGE ESCALATION
- From john's session we cannot switch to the sara or william accounts directly:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6W1ZSpANAy7zuq2FH-6Jc6xU48nL1S0JwiP8iVocB3RmjZsbrAz7VjYvH1NTxlEYv102aVOd_VgxSrE7j_vCFZXkLiNKo8c1sEwTX6k9yI7R4PnwDYcUfBaJ95DLkalVB5IL-B_dW_In0/s400/screenshot.27.jpg)
- However, logging in over SSH (through the tunnel) as sara with the password from the database works:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4nLx_7QDIIq1k_H3jYoaRXUcKAIlvbhLJPVOuiRFc_rrNxxfsy2FI_JaSOSEWLOphheOK-oDcdeIZlYljbTUoJTnh0FUxG84jxHDFaB4uic6Q2tTv8Xnu3ACpdeaApW9qB3qx_PleWWJZ/s1600/screenshot.28.jpg)
- The same does not work for william:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8iyJubMXoOKsUYqMSFN7g19j0b8rXsgReWkEdqNaRh05uOlosTuiFr2SS31W1IwbuKlTKV-fQBalOJLYHRRYxOsZC4o4g4bV4YQLHAZQwx3zTqRGg8l77AkojnzkotmzACeMVIKwMrfah/s1600/screenshot.32.jpg)
- The good news is that sara has limited sudo rights, as sudo -l shows:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxLENKGJYywaIMVkunjrlbaHMVJcSv7olwqzgnHWrqvfv2OoYPeg2JaAlwcYqvRzx0THAsd2iTxHwwc6AS-j4_nmZ9SdcMcrV4OUTsZmLaGXnIPF_PqcEl4lju1wthqbdAOQwjESXTsCcr/s1600/screenshot.31.jpg)
- Let's see how to take advantage of it.
- First of all, sara cannot read /root directly:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8RTdYFSALPmrWrDAwLgiHo0CwlJ6ZLIniWZtdLeOd9r1xSbziH6TtM4Ylv_FH58xrpqZWNOBYzhyTJF4oXiv0hJDNmjLDuFpPGJWxEy__u529NABGrCtNq029IaGkyxCLGuHYV7Xyozvx/s1600/screenshot.37.jpg)
- However, /accounts and /root are siblings directly under /:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN-R-21bAaU6fzd6F7d4zLh5VcAgP4izn-R8vHOjSOYDuw3bQ0FVGDRUpF6S6_1_6FWFGlx-hlkBYQWTkHMFXib2fDByqh7zMfLHkTYsSJOhdwT4_MpjyZEc1VnoNZl9D3udBOK-lj_8Bk/s1600/screenshot.33.jpg)
- sara's sudo rule allows ls and cat only on paths matching /accounts/*. sudo checks that pattern with glob-style matching on the argument text, where * also matches / and a .. component is just two characters, so /accounts/../root satisfies the rule while the kernel resolves it to /root (a path traversal through the allowed directory):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiqa2aXys6EzNwldhWpd7MoihvWi9boT1nDINcO1MXyhYow99HXerfLjfZtIw3zhpOr6hg_wJIEVhRZHvjMmHqGuWjxWQPgymh5jOIGS3BnDvHL87PkFFh303809TaWijVtGOU4pWioUn5/s1600/screenshot.35.jpg)
- Listing:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipCt3ucWmWbtstFm8UvXOEDlQCYShMvjXmZWIqwfNMXYrWMAmzmH6CzCvamZtr4DijZYuVJt0TY07JO_NzcUyipekonDf5Vwzpb_wehydRlPAT6sKJ2h5yOKCfhykl8LuT_xeMCxy-oSoq/s400/screenshot.38.jpg)
- Reading flag.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQIZpFrsMn-b7FuBXvw10hllkAulqdh6QNhJjjI4E-LJ9oYoRr4PJx_lHa8xfa5nPcB4fRK1NMnpZBblLJz-9uMDV4mV5DlMcB1wPMfkAk6oBTQ5IrgN5DtUKyUk_9wkh3KcWNuVmKNfGT/s1600/screenshot.39.jpg)
- flag.txt contains the root password.
- Confirming that it works:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI3VWlFiG7Pbd-9SJ8_UYhRvHwAaaJH6WRuiuukaom6QDbs6Z5j0tAiUdQXLnBjXcwFcpFDZfhD3MCduhO2ob8NqhHsSiAFDlsrm6FtkfOR4xgRJLr6g9uxpuz7dpPfdiffRZZ9zmOJs1A/s1600/screenshot.40.jpg)
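The sudo rule above fails for a reason a practitioner should be able to reproduce: sudoers matches command arguments with fnmatch(3), and for arguments (unlike the command path) a * also matches /, so the pattern never sees .. as special. The block below is an added example, not part of the post and not sudo's code; it shows the match sudo performs, what the path actually resolves to, and the lexical and symlink-aware containment checks that a wrapper script would need instead of a wildcard rule. The rule shape "/accounts/*" is taken from the post's sudo -l output; the directory tree built by build_demo_tree() is a constructed stand-in in a temporary directory, not the VM's filesystem.

```python
"""Added example (not from the post, not sudo's code): why a sudoers rule
limited to /accounts/* still reaches /root, and the containment checks a
safer wrapper would need.

Assumptions: rule shape from the post's sudo -l; demo tree is constructed.
"""
import fnmatch
import os
import tempfile


def sudo_arg_matches(pattern: str, arg: str) -> bool:
    """sudoers compares command arguments with fnmatch(3); for arguments
    '*' also matches '/', and '..' is just two characters to it. Python's
    fnmatch has the same semantics, so '/accounts/../root/flag.txt'
    satisfies '/accounts/*' exactly as it does for sudo."""
    return fnmatch.fnmatchcase(arg, pattern)


def lexical_target(arg: str) -> str:
    """What the kernel will actually open once '..' is collapsed."""
    return os.path.normpath(arg)


def stays_inside(base: str, arg: str, resolve_symlinks: bool = False) -> bool:
    """Check that arg cannot escape base. The lexical check catches '..';
    resolve_symlinks=True additionally follows links on the real filesystem,
    needed because a symlink inside base can point anywhere."""
    if not os.path.isabs(arg) or not os.path.isabs(base):
        return False
    if resolve_symlinks:
        base, target = os.path.realpath(base), os.path.realpath(arg)
    else:
        base, target = os.path.normpath(base), lexical_target(arg)
    return os.path.commonpath([base, target]) == base


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/accounts/sara/notes.txt, <tmp>/root/flag.txt
    and a symlink <tmp>/accounts/evil -> <tmp>/root. Returns <tmp>."""
    top = tempfile.mkdtemp(prefix="skytower-demo-")
    os.makedirs(os.path.join(top, "accounts", "sara"))
    os.makedirs(os.path.join(top, "root"))
    with open(os.path.join(top, "accounts", "sara", "notes.txt"), "w") as fh:
        fh.write("sara's notes\n")
    with open(os.path.join(top, "root", "flag.txt"), "w") as fh:
        fh.write("constructed flag, not the VM's\n")
    os.symlink(os.path.join(top, "root"), os.path.join(top, "accounts", "evil"))
    return top


if __name__ == "__main__":
    rule = "/accounts/*"
    for arg in ("/accounts/sara/notes.txt", "/accounts/../root/flag.txt"):
        print(f"{arg:28} sudo-matches={sudo_arg_matches(rule, arg)!s:5} "
              f"opens={lexical_target(arg):16} inside={stays_inside('/accounts', arg)}")
    top = build_demo_tree()
    accounts = os.path.join(top, "accounts")
    via_link = os.path.join(accounts, "evil", "flag.txt")
    print("symlink, lexical check :", stays_inside(accounts, via_link))
    print("symlink, realpath check:", stays_inside(accounts, via_link, resolve_symlinks=True))
```

sudo itself offers no way to canonicalise an argument before matching, which is why the sudoers manual warns that wildcards in arguments should be used with care. The fix for a rule like sara's is to drop the wildcard: enumerate the exact files, or grant a small wrapper script that performs the realpath-based containment check above before calling cat or ls.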