Sunday, December 9, 2018



- Layout for this exercise:


The goal of this exercise is to develop a hacking process for the vulnerable machine SkyTower.

SkyTower can be downloaded from here:,96/

- Once SkyTower is downloaded and imported into VirtualBox:


- Discovering SkyTower's IP:

- Scanning with Nmap, it seems that there are 3 available ports:

- Note that port 22 (SSH) is filtered, probably because of the HTTP-PROXY on port 3128.


- Connecting to the web server we find a login form:

- Entering a single quote (') we discover that MySQL is running and that the form is possibly vulnerable to an SQL injection attack:

- Entering a usual SQL injection payload, the answer is Login Failed, meaning that we are probably on the right track:

- Maybe OR is filtered? Remember that the boolean operator OR can also be written as ||:

- The SQL injection is eventually successful:

- So, as a result of the SQLi attack we have some valid credentials for user john:


- Let's try to take advantage of it.


4.1 - Proxytunnel

- To bypass the HTTP-PROXY running on port 3128 we can use proxytunnel with these three options:

- Checking that the proxytunnel is up:

- Now, trying a remote shell with SSH: the login works, but the connection is closed right away:

4.2 - Running commands with SSH

- However, SSH also allows running commands remotely, for instance cat /etc/passwd:

- By the way, note the presence of these 3 users:

- Now, two different ways to achieve a remote shell would be the following:

a) Running the command /bin/sh and forcing a pseudo-terminal allocation with the -t option:

b) Using Netcat:

- Unfortunately, user john has no sudo privileges:

4.3 - Exploring the database

- Looking for the login.php file:

- Reading login.php we find interesting information:

- Using credentials root:root to connect to the database SkyTech:

- The passwords for the 3 users john, sara and william are obtained easily, just by exploring the database:

- By the way, digging into login.php we can find the SQL injection filter:


- We are not allowed to use the sara and william user accounts:

- However, SSH-ing as sara is successful:

- Not as william:

- The great news is that sara has some sudo privileges:

- Let's see how to take advantage of them.

- First of all, sara is not allowed to read directly from root's home folder:

- However, the folders accounts and root both sit directly under the root directory /:

- According to sara's sudo privileges, we can use ls and cat indirectly (path traversal) through /accounts to reach /root:

- Listing:

- Reading flag.txt:
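The reason the sudo rule can be abused is that it matches the command argument as a string: a wildcard such as /accounts/* also matches /accounts/../root/flag.txt, because the `*` in sudoers (like in fnmatch) matches `/` too. The following Python snippet is an added example, not part of the original walkthrough, contrasting that string match with a check that canonicalises the path before deciding; the rule /accounts/* and the sample file names are assumptions, since the page only shows the real sudoers entry in a screenshot.

```python
import fnmatch
import posixpath

# Constructed sample rule modelled on the walkthrough: sara may run
# ls/cat on anything matching /accounts/* (assumed wording of the rule).
ALLOWED_DIR = "/accounts"
ALLOWED_PATTERN = ALLOWED_DIR + "/*"


def wildcard_match(arg: str) -> bool:
    """Naive check, as a sudoers wildcard behaves: the argument is compared
    as a string, and '*' happily swallows '../' segments."""
    return fnmatch.fnmatch(arg, ALLOWED_PATTERN)


def canonical_match(arg: str) -> bool:
    """Hardened check: collapse '.' and '..' first, then require the result
    to sit strictly below the allowed directory. On a real host you would
    also resolve symlinks (os.path.realpath) before this comparison."""
    resolved = posixpath.normpath(arg)
    return resolved.startswith(ALLOWED_DIR + "/")


def classify(arg: str) -> dict:
    """Return both verdicts for one argument, for side-by-side comparison."""
    return {"path": arg,
            "wildcard_allows": wildcard_match(arg),
            "canonical_allows": canonical_match(arg)}


# Constructed sample arguments: a legitimate file, two traversal variants
# and a direct path outside /accounts.
SAMPLE_ARGS = [
    "/accounts/sara.txt",
    "/accounts/../root/flag.txt",
    "/accounts/./sub/../../root/flag.txt",
    "/root/flag.txt",
]

if __name__ == "__main__":
    for a in SAMPLE_ARGS:
        print(classify(a))
```

The equivalent fix on the server side is the one sudoers(5) itself recommends: do not grant commands with wildcards in path arguments, since `..` cannot be excluded by pattern matching alone.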

- Finally we have obtained the root password.

- Let's confirm that it is right: