The following article is a walkthrough for Skytower Vulnerable machine. This machine is a web application Capture the flag machine. This machine is filtered and an appropriate methodology is required here.
Objectives:
Obtain the flag.txt file from /root/
So let’s dive:
Tools:
- Virtual Machine or VMware
- Kali OS
I located the skytower vulnhub’s IP address with the help of nmap.
-> nmap 192.168.0.1/24
The IP for skytower is 192.168.0.105.
–> I then again used nmap to enumerate the services of the Skytower vulnerable machine. This is the result that I received:
So looking at the result, ssh is filtered means some firewall is there. There is a web server running on port 80 and a squid proxy on 3128.
–> I browsed to 192.168.0.105 and checked out their site.
Nikto isn’t much help here.
–> I checked the source what there isn’t any. No Robots.txt file either. So, I went on manually checking for SQLInjection. It turns out, it is vulnerable to SQL Injection.
–> I have tried a lot of authentication bypass strings, but here is a twist, the OR and = seems to filter out by the application.
So I have tried the alternative for or which is ||
‘ || 1=1 didn’t got me in either.
SQLmap wouldn’t help here either.
So I have searched for some more ways to evade this authentication filter and landed on to this wonderful page: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20injection
I have tried: ‘^’ and It worked!
The information says that we have to login to john’s account with the above credentials avail the account details. So let’s try that.
–> Remember when I said the ssh is filtered. Now you see it. It’s filtered and It won’t make connection from just any machine. So, We need to find a way to login.
–> Remember when we scanned the ports and found Squid Proxy on http, that’s our main cue here.
–> So, Let’s fire up proxychain!
I changed the proxychain.conf file:
I added this line.
Let’s run it now!
The thing that happened here is that we got the fund withdrawn information only but not a shell because it is just for that purpose. To run the shell we need to write this:
Proxychains ssh john@192.168.0.105 /bin/sh –i
We’ve got the shell now:
The next thing is to check how much access do we got!
sudo -l
So I checked in /var/www, if we can find something in any php file for connections details.
The login.php shows the following result:
The credentials seems to be for the localhost mysql.
–> I typed in the command: mysql –u root –p
Show databases command will show you the databases stored in mysql. You might not see the output right away because the shell here is not a good one but \q will quit the mysql and it will push the output on the screen. The drawback is you have to login everytime.
The interesting database might be SkyTech! So we logged in again with mysql and this time we specified the database too. Show tables; is the next query I did and then I used select command to see what’s in the login table.
Time to try ssh on Sara and William!
Logged in again with the Sara’s credentials to ssh.
Let’s check how much privilege we have with this account: sudo –l
We can access /bin/cat and /accounts/ directory too on the root level!
Here I have tried a lot of ways in order to access the flag.txt at /root/flags.txt
But finally here is the line that worked.