SkyTower CTF Walkthrough


The following article is a walkthrough of the SkyTower vulnerable machine. It is a web-application Capture the Flag machine. This machine is filtered, so an appropriate methodology is required here.

Objectives:

Obtain the flag.txt file from /root/

So let's dive in:

Tools:

  1. Virtual Machine or VMware
  2. Kali OS

I located the IP address of the SkyTower VulnHub machine with the help of nmap.

–> nmap 192.168.0.1/24

The IP for SkyTower is 192.168.0.105.

–> I then used nmap again to enumerate the services on the SkyTower machine. This is the result I received:

Looking at the result, SSH shows as filtered, which means a firewall is in the way. There is a web server running on port 80 and a Squid proxy on port 3128.

–> I browsed to 192.168.0.105 and checked out their site.

Nikto isn’t much help here.

–> I checked the page source, but there is nothing of interest there, and there is no robots.txt either. So I moved on to manually testing for SQL injection, and it turns out the application is vulnerable to it.

–> I tried a lot of authentication-bypass strings, but here is the twist: the application seems to filter out OR and =.

So I tried the alternative for OR, which is ||.

' || 1=1 didn't get me in either.

SQLmap wouldn't help here either.

So I searched for more ways to evade this authentication filter and landed on this wonderful page: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20injection

I tried '^' and it worked!

[screenshot]
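To see why a keyword blacklist like the one above is weak, here is an added Python example (not from the original post or the SkyTower VM): a hypothetical reconstruction of a filter that strips OR and = before concatenating the input into the query, next to a parameterized version that treats the same input as plain data. The exact filter logic, the login table and the sample user are all constructed assumptions.

```python
import re
import sqlite3

# Hypothetical reconstruction of the kind of blacklist this walkthrough ran into:
# the login handler strips the word "OR" and the "=" character from user input,
# then splices the result into the SQL string. The exact filter is an assumption,
# not the SkyTower VM's real code.
BLACKLIST = re.compile(r"\bor\b|=", re.IGNORECASE)


def build_query_blacklist(email: str, password: str) -> str:
    """Return the SQL text a blacklist-then-concatenate login would send to MySQL."""
    email = BLACKLIST.sub("", email)
    password = BLACKLIST.sub("", password)
    return f"SELECT * FROM login WHERE email='{email}' AND password='{password}'"


def filter_altered(payload: str) -> bool:
    """True if the blacklist changed the payload at all, i.e. it caught something.
    The classic "' OR 1=1" is mangled, but "'^'" passes through untouched: in
    MySQL '' ^ '' evaluates to 0, and 0 compares equal to any non-numeric text
    under MySQL's lax string-to-number conversion, so the WHERE clause is true."""
    return BLACKLIST.sub("", payload) != payload


def setup_db() -> sqlite3.Connection:
    """In-memory login table with one constructed user (sample values only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('user@example.test', 'correct-horse')")
    return conn


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Hardened form: placeholders bind the input as data, so quotes, ^, || or
    anything else in it never reach the SQL parser. No blacklist is needed."""
    row = conn.execute(
        "SELECT 1 FROM login WHERE email=? AND password=?", (email, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    for payload in ("' OR 1=1 -- ", "'^'"):
        print(f"{payload!r:16} caught_by_blacklist={filter_altered(payload)}")
        print("  ", build_query_blacklist(payload, payload))
    conn = setup_db()
    print("parameterized login with '^':", login_parameterized(conn, "'^'", "'^'"))
```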

The page says that we have to log in to john's account with the above credentials to get the account details. So let's try that.

–> Remember when I said SSH is filtered? Now you see it: it won't accept a connection from just any machine, so we need to find another way to log in.

–> Remember the Squid proxy we found during the port scan? That's our main cue here.

–> So, let's fire up proxychains!

I changed the proxychains.conf file:

[screenshot]

I added this line.

[screenshot]

Let's run it now!

[screenshot]

What happened here is that we only got the "funds withdrawn" message and not a shell, because the account is set up just for that purpose. To get a shell we need to run this:

proxychains ssh john@192.168.0.105 /bin/sh -i

We’ve got the shell now:

[screenshot]

The next thing is to check how much access we have:

sudo -l

[screenshot]

So I checked /var/www to see whether any PHP file holds connection details.

login.php shows the following:

[screenshot]

The credentials seem to be for the local MySQL instance.

–> I typed in the command: mysql -u root -p

[screenshot]

The "show databases;" command lists the databases stored in MySQL. You might not see the output right away because the shell here is not a proper one, but "\q" quits mysql and flushes the output to the screen. The drawback is that you have to log in every time.

[screenshot]

The interesting database might be SkyTech! So I logged in to mysql again, this time specifying the database too. "show tables;" was the next query, and then I used a select statement to see what is in the login table.

[screenshot]

Time to try SSH with Sara's and William's credentials!

I logged in again over SSH with Sara's credentials.

[screenshot]

Let's check how much privilege we have with this account: sudo -l

[screenshot]

We can use /bin/cat on the /accounts/ directory with root privileges!

Here I tried a lot of ways to read the flag.txt file in /root/.

But finally, here is the line that worked.

[screenshot]
