CTF Walkthroughs, VulnHub

VulnHub – SkyTower Walkthrough

July 20, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Linux machine that involved exploiting a SQL injection vulnerability to gain initial access, clear-text database credentials and miconfigured Sudo rules to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -oA to save the output in all formats available

The scan has revealed three open ports: 80 (HTTP) and 3128 (Squid Proxy), so the next thing to do will be to start enumerating HTTP.

Enumerating HTTP

A login page is displayed when accessing the site on port 80:

When adding a ‘ to the password field, the login page would produce an error, indicating it is probably vulnerable to SQL injection. While trying to bypass authentication, it appears that the “‘or 1=1–” does not seem to work as MySQL is not commenting the rest of the query, therefore resulting in the belowerror:

This means that some characters were probably being filtered out or escaped, as the only part of the payload that was left in the query was “’11”.

Exploiting SQL Injection

In MySQL, there are other ways other than “OR” to create an or statement (using ||) and there are other ways of commenting code other than — (using #), like in many other scripting and query languages. Therefore, the following payload will successfully bypass authentication:

' || 1=1#

This takes to a page that contains credentials for a “john” user. As it turns out those credentials belong to an actual user on the box.

Since port 22 was filtered as seen in the Nmap scan, Squid can be used to create a tunnel on the target machine that will open port 22 when port 2222 on the localhost is interacted with:

The SSH session appears to terminate as soon as it connects, this could be due to a command specified in the .bashrc file. Decided to download it using SCP to verify this, and it does appear it contains a command to display “Funds have been withdrawn” and exit from the shell:

SSH can be used with the -t command to execute commands upon connection, sent a command through it to remove .bashrc file and that allowed to finally authenticate remotely:

Privilege Escalation

When inspecting the login.php file, found some database credentials:

Authenticating into MySQL:

Listing the available databases, selecting SkyTech, listing tables and finding some clear-text passwords:

Since the “sarah” user exists on the box, trying to authenticate as Sarah through SSH. The same problem as earlier was encountered so had to remove .bashrc for this user as well:

It appears that the “sarah” user can execute the cat command against all files in the /accounts directory:

This can be abused by using ../ to instead read all files. This could be used in a number of way to potentially achieved root-level access, but inspecting the root flag will reveal the root user’s password:

After changing user to root, full access to the machine is obtained.

Conclusion

I quite like this box and since when I originally completed this challenge I was still fairly new to pentesting it was great for me at the time, it is quite real-life based and the challenges to complete aren’t too hard but still entertaining.