VulnHub’s SkyTower: A Walkthrough

Noel Varghese
4 min read · Dec 28, 2021


SkyTower is a Linux machine hosted by VulnHub, created by Telspace Systems. I enjoyed rooting this box and would recommend it to anyone starting in ethical hacking.

Reconnaissance

Run netdiscover to find the IP

IP- 192.168.43.133

Running an Nmap scan on the target, we get:-

We get a login page on port 80, shown below:-

Checking the page source did not give anything useful.

Enumeration

Running a dirb scan, we get:-

Doesn't seem promising.

Running a nikto scan, we get:-

/login.php seems like a false trail. We don't get anything important from the page source.

Alternative option: run sqlmap or something similar if we don't find any login credentials.

Leaving port 80, we go to port 3128. We get:-

Consulted the walkthrough from here.

When entering ' in the username field, we get:-

This means the login page is vulnerable to SQL injection, and sqlmap did not find it.

We instead use Burp Suite to intercept the login request and manipulate it.

Suggested SQL injection payloads:-

' or 1=1 #
' || 1=1
' or 1=1 -- etc.

Why? Because some keywords are filtered, such as 'or'.

Working injection- ' || 1=1# (username/email field only)
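Why a blacklist on 'or' does not make the login page safe, as an added example that is not from the walkthrough or from the box's own code: a Python script that uses sqlite3 as a stand-in for the box's MySQL (the table name, columns and rows are constructed). MySQL reads `||` as logical OR by default and `#` as a comment, which is why the page's payload works there; sqlite3 reads `||` as string concatenation and has no `#` comment, so the executed bypass below uses the page's `' or 1=1 --` form, and the `||` form is shown at the query-text level only. The parameterised query is the fix; it treats both payloads as data.

```python
import re
import sqlite3

# Constructed sample rows standing in for the box's MySQL login table.
SAMPLE_USERS = [
    ("john@example.test", "constructed-pw-1"),
    ("sara@example.test", "constructed-pw-2"),
]


def make_db():
    """In-memory sqlite3 table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login (email, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def keyword_filter_allows(value):
    """Naive blacklist of the kind the walkthrough ran into: rejects the word 'or'.
    Returns True when the input gets through unchanged."""
    return re.search(r"\bor\b", value, re.IGNORECASE) is None


def build_query_vulnerable(email, password):
    """String concatenation, as a login page vulnerable to SQL injection does it."""
    return ("SELECT email FROM login WHERE email='" + email
            + "' AND password='" + password + "'")


def login_vulnerable(conn, email, password):
    """Runs the concatenated query. Returns the matched email, or None."""
    row = conn.execute(build_query_vulnerable(email, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterised query: the values travel separately from the SQL text, so quotes,
    comment markers and operators in the input are data, never SQL."""
    row = conn.execute(
        "SELECT email FROM login WHERE email=? AND password=?", (email, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    page_payload = "' || 1=1#"       # the page's working payload (MySQL semantics)
    filtered_payload = "' or 1=1 #"  # the form the 'or' filter rejects
    print("filter blocks the 'or' form:", not keyword_filter_allows(filtered_payload))
    print("filter passes the '||' form:", keyword_filter_allows(page_payload))
    print("query text MySQL would run:", build_query_vulnerable(page_payload, "x"))
    # sqlite3 has no '#' comment and reads '||' as concatenation, so run the '--' form here
    print("vulnerable login returns:", login_vulnerable(conn, "' or 1=1 --", "x"))
    print("safe login, same input:", login_safe(conn, "' or 1=1 --", "x"))
    print("safe login, page's payload:", login_safe(conn, page_payload, "x"))
```

The filter decides on the characters of the input, while the database decides on the structure of the query it receives; as long as the input is spliced into the query text, any operator the filter did not think of reaches the parser. Parameterised queries remove that gap regardless of which keywords are blacklisted.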

After we bypass the login, via SQL Injection, we get:-

Gaining and maintaining access

Since we saw that ssh was filtered, we run an nmap -sV scan to look for additional ports. No, we did not find anything.

How to access ssh?
Step 1- Add the target IP to /etc/proxychains.conf
Step 2- Follow as given in Image 10, at the bottom of the file
Step 3- Command to be executed: proxychains nmap -sT 127.0.0.1
We find the ssh port to be open now.

Let's gain access

Command- proxychains ssh john@127.0.0.1
We tried, but the connection was repeatedly getting closed.

Why? Because of the shell configuration.

What can we do?
Pass /bin/bash as a parameter to the ssh command.

Command- proxychains ssh john@127.0.0.1 /bin/bash

It is a restricted shell: tab completion and sudo commands do not work.
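To see the pivot from the defender's side, an added example that is not from the walkthrough: a small detector run over constructed log lines written in Squid's native access.log layout (the page only says port 3128; the proxy software, its log layout and every log line here are assumed). It flags CONNECT requests to loopback or private addresses, which is what tunnelling ssh through the proxy looks like, and a client touching many distinct internal ports, which is what the proxychains nmap scan looks like.

```python
import ipaddress
from collections import defaultdict

# Constructed log lines in Squid's native access.log layout (not from the box):
# time elapsed client action/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1640700000.101     35 192.168.43.1 TCP_MISS/200 1024 GET http://192.168.43.133/ - HIER_DIRECT/192.168.43.133 text/html
1640700001.204      3 192.168.43.1 TCP_MISS/503 0 CONNECT 127.0.0.1:21 - HIER_NONE/- -
1640700001.205    120 192.168.43.1 TCP_TUNNEL/200 3952 CONNECT 127.0.0.1:22 - HIER_DIRECT/127.0.0.1 -
1640700001.206      2 192.168.43.1 TCP_MISS/503 0 CONNECT 127.0.0.1:25 - HIER_NONE/- -
1640700001.207      2 192.168.43.1 TCP_MISS/503 0 CONNECT 127.0.0.1:3306 - HIER_NONE/- -
1640700002.300     80 192.168.43.1 TCP_TUNNEL/200 20480 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
"""

ALLOWED_CONNECT_PORTS = {443}  # a forward proxy normally only needs CONNECT for TLS
SCAN_THRESHOLD = 3             # distinct internal ports from one client before calling it a scan


def parse_line(line):
    """Pick the fields the rules need; returns None for lines that do not fit the layout."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3], "method": f[5], "url": f[6]}


def connect_target(url):
    """A CONNECT target is host:port (IPv4 or hostname assumed here, not bracketed IPv6)."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_internal(host):
    """Loopback, RFC 1918 and link-local addresses; hostnames are not classified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def detect(log_text):
    """Returns a list of (rule, client, detail) findings."""
    findings = []
    internal_ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        if is_internal(host):
            # CONNECT to the proxy host's own loopback or LAN: the proxy is being used as a pivot
            findings.append(("internal-connect", rec["client"], f"{host}:{port} {rec['status']}"))
            internal_ports[rec["client"]].add(port)
        elif port not in ALLOWED_CONNECT_PORTS:
            findings.append(("nonstandard-connect", rec["client"], f"{host}:{port}"))
    for client, ports in internal_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            # many distinct internal ports from one client is a port scan through the proxy
            findings.append(("proxy-port-scan", client, f"{len(ports)} internal ports"))
    return findings


if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {client:15} {detail}")
```

The same log evidence points at the mitigation: a proxy that only needs to serve web traffic should refuse CONNECT to anything but the ports it exists for, and should never forward to its own loopback interface, where filtered services such as ssh are reachable only because the proxy is on the inside.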

Now we run

Command- find / -writable 2>/dev/null

Going over to mysqld.sock shows that it is a non-writable file. We tried escaping our shell, but to no avail.

Going over to /var/www, we get:-

Viewing index.html gives the code of the same website at http://192.168.43.133

Viewing login.php, we get our credentials.

We want to execute SQL commands, so we need a proper shell, using the following command:-

Command- /bin/sh -i

We enter the database on the machine
Command- mysql -u root -p
Password= root (when prompted)

Commands:-
show databases;
use database_name;
show tables;
select * from table_name;

From the SkyTech table, we get:-

Privilege Escalation

Logging in as sara, we view which commands user sara can execute.

Command- sudo -l

Since user sara can 'cat' and view /accounts, let us see the contents of /root

First Command- sudo ls /accounts/../root/  <- To view the contents of /root
We see flag.txt within /root

The same can be used to cat the file
Command- sudo cat /accounts/../root/flag.txt

We get the root password theskytower and log back in as root to get our flag.
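Why sudo accepts /accounts/../root/ and what check would have stopped it, as an added example that is not from the page: the sudoers rule is assumed to grant cat and ls with a wildcard argument under /accounts (the page only says sara can cat and view /accounts; the rule's exact text is not on the page). The script contrasts a textual wildcard match with a check on the normalised path, and audits a few constructed arguments with both.

```python
import fnmatch
import posixpath

ALLOWED_ROOT = "/accounts"
# Assumed shape of the sudoers command-argument wildcard that lets sara run cat and ls
# on files under /accounts; the exact rule is not on the page.
RULE_GLOB = "/accounts/*"


def glob_match_allows(arg):
    """How a textual wildcard sees the argument: '*' matches any characters, '/' and
    '..' included, so anything beginning with '/accounts/' passes."""
    return fnmatch.fnmatchcase(arg, RULE_GLOB)


def canonical_path_allows(arg, allowed_root=ALLOWED_ROOT):
    """Collapse '.' and '..' first, then require the result to stay inside allowed_root.
    (posixpath.normpath does not resolve symlinks; on a live host use os.path.realpath.)"""
    norm = posixpath.normpath(arg)
    root = allowed_root.rstrip("/")
    return norm == root or norm.startswith(root + "/")


def audit(args):
    """For each candidate argument, report what the wildcard and the canonical check decide."""
    return [(a, glob_match_allows(a), canonical_path_allows(a)) for a in args]


if __name__ == "__main__":
    # Constructed candidates; the two traversal forms are the ones the walkthrough used.
    for arg, by_glob, by_path in audit([
        "/accounts/sara.txt",
        "/accounts/../root/",
        "/accounts/../root/flag.txt",
        "/accountsX/evil",
    ]):
        print(f"{arg:30} wildcard={by_glob!s:5} canonical={by_path}")
```

A wildcard in a command argument can only say what the argument looks like, not where it ends up, so a rule of this shape cannot express "files inside /accounts". The practical fix is not to grant cat or ls with a wildcard argument at all, but to grant one fixed command, such as a script that normalises its argument the way canonical_path_allows does and refuses anything that leaves the directory.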

Reporting

Well, you have it now!

What I learned:-

  • Proxychains implementation
  • Privilege Escalation, using CLI commands

Conclusion:-

  • This is a machine of medium difficulty
  • If SQL injection is not possible using sqlmap, try it out using Burpsuite as well. It’s great to have options open

Thanks for reading this blog entry and making it till here. Until then, there must be some vulnerable boxes out there for me to pwn...


Written by Noel Varghese

Threat Researcher at CloudSEK Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese
