VulnHub’s SkyTower: A Walkthrough
SkyTower is a Linux machine hosted by VulnHub, created by Telspace Systems. I enjoyed rooting this box and would recommend it to anyone starting in Ethical Hacking
netdiscover the IP
Running a Nmap scan on the target, we get:-
We get a login page at port 80 below:-
Checking the page source did not give anything useful
Running a dirb scan, we get:-
Doesn't seem promising
Running a nikto scan, we get:-
/login.php seems like a false trail. We don't get anything important from the page source.
Alternative options: Perform sqlmap or something of the sort, if we don't get any login credential information
Leaving port 80, we got to port 3128-We get:-
Consulted the walkthrough from here.
When entering ‘ on the username field, we get:-
It means that the login page is vulnerable to SQL Injection and the exploit was not found by sqlmap
We instead use Burpsuite, to intercept the login request packet and manipulate it
Suggested SQL Commands:-
‘or 1=1 #
‘or 1=1 — — etc
Why? Because some of the symbols are filtered-such as ‘or’
Rightful Injection- ‘|| 1=1# ← Username/Email field only
After we bypass the login, via SQL Injection, we get:-
Gaining and maintaining access
Since we saw that ssh was filtered, we check for -sV nmap scan to find additional ports-No we did not find anything
How to access ssh?
Step 1-Add our IP to /etc/proxychains.conf
Step-2 Follow as given in Image 10.At the bottom of the file
Step3-Command to be executed proxychains nmap -sT 127.0.0.1
We find ssh port to be open now.
Let's gain access
Command- proxychains ssh email@example.com
We tried. but the connection was repeatedly getting closed
Why? Because of shell configuration.
What can we do?
apply /bin/bash parameter to put command
Command-proxychains ssh firstname.lastname@example.org /bin/bash
It is a restrictive shell and cannot execute <tab>,sudo commands.
Now we run
Command — find / -writable 2>/dev/null
Going over to mysqld.sock shows that it is a non-writable file. We tried escaping our shell but to no avail
Going over to /var/www,we get:-
Viewing index.html gives the code of the same website at http://192.168.43.133
Viewing login.php, we get our credentials
We want to execute SQL commands, so we need to use the shell — following the command:-
Command- /bin/sh -i
We enter the database in the machine
Command-mysql -u root -p
Password=root (when prompted)
select * from table_name;
From the SkyTech table, we get:-
Logging in as sara, we view what commands are executable, by user sara.
Since the user sara can ‘cat’ and view /accounts, let us see the contents of /root
First Command-sudo ls /accounts/../root/ <-To view the contents of /root
We see flag.txt within the /root
The same can be used to cat the file
Command-sudo ls /accounts../root/flag.txt
We get our root password=theskytower and re-login back as root, to get our flag
Well, you have it now!
What I learned:-
- Proxychains implementation
- Privilege Escalation, using CLI commands
- This is a machine of medium difficulty
- If SQL injection is not possible using sqlmap, try it out using Burpsuite as well. It’s great to have options open
Thanks for reading this blog entry and making it till here. Until then, there must be some vulnerable boxes, for me to pwn out there……