SkyTower VM from Vulnhub write-up

This is my write up of Vulnhub's latest VM, SkyTower. You can find this VM here.

SkyTower is a "boot2root" VM, with vulnerabilities put in on purpose. Your goal when doing this challenge is to get root, or Administrative privileges, and read the flag located at /root/flag.txt. This is my write-up on how I completed this challenge. My attack platform was Kali dist-upgraded to whatever the latest version is. I used VirtualBox. Here we go!

So, first things first, we need to find the IP of the SkyTower VM. Since I know my attack IP address is 192.168.56.101, and 192.168.56.100 isn't actually up for some reason (???) the SkyTower VM must be 192.168.56.102.

Next, we will look to see what services are running on the machine.

We found 3 open ports: 22, which is filtered, 80, and 3128, which is running some sort of proxy. Let's see what we can find on the website.

Not surprising, some sort of login screen. Simply putting a single quote in the email field gives us back an error, so now we know this is SQL injectable.

Let's try our good old 1' or '1'='1

Nope. Hmm, maybe they are filtering certain keywords.

Note: when I first began to complete this I used the string 1'||'1'<'2 since I thought that they were filtering the keywords 'OR' and '=', which turned out to be way more complicated than it needed to be. However, later on in the challenge this didn't work for other things (I'll explain later). As told to me by 'teh3ck' in #vulnhub, I used '*' to do the rest of the challenge.

Now we have a username and password for the user John! Let's try to log in with SSH like it tells us to.

Hmm, this just stays like this for a while, and never connects. Bummer. Maybe we should take a closer look at that http_proxy running on the server. Maybe SSH only accepts connections from the localhost? I installed corkscrew, and in my .ssh/config I added the lines:

    Host *
        ProxyCommand corkscrew 192.168.56.102 3128 %h %p

Then I tried logging in as john again. And it worked!

Well, sorta... It just kicked me right out! Let's try executing a command when SSH connects with
$ ssh john@192.168.56.102 -t 'connect; cat /etc/passwd'

Now we have remote code execution! /etc/passwd shows our shell as being /bin/bash (as well as two other users, we'll get to that later), so that won't work. Let's try /bin/sh instead.

We now have an interactive shell. Now, before we go any further I'd just like to say that I like bash way better than sh, so I spent a little bit of time fixing it. This isn't necessary and probably wouldn't be done in an actual pen test, but I changed john's ~/.bashrc and removed the bottom 3 lines. Again, this isn't necessary but I found it a lot easier to navigate with tab completion and using the up arrow and stuff like that. So boom, we are at a bash prompt.

Now I'll be honest with you, I spent a lot of time stuck here. Several hours of searching for SUID binaries, kernel exploits, I don't have any sudo permission, you know the whole shebang. Nothing worked. Remember earlier when I said my SQL injection command didn't work? That is because even if I put sara@skytower.com as the email and my SQL injection code, it still displayed john. I'll admit I'm not too familiar with SQL code, so I honestly can't tell you why this happened, however using the alternative '*' did work.
Using this, we are able to find Sara

and William

Since John didn't get me anywhere, let's try someone else, like Sara. Sara also had the same problems logging in, so I did the exact same thing I did to log in with John, but I won't repeat that here. So now we are logged in as Sara, and have a bash prompt. Woo-hoo! At this point, I check to see if Sara has any sudo permissions, which as it turns out, she does!

Hmm, that is interesting. I am able to execute ls and cat on everything inside of the /accounts/* directory. So of course I look to see what is inside the /accounts directory.

Hmm, it is empty. But, it said EVERYTHING within the directory. That is dangerous. '..' means the parent directory, so I can easily read /root/flag.txt.

And there we go, the root password!
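For anyone hardening a box like this, here is an added example (not code from the original write-up or from the VM) that models why a wildcard sudo rule on /accounts/* also accepts a path containing '..', and how an audit can flag it. The rule strings are assumptions reconstructed from the description above, and Python's fnmatch stands in for sudo's argument matching, where '*' also matches '/'.

```python
import fnmatch
import posixpath

# Constructed rules modelled on the write-up's description of Sara's sudo
# rights; the exact sudoers lines on the VM are an assumption.
ALLOWED = ["/bin/cat /accounts/*", "/bin/ls /accounts/*"]
BASE = "/accounts"


def wildcard_allows(command_line):
    """Model sudoers matching: the whole command line is compared as one
    string, and '*' matches any characters, including '/' and '.'."""
    return any(fnmatch.fnmatchcase(command_line, rule) for rule in ALLOWED)


def escapes_base(path, base=BASE):
    """True when the path, after '..' is resolved lexically, is outside base.
    (Lexical only: symlinks would need os.path.realpath on the real host.)"""
    norm = posixpath.normpath(path)
    return not (norm == base or norm.startswith(base + "/"))


def audit(command_line):
    """Classify a command line as 'denied', 'allowed' or
    'allowed-but-escapes' (matched by the rule, yet outside /accounts)."""
    if not wildcard_allows(command_line):
        return "denied"
    paths = [a for a in command_line.split()[1:] if a.startswith("/")]
    if any(escapes_base(p) for p in paths):
        return "allowed-but-escapes"
    return "allowed"


def risky_rule(rule):
    """Flag a rule whose argument part contains a glob character; the fix
    is to list explicit file paths instead of a wildcard."""
    _, _, args = rule.partition(" ")
    return any(ch in args for ch in "*?[")


if __name__ == "__main__":
    for line in ("/bin/cat /accounts/report.txt",          # constructed
                 "/bin/cat /accounts/../root/flag.txt",    # case from the text
                 "/bin/cat /etc/passwd"):
        print(f"{audit(line):20} {line}")
    for rule in ALLOWED:
        print("wildcard in rule:", risky_rule(rule), "-", rule)
```

Running the same audit() over sudo command logs gives a quick detection for commands that matched the rule but left the intended directory.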

I hope you enjoyed this (I definitely enjoyed it!), and I hope it helped you! This was actually my first successful boot2root that I completed with little to no help, and I will certainly be doing more of these in the future!