ctf-writeups

Here I publish my ctf writeups


Skytower is an old boot2root machine from VulnHub and is considered an easy machine.

This is my methodology:

1- Enumeration

2- Exploitation

3- Post Exploitation

Enumeration

We begin with an nmap scan to see the open ports and the services running on them.

[Screenshot: nmap scan]

-sC: for default scripts

-sV: for version

-p-: to scan all 65535 ports

-T5: to speed up the scan

22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
3128/tcp open     http-proxy Squid http proxy 3.1.20

Port 80 serves what looks like a login page.

[Screenshot: login page]

I like to view the page source (Ctrl+U) in case something is hidden there, but there was nothing interesting.

[Screenshot: page source]

Let’s look for subdirectories; I use gobuster in dir mode for this. No interesting subdirectories were found.

[Screenshot: gobuster output]

I tested for broken authentication: I typed arbitrary input to see whether the error message was verbose, but it wasn’t, and the credentials I tried all failed.

[Screenshots: authentication attempts]

Let’s try a basic SQL injection payload. A SQL error occurred, which means there is an SQL injection vulnerability.

[Screenshots: SQL injection payload and the resulting SQL error]

Exploiting Sql Injection

I tried several payloads until I found the right one that exploited the vulnerability.

[Screenshots: SQL payload and its result]

And here are the credentials for a user called john, who looks like an actual user on the box.
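The root cause of the login bypass above is user input concatenated straight into the SQL statement. The following is an added example (not code from the box or from this writeup) that reproduces the flaw against a constructed in-memory SQLite table and places it next to the parameterized form that fixes it; the `login` table, its column names and the stored passwords are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for the box's login table (the real schema is not
# shown in the writeup); column names and rows are assumptions for the demo.
ROWS = [("john", "hereisjohn"), ("sara", "ihatethisjob")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", ROWS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors the flaw on the box: input is concatenated into the query.

    Returns the matched username, None for a failed login, or 'SQL error'
    when an injected quote breaks the statement (the error seen on the page).
    """
    query = (
        "SELECT username FROM login WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "SQL error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened form: placeholders keep the input as data, so the quote and
    the OR clause are compared literally against the password column."""
    row = conn.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A lone quote unbalances the statement: the verbose-error signal.
    print(vulnerable_login(db, "john", "'"))          # SQL error
    # The tautology turns the WHERE clause true for every row.
    print(vulnerable_login(db, "x", "' OR '1'='1"))  # john
    # Same input against the parameterized query is just a wrong password.
    print(safe_login(db, "x", "' OR '1'='1"))        # None
    print(safe_login(db, "john", "hereisjohn"))      # john
```

The parameterized version is the fix to apply to login.php; the query text never changes, so there is no quote for the attacker's input to close.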

This page says that you must log in via SSH to access the account details, and since the SSH port (22) is filtered we can’t reach the account over SSH directly.

So we will use a port-forwarding technique to connect to port 22 indirectly.

We will use the Squid proxy to create a tunnel that forwards the data received on port 1122 of the local machine to port 22 on the target machine.
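From the defender's side, a tunnel like this shows up in Squid's access.log as a CONNECT request whose destination is the proxy host itself on a non-TLS port; Squid's stock configuration denies CONNECT to ports other than 443 (`http_access deny CONNECT !SSL_ports`), so a permitted tunnel to 127.0.0.1:22 means that ACL has been loosened. The following added example (not part of the writeup) runs that check over a few log lines in Squid's native format; the log lines, addresses and timestamps are constructed for the demo.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1386180000.101    210 192.168.56.1 TCP_MISS/200 4521 GET http://192.168.56.102/login.php - HIER_DIRECT/192.168.56.102 text/html
1386180010.222  30045 192.168.56.1 TCP_TUNNEL/200 8120 CONNECT 127.0.0.1:22 - HIER_DIRECT/127.0.0.1 -
1386180020.333    980 192.168.56.1 TCP_TUNNEL/200 2201 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
1386180030.444     12 192.168.56.1 TCP_DENIED/403 3410 CONNECT 10.0.0.5:3306 - HIER_NONE/- text/html
"""

# Ports a forward proxy legitimately tunnels (the stock Squid SSL_ports ACL).
ALLOWED_TUNNEL_PORTS = {443}


def parse_line(line):
    """Split one native-format line into the fields the check needs."""
    fields = line.split()
    if len(fields) < 8:
        return None
    result, _, status = fields[3].partition("/")
    return {"client": fields[2], "result": result, "status": status,
            "method": fields[5], "url": fields[6]}


def is_internal(host):
    """True for loopback, RFC 1918 and link-local targets (or 'localhost')."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def review_connects(log_text):
    """Return CONNECT requests that point at internal hosts or non-TLS ports.

    Each finding records whether Squid actually allowed the tunnel, so an
    allowed entry means the CONNECT ACL is weaker than the default.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        port = int(port) if port.isdigit() else 0
        reasons = []
        if is_internal(host):
            reasons.append("tunnel to internal/loopback host")
        if port not in ALLOWED_TUNNEL_PORTS:
            reasons.append("non-TLS port %d" % port)
        if reasons:
            findings.append({"client": rec["client"], "target": rec["url"],
                             "allowed": rec["result"] != "TCP_DENIED",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_connects(SAMPLE_LOG):
        print(f)
```

On the sample, the tunnel to 127.0.0.1:22 is reported as allowed (the ACL gap), the tunnel to example.com:443 is ordinary proxy traffic and is not reported, and the CONNECT to 10.0.0.5:3306 is reported but marked denied, which is what a correctly restricted proxy should log.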

username: john, password: hereisjohn

[Screenshot: SSH error]

A strange string appears, “Funds have been withdrawn”, and the connection closes.

After a lot of time thinking about and searching for the error, I remembered that there is a hidden file in every user’s home directory called .bashrc.

The .bashrc file is a script that is executed when a user logs in. It contains a series of configurations for the terminal session, including coloring, completion, shell history, command aliases, and more.

So I decided to delete this file from the target machine. Fortunately, ssh can execute a command on the target without starting a login shell.

Execute the command to delete the .bashrc file, then connect with ssh.

And finally we got a shell.

[Screenshot: shell as john]

Post Exploitation

Privilege Escalation

Users on the host: john, sara, william

[Screenshot: users on the host]

Go back to the login page, which is vulnerable to SQL injection, and try to get the passwords for these accounts.

[Screenshots: credentials for sara and william]

user: sara, password: ihatethisjob

user: william, password: senseable

Type netstat -ano to list the connections and listening ports on the machine.

[Screenshot: netstat output]

The result indicates that port 3306 is open, which is MySQL. Let’s inspect login.php to find the database credentials.

[Screenshot: root database credentials in login.php]

Let’s connect to MySQL as root with those credentials.

[Screenshot: mysql login]

Show the databases, then read the columns of the login table to see the users.

[Screenshots: databases and the login table]

Let’s do what we did with john (delete .bashrc), then connect as sara.

[Screenshot: shell as sara]

See what sara can execute with the sudo command.

The sudo command lets a permitted user run commands with elevated privileges.

[Screenshot: sudo -l output for sara]

The result shows that sara can access anything in the accounts directory. You can abuse that with a dot-dot-slash attack, known as directory traversal, to read root’s flag.
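The reason the traversal works is that sudo matches command-line arguments against sudoers rules with shell-style wildcards, and `*` also matches `/`, so a `..` component passes a rule such as `/accounts/*`. The following added example (not code from the box or from the writeup) models a wildcard rule of that shape, labelled as a constructed stand-in for sara's real entry, and places the wildcard match next to the path-normalization check a hardened wrapper would use; the file paths are constructed for the demo.

```python
import fnmatch
import posixpath

# Constructed rule standing in for sara's real sudoers entry (which the
# writeup shows only as a screenshot): cat on anything under /accounts.
ALLOWED_DIR = "/accounts"
WEAK_RULE = "/bin/cat /accounts/*"


def rule_matches(rule, command):
    """sudoers-style matching: fnmatch wildcards, where '*' also matches '/'.

    That is why '/accounts/../root/flag.txt' satisfies '/accounts/*'.
    """
    return fnmatch.fnmatchcase(command, rule)


def stays_inside(path, base):
    """Hardened check: collapse '..' first, then require the result to remain
    under base. This is what a wrapper script should do instead of a wildcard."""
    resolved = posixpath.normpath(path)
    return resolved == base or resolved.startswith(base + "/")


def evaluate(command, rule=WEAK_RULE, base=ALLOWED_DIR):
    """Return (matched_by_wildcard_rule, argument_really_inside_dir)."""
    _prog, _, arg = command.partition(" ")
    return rule_matches(rule, command), stays_inside(arg, base)


if __name__ == "__main__":
    # Legitimate use: both checks agree.
    print(evaluate("/bin/cat /accounts/sara.txt"))             # (True, True)
    # Traversal: the wildcard rule accepts it, the normalized path does not.
    print(evaluate("/bin/cat /accounts/../root/flag.txt"))     # (True, False)
    # Outright out-of-scope command: both reject it.
    print(evaluate("/bin/cat /etc/shadow"))                    # (False, False)
```

The fix on the sudoers side is to avoid wildcards in command arguments (the sudoers manual warns about exactly this) and either list the permitted files explicitly or grant a small wrapper that canonicalizes the path before opening it, as `stays_inside` does.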

[Screenshot: root’s password]

user: root, password: theskytower

Type su root, enter the password, and we get a root shell.

[Screenshot: root shell]