Skytower-1: Vulnhub Walkthrough

Russell Murad
4 min read · Feb 10, 2021

Hello Guys! It’s me, Russell Murad, working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll solve a vulnerable box called “Skytower:1”.

The official Vulnhub page says, “You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. You will most likely find that automated tools will not assist you.”

Now, download the machine from here.

I’ve configured both the Vulnhub machine and my Kali machine on a VirtualBox bridged connection.

Now, let’s begin –

1. First, we’ll use arp-scan to find the victim machine’s IP address. Command –

arp-scan -l

2. Next, we need to enumerate open ports and services, so we’ll use Nmap for that. Command –

nmap -sC -sV -A -O -p- -T4 --script http-enum 192.168.136.113

Here we’ve found two open services: port 80 (HTTP) and port 3128 (http-proxy). Port 22 (SSH) is filtered.

3. Now we’ll use a directory brute-forcing tool called “gobuster” to find directories and files. Command –

gobuster dir -u http://192.168.0.188/ -x php,txt,bak,old,zip,gz,conf,cnf,js -w /home/kali/Desktop/Big.txt -t 40

4. Now let’s open the website. It’s just a login form, and we don’t know any username or password yet. Let’s put an SQLi payload in the username and password fields for testing purposes.

' or 1=1 --

Observe carefully: there’s an SQL error, the usual sign of an SQLi vulnerability.

5. Look at the message: it says the password is “11 -”, but we entered “' or 1=1 --”.

Some filtering is going on; we can be pretty sure of that.

They’ve filtered the “'”, “or” and “--” characters out of our payload, so we have to modify the payload a little.

Let’s try this –

' || 1=1#

Worked like a charm!

We’ve successfully logged in, and the username and password are –

Username: John
Password: hereisjohn
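To show why the blacklist on this login form was not enough and what the fix looks like, here is an added example (not the box’s own login.php): a string-built query behind an assumed blacklist modelled loosely on the post’s description, beside a parameterised query that treats both payloads above as plain data. The login table and its rows are constructed in an in-memory SQLite database.

```python
"""Why a keyword blacklist fails against SQL injection, and the fix.

Added example, not the box's login.php. The table is an in-memory SQLite
database with constructed rows, and naive_filter() is an assumption that
loosely models the filtering the post describes (it strips "or" and "--").
"""
import re
import sqlite3
from typing import Optional

# Constructed sample rows (not the box's real login table). A real
# application stores password hashes, not plaintext; omitted for brevity.
SAMPLE_USERS = [
    ("alice@example.com", "correct-horse"),
    ("bob@example.com", "battery-staple"),
]


def _open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", SAMPLE_USERS)
    return conn


def naive_filter(value: str) -> str:
    """Assumed blacklist: drop the word 'or' and the '--' comment marker."""
    return re.sub(r"(?i)\bor\b|--", "", value)


def build_query_unsafe(email: str, password: str) -> str:
    """The vulnerable pattern: filtered input is still spliced into SQL.

    Returns the query text only (it is not executed here). MySQL accepts
    || and # as alternatives to OR and --, so the blacklist leaves the
    post's second payload intact inside the statement.
    """
    return (
        f"SELECT email FROM login WHERE email='{naive_filter(email)}' "
        f"AND password='{naive_filter(password)}'"
    )


def login_safe(email: str, password: str) -> Optional[str]:
    """Hardened form: a parameterised query, no blacklist needed.

    The driver binds the values, so whatever the user types is compared
    as data and can never change the statement's structure.
    """
    row = _open_db().execute(
        "SELECT email FROM login WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None
```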

6. Now let’s use those credentials to log in over SSH. We tried several times, but the port is filtered, as our Nmap scan showed. But remember that we found a Squid proxy on the target machine. With that, we can reach the SSH server by proxying the connection through the Squid server on the target.

Let’s use proxytunnel for that –

proxytunnel -p 192.168.0.188:3128 -d 127.0.0.1:22 -a 1234

7. Let’s SSH through the HTTP tunnel. But oops: after printing some messages, it closes the connection.

8. We’ve found a solution for that. Let’s pass /bin/bash as the command on the SSH connection, find the .bashrc file and delete it, then exit. After that, log in again; this time you won’t face any trouble.

9. After traversing various directories, we found a “login.php” file in the “/var/www/” directory. It contains a MySQL DB password we can use.

10. Now let’s log in to MySQL with those credentials and enumerate a little.

mysql -uroot -proot
show databases;

11. We can see that the “login” table stores emails and passwords:

john@skytech.com | hereisjohn
sara@skytech.com | ihatethisjob
william@skytech.com | senseable

12. We’ve got it! Now let’s try to log in to Sara’s SSH account with the /bin/bash parameter. As before, we’ll delete Sara’s .bashrc file.

13. Let’s check the sudo privilege list with sudo -l. It says user Sara can run cat and bin without any password. After running those against the /root directory, we’ll find our flag.

So, guys, that’s it for today.
Thank you for reading this writeup. Cheers!
