Sunday, July 6, 2014

[WALKTHROUGH] SkyTower 1

So, I received an update on VulnHub through my RSS feeds...

Seems like there's a new boot2root challenge named SkyTower... a challenge used at a local CTF conference, it says...

So I decided to try it out...

The vulnerable box was in vdi (VirtualBox) format, and hence I converted it into vmdk (VMware) by following the guide here...


Target IP: 192.168.117.150


Open ports: 80, 3128

Port 22, the SSH service, shows up as filtered...

I suspect this box might only allow SSH through a tunnel over the Squid proxy service...

Moving on to check out the web page...


A login page found...

Tried with some SQL injection...


This might be vulnerable to SQL injection...

However, from the error message I found that the 'OR' and '=' are missing...

Checking it out with the curl command for a better inside look...


Tested with several attempts but found nothing...

Checked out teh_h3ck's SkyTower blog post and found out that using the '*' wildcard could easily unveil everything...
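Why deleting 'OR' and '=' from the input is not a fix, shown as an added example that is not from the original post or from the SkyTower box itself. Python's sqlite3 stands in for the server code, which the page never shows; the table, columns, sample row and the exact filter are assumptions.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the login table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (email TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('amy@example.test', 'corridor=7')")
    return db

def strip_keywords(value):
    # Assumed blacklist: silently delete 'OR' and '=', as the error message suggested.
    return re.sub(r"or|=", "", value, flags=re.IGNORECASE)

def login_filtered(db, email, password):
    """'Before': filter, then concatenate. Returns (row, parser_error)."""
    sql = "SELECT email FROM login WHERE email='%s' AND password='%s'" % (
        strip_keywords(email), strip_keywords(password))
    try:
        return db.execute(sql).fetchone(), None
    except sqlite3.Error as exc:
        # The quote survived the filter, so the input still reached the SQL parser.
        return None, str(exc)

def login_parameterized(db, email, password):
    """'After': placeholders keep input as data, so no filtering is needed."""
    return db.execute(
        "SELECT email FROM login WHERE email=? AND password=?",
        (email, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1"  # constructed input containing the two filtered tokens
    print(login_filtered(db, probe, "x"))                        # parser error leaks
    print(login_filtered(db, "amy@example.test", "corridor=7"))  # valid login now fails
    print(login_parameterized(db, probe, "x"))                   # plain non-match
    print(login_parameterized(db, "amy@example.test", "corridor=7"))
```

The filtered version still hands attacker-controlled syntax to the parser and also mangles a legitimate password that happens to contain "or" or "=", while the parameterized version treats both inputs as plain data.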


Checking out again using the browser...

Credentials found: john::hereisjohn

SSH'd in as requested, but the connection ended up lost...

Trying to connect through the proxy tunnel...



Login as 'john'...

However, getting a nicer shell with the Python pty trick is not possible, as the box does not have Python installed...

Hence, I decided to edit the bashrc file to stop it from automatically kicking me out... and logged in again as 'john' in the usual way...


Scouted all over john's profile but found nothing fruitful... and 'john' is not able to run sudo commands...

Checking out available users by showing the content of /etc/passwd...

and... we got 'sara' and 'william'...

Heading over to the web page again to try logging in as 'sara' and 'william'...



Found the passwords for both 'sara' and 'william'...

Trying to log in as 'sara' first, on the ladies-first rule...



The same automatic disconnect happened with the 'sara' account...

Changed sara's bashrc file...

Logged in successfully as 'sara'...


Found a directory traversal vulnerability in sara's sudo command...


Showed the flag content, and it contains root's password...


Completed with root privileges on the box...
