21 hours 43 minutes
Hands-on penetration test, lab walkthrough.
So really our learning objective here is to get root, right? I didn't want to give you a lot of information. I wanted it to be kind of
your opportunity to figure out how to exploit this box. And this is not an easy box to exploit. Uh, and it really takes a lot of enumeration, figuring out what's going on here. So
I did a full port scan, I did -sV -sC,
full port scan. I see that two are open; port 22 is filtered,
80 is open, Apache. You could of course google this and see if there's any vulnerabilities for it,
as well as a squid proxy. So of course, because 80 is open, I'm going to use my web browser to go to
this page and I see it's a login page. I'll also view the source
to see if there's anything interesting, which I don't really.
And I also see
that we have Apache, PHP and the Debian operating system. So at least I know, you know, we're dealing with Linux here.
So how do I get onto this box? This might take you a long time trying to get in here. If I do test@test.com,
single quote, and anything for password,
we see that there was an error running the query and that we're dealing with MySQL. Right? So this is, uh, an error-based SQL injection. Well, it doesn't respond to our typical or 1=1.
I showed you this. You have to use the double pipes, right? Double pipes, 1=1, and the pound sign as a comment: ' || 1=1 #
I don't even think it will work with the other comments. So this is the only comment that it will work with,
and this will get you some good information.
It says welcome john@skytech.com.
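The injection above works because the login page glues the submitted email straight into its SQL text. As an added example, not code from the video or from the box, here is that concatenation next to a parameterized query, plus a small marker check a defender might log on; the table, its rows and the PHP query shape are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the box's SkyTech.login table. Names follow the
# walkthrough; the passwords are made-up placeholders, not the real ones.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (email TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?)",
                   [("john@skytech.com", "placeholder-john"),
                    ("sara@skytech.com", "placeholder-sara")])
    return db

def vulnerable_query(email, password):
    """Builds the statement the way a concatenating login.php would (assumed
    shape; returned only for inspection, never executed here). With the
    email  test@test.com' || 1=1 #  the WHERE clause becomes
    email='test@test.com' || 1=1  and MySQL treats || as OR and # as a
    comment, so the AND password=... part is discarded."""
    return f"SELECT * FROM login WHERE email='{email}' AND password='{password}'"

def safe_login(db, email, password):
    """Hardened form: placeholders ship the values separately from the SQL
    text, so a quote, || or # in the email is just data to compare. This
    holds whatever comment or operator syntax the DBMS has, which is why
    keyword filtering (OR, --, ...) is not a fix on its own."""
    row = db.execute("SELECT email FROM login WHERE email=? AND password=?",
                     (email, password)).fetchone()
    return row[0] if row else None

# Tokens that should never appear in an e-mail field; worth an alert or log
# entry on the app side, but a detection aid, not a substitute for safe_login.
SQLI_MARKERS = re.compile(r"'|\|\||#|--|/\*")

def looks_like_injection(value):
    return bool(SQLI_MARKERS.search(value))
```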
So unfortunately you only have two here, but we have a username and password for SSH. Well, how do we get on SSH? Well, we know
that we're dealing with a squid proxy, right,
sort of a squid proxy. HTTP squid proxy here. So we need to configure our /etc/hosts file.
So nano /etc, um, sorry, proxychains.
If we edit this file,
at the end we could do http 192.168.1.90 on port 3128: http 192.168.1.90 3128. And what this will do is it should allow us to use proxychains to do things like enumerate. So
if you want to use nmap, you have to be very, very careful with proxychains.
So in order to use nmap with proxychains, you have to use -sT
-Pn. And you'll notice if we run this,
port 22 is open, so we can now use port
22. You can use proxychains to SSH in,
and we have john's information. Not Sarah's, not yet.
So if I log in as john, and I've told you this before with the -t sh, but if I don't do that,
hereisjohn,
you'll notice it just logs me out right off the bat.
So if I specify my shell as -t sh,
hereisjohn,
you'll notice I do get my prompt here.
So I should be john;
we're at /home/john, but let's take a look at the web directory.
Of course I'd consider this a bad shell because we can't really see a lot.
So if I cat login.php,
I can see
the database: localhost, root, root, SkyTech.
So root, root: username, password. SkyTech.
So I can log into MySQL now,
user is root, password is root,
and now we're in the database. So show databases,
and we saw from that login script it was using SkyTech. So we can use SkyTech,
case sensitive, right?
select * from login.
And now we have the disgruntled employee Sarah
that hates her job, and we have William.
So, if I'm thinking who's going to have more juicy information? Maybe, maybe it's Sarah. So let's, let's try to log in now as Sarah, now that we have her credentials.
So let's log in now as Sarah.
I hate my job.
I'm sorry, I hate this job.
At least she's specific, right?
So, now what do we have? We are at /home/sarah. Let's do sudo -l, I told you I like to do that,
and we can see that Sarah can run
cat and ls, which is great. So if I sudo,
let me just do this,
dot dot, or .. goes back.
So let's see where accounts is.
So I'll go here,
we see where it is, in the root.
So if I do ls
../etc,
it will show me /etc, right?
Or if I wanted to ls /accounts/../etc/passwd.
Well, it tells me that that file... let's see, let's see if we get more information,
../etc/passwd.
Okay, can we cat that?
I hope you see what I'm doing here, that I can go back a directory.
So there you go. So now I can use sudo, right, in a directory I can normally not get to.
So we still have a flag there and I can also cat this: sudo cat
flag.txt.
Oh, I forgot, it's in root:
../root/
flag.txt.
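The .. trick works because sudo matched the argument as a glob pattern, not as a directory boundary. As an added example, not from the video or the box, here is a check that flags wildcard arguments in sudoers-style rules, and the containment test a wrapper script should make instead; the sample rules, including the /accounts/* shape for Sarah, are constructed assumptions, since the walkthrough only says she can sudo cat and ls.

```python
import os
import re

# Constructed sudoers lines; the exact rule shape on the box is an assumption.
SUDOERS_SAMPLE = """\
sarah ALL=(ALL) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
backup ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""

# user  host=(runas)  [TAG:]  command list
RULE_RE = re.compile(r"^(\S+)\s+\S+=\(.*?\)\s*(?:\w+:\s*)?(.*)$")

def wildcard_paths(sudoers_text):
    """Return (user, command) pairs whose arguments contain a '*'. sudo matches
    such an argument as a pattern, so /accounts/../etc/passwd satisfies
    /accounts/* while reading a file anywhere on the filesystem. The fix is
    to drop the glob and point the rule at a wrapper that validates paths."""
    findings = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if "*" in cmd:
                findings.append((user, cmd))
    return findings

def inside_base(base, requested):
    """The check that wrapper should make before touching a file: normalise
    the path (collapsing every ..) and require it to stay under base."""
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, requested))
    return target == base or target.startswith(base + os.sep)
```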
And now it says the root password is theskytower. So here we go. Let's get out of here.
Let's go to root.
We shouldn't really have to specify this,
theskytower,
and now you can see I'm root.
So we're in the root user.
So that is how you go from, uh,
enumerating with nmap, finding that we have a squid proxy, and we also have a login. You can try, um, sqlmap. I didn't... sqlmap wouldn't work for me on this, and that's one of the reasons why I picked this: sqlmap wouldn't work on this web form, and it was a really, really tricky, uh,
syntax that you had to use here for a SQL injection.
So I wanted you to think outside the box, um, on SQL injection. Of course, it gave you that
when you did the, did the single quote.
Um, and also it kind of tripped you up when you SSH'd in and it logged you off; you have to think around that as well. So the reason why I like this box was it really made you, I think, think outside the box. You have to do a lot of different configurations if you did this without, like, looking at the walkthroughs and the guides online.
I mean, kudos to you if you figured out that it was SkyTower.
There are plenty of walkthroughs and guides for this, and I recommend that you read those as well. But I think this one really made me think outside the box on how all these different configurations and flags worked to ultimately get on the box
and get root.