CTF – Skytower

During a 5 day CEH course our trainer gave us this CTF as a challenge towards the end of SQLi module. We were encouraged not to use any automated tools but just the theory we had learned so far. This was my first ever CTF and was lots of fun. Completion of this was a team effort.

My Setup

Download from https://www.vulnhub.com/entry/skytower-1,96/

My Solution

From the Kali box I found out what network I was on

Then, scan the network to find the Skytower VM’s IP (-sn is ping scan)

Scan Skytower VM to see what open ports it has. TCP80 and TCP3128 are open. TCP22 appears to be filtered. I started with 80.

Bringing up a browser gave me a login screen. As we had just finished a SQL injection module, this was a pretty big hint for our next steps.

While we did not use any tools in the class to proceed with this, Burp Suite would have made things a lot easier. A tutorial I found is at Burp Suite – Bypass Login Fields Tutorial (note this is the pro version)

Typing an apostrophe into the email text-box throws the error below. I found out the back end DB is MySQL, see some of the SQL query and know there is potential for an injection attack.

I assumed the SQL query is something like below

“SELECT * FROM user WHERE email = ‘$email’ AND pass = ‘$pass’ “;

So after some trial and error I painfully found some operators (OR, AND, –) are being blocked but eventually found a way through to a welcome page. There are more efficient ways to do this, but this is what I got to work.

email = ‘ || ‘1’=’1′ /*

password =  */ || ‘1’=’1

“SELECT * FROM user WHERE email = ‘‘ || ‘1’=’1′ /* ‘ AND pass = ‘ */ || ‘1’=’1‘ “;

If you’re new to SQL check out  w3schools.

Now that I had some SSH credentials I was off to claim my $2 retirement fund. I eagerly fired up a ssh prompt, only to be shut down. Trying to SSH in just kept timing out as this was filtered.

A hint was given to the class to checkout the proxytunnel command and the open squid port 3128. After a few cups of coffee we came up with the below solution.

proxytunnel -p 192.168.56.101:3128 -d 127.0.0.1:22 -a 6969 My understanding of this is the localhost is setup as the destination  (-d) using port 22. This listens on port 6969 (-a) and sends to the squid proxy at 192.168.56.101 on 3128 (-p).

(More examples of using proxytunnel here. Alternatively you could have used proxychains)

The proxytunnel will run so long as the terminal is open. So we open a new shell and try to SSH across. Note specifying the port 6969 to send via the proxytunnel.

We connect successfully but get booted off straight away – how rude. Suspect something is exiting in John’s bash script.

After a few unsuccessful attempts to get around this we try the secure copy command scp -P 6969 [email protected]:~/.bashrc /tmp. Using the existing proxytunnel on port 6969 and copy the .bashrc file from the Skytower machine back to our local tmp directory to investigate.

Navigate to the /tmp directory and open it up

Sure enough at the end of the script there is an exit command. We remove this and save.

Now modified, send this back to Johns home directory and attempt connecting again – this time with success. Alternatively we could have just renamed the bashrc file using:

ssh [email protected] -p 6969 "mv .bashrc .bashrc.bak"

Now lets have a dig around to see what John can do.  Checking /etc/passwd we find 2 other users sarah and william which we’ll come back to. There is also a mysql user which would suggest that’s the database being used.

Lets check the default Apache install directory (/var/www) for any mysql database details.

Checking the login.php file we find alot of infomation

  • mysqli credentials are “root/root” and database name is “SkyTech
  • There was some basic SQL injection protection in place *shakes fist*
  • The original SELECT query we were trying to break was very similar to what we were expecting. Also note the table “login” being used

We connect with the credentials and get a mysql prompt

We already know the database name and table of interest, but if we didn’t, go through the checks below. We now have Sara and William’s passwords.

While logged in as John, we check if he has any sudo privileges to elevate to. After some more digging, there is not much more we can do with John.

William is unable to even SSH in. Logging in via the webpage also tells us nothing new.

However logging in as Sara we find she has some sudo privileges to an accounts folder where we can run the cat and ls commands. This is good news, but there is nothing in this folder.

Doing some research I stumble upon a path traversal attack and after a few minutes (*cough* hours) display the contents of the root directory, then display the flag.

To confirm SSH back in as root

Other Alternative Solutions

Be sure to check out the other solutions below for solving Skytower