Skip to main content

SkyTower CTF Walkthrough

VM Author Description

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.
You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.

Author: Telspace Systems

Download: VulnHub

Let's Start


22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.13
Network Distance: 1 hop

After an aggressive scanning with nmap we found the following services.
ssh , http, http-proxy.

The ssh port was filtered so we had access only to http , and the proxy.
Let's start with http.

After using nikto and dirb against the target we didn't find anything interesting.

Let's visit the site:

The email parameter was vulnerable to SQL injection.

As we see from the response the sql filters the 'OR'
This can by bypassed very easily with '||'

With the following payload email=' || email LIKE '%';#
We are able to bypass the authentication and we are presented with the following screen.

When the user logs in, it's presented with the clear username and password and says to login to ssh but the port is filtered.
But lets try to enumerate all the users in the web app.
Let's start a  burp intruder instance to brute-force and enumerate all the valid e-mail,usernames and passwords from the web application.

So we have an email that starts with j another with s and one with w.
Now logging in as each email we gained the following data.

Payload used : email=' || email LIKE 'j%';#
Username: john
Password: hereisjohn

Payload used : email=' || email LIKE 'w%';#
Username: william
Password: senseable

Payload used : email=' || email LIKE 's%';#
Username: sara
Password: ihatethisjob

So after we got the SSH usernames and password we will try to login and elevate our privileges.

The problem is that the SSH port is filtered.

But with the port scan we found a proxy and using proxychains we will forward the connection through the proxy and access the ssh.

We added the following line to the /etc/proxychains.conf

Now let's try to connect

We can't login with user william.
Logging in with sara and john auto closes the connection.
so we try to execute a command at the moment the ssh connects.

Now we have a shell.

After doing enumeration on the behalf of the user john
we didn't find anything interesting so time to switch accounts.

We could not login with william, so only sara is left.
After logging in as sara it looks like sara can run commands with sudo.

As we can see sara can run the following commands with sudo
cat and ls and the directory must be /accounts/*

Now lets ssh with the root account

Have Fun


Popular posts from this blog

WordSteal - Stealing Windows Credentials through crafted document

On every external pen-test I do after information gathering  and enumeration phase I prepare some spear-phishing campaigns. My favorite method is using Word Macros because most of the companies use a windows environment and the Microsoft Office pack is used widely.

During a pen-test on of the problems that I faced was the mail gateway was rejecting every email that contained macro. Even if it was encoded,obfuscated, encrypted even empty the email gateway rejected our emails. 
Since I hadn't some l33t 0day for all the version of Microsoft Word ( company used different versions) ,  I had to find a different way to spear-phish the employees.

Then I remembered a post about a Word Exploit generator which used an unusual way to track how many times the document was opened. Microsoft Word had an undocumented function that can load a remote picture. The malware creators used http to map the users who opened the files.

Then I thought why not trying the  'file://' handler.
If you want to…

Exploiting EasyCafe Server <= 2.2.14 Remote File Read

All the information described here should not be used for malicious purposes. The author of the post does not keep responsibility for any illegal action you  do. This posts are written only for education purposes and understanding of vulnerabilities to prevent similar vulnerabilities in the future.If you do not agree  please leave this site 

I decided to do an audit to a software that is used widely among internet cafes here in Albania.
The software is called EasyCafe and the software website  states that is "The best Internet Cafe Management Software". First let me explain how this software works.