When your VM is ready you will find a few open ports:
Checking the login page:
...you will find a 'hint' ;]
Great, seems like we should use sqlmap here?
So...
Looks like 'no':
Ok, let's check what else is accessible on the webpage:
Checking /background/:
Hm... some stego? ;S
Hm... no? ;]
Let's go back then to our 'SQLi bug'. I tried a few different 'methods' as well as so-called payloads...
...then I realized that the key will be '*':
Response:
...and 'show response in browser':
Cool. Looks like we have a new password now.
I decided to check the password with proxychains (configured like this:
Checking...
[;
Ok just checking. ;]
Next: let's try to get password(s) of the other user(s):
Response:
For the next one we will use a similar scenario:
After some quick review of the webapp we will find that:
So yeah, cool. Checking then:
More:
Great, clear-text passwords! ;]
Now to use ssh, try to change the content(s) of .bashrc and add to the end of the file something like the line presented below:
Try to log in via SSH now:
We will use the same trick to poison sara's account (.bashrc):
Now, sara can use sudo. It looks like this:
As you can see we can use it to escalate to root :]
And this is how I meet...
Verifying:
This was a pretty cool CTF :]
Big thanks go to Telspace, the author, as well as to VulnHub for sharing this nice VM!
In case of any questions/comments/feedback - you know how to find me.
Cheers