Wednesday, 6 July 2016

SkyTower challenge

Hello all,
This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town).

Scanning with aggressive all ports gave us
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
Quite simple. The default web page looks

Good. I tried log in using default credentials, but without success. So, I examined SQL Injection and I have got SQL Syntax Error, because OR and "=" part are filtered. So, let's try bypass the filtering.
I found very useful list of bypassing filtering

I have used the first from the list and I have got

Excellent! But we have a little problem - SSH is filtering... We know that the target serves also HTTP Proxy. Maybe we can connect to SSH through http-proxy. I configured a ProxyChain and

We are not logged in... Hmm, but we know that we can execute command over SSH, let's examine our idea

Excellent! Let's try use nc to maintain session

Yeah! We have got limited shell! I found in the /var/www/ directory login.php file which contains credentials for mysql (root:root). 

Excellent! Let's log in as sara and verify what we can do as root

Amazing! We can cat the flag.txt from root directory!


Game over!