Today we are going to solve another boot2root challenge called "Sunset: Twilight".
It is available on VulnHub for penetration testing practice, and you can download it from here.
The credit for making this lab goes to whitecr0wz. Let's get started and learn how to successfully break it down.
Level: Intermediate
Penetration Testing Methodology
Reconnaissance
Netdiscover
Nmap
Enumeration
Gobuster
Exploiting
John The Ripper
Vulnerability file upload of PHP F1
Privilege Escalation
Abuse of write permission in /etc/passwd file
Capture the flag
Walkthrough
Reconnaissance
We look for the machine with netdiscover:
$ netdiscover -i ethX
So, let's start by running nmap against all ports with OS detection, software version detection, scripts and traceroute.
$ nmap -A -p- 192.168.10.177
Enumeration
We start Gobuster and configure it to find files with specific extensions.
We find a directory called "gallery".
When we access it, we see that it allows us to upload images. Looking for any exploit or vulnerability, we find that it is possible to upload PHP files by renaming them with the "php.pjpeg" extension.
Exploiting
We upload our shell and capture the request with Burp.
We rename the file name from "php.pjpeg" to ".php" and send the request.
Example of request:
Example of response:
We have a netcat listener on port 4444.
We request the URL http://192.168.10.177/gallery/original/shell2.php and we get a reverse shell.
Privilege Escalation (root)
We run the "linpeas.sh" script and it shows that we can read the file "shadow-".
We crack the shadow hashes with the tool "John The Ripper" and the "rockyou" dictionary.
OMG! We test the credentials against the system's root account and get an error. It couldn't be that easy!
We keep looking and find that we have write permissions on "/etc/passwd".
We modify the "passwd" file with a hash and start a web server with Python.
We download the "passwd" file, replace the original with it, and authenticate as root.
Got it! Now we can read our flag.
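The two misconfigurations used in this escalation (a readable "shadow-" backup and a writable "/etc/passwd") can be audited from the defender's side. The script below is an added example, not part of the original walkthrough or the lab: the function names and the SAMPLE entries are constructed for illustration, and the mode check only looks at the world read/write bits.

```python
import os
import stat

# Constructed sample in passwd format; the last entry is the kind of line to catch.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "audituser:$6$CONSTRUCTED$notarealhash:0:0::/root:/bin/bash",
]


def audit_passwd_lines(lines):
    """Return (line_number, finding) pairs for passwd-format lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry"))
            continue
        name, pw, uid = fields[:3]
        if uid == "0" and name != "root":
            findings.append((n, f"{name}: UID 0 account other than root"))
        if pw == "":
            findings.append((n, f"{name}: empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((n, f"{name}: password hash stored in passwd"))
    return findings


def audit_mode(path, secret=False):
    """Flag world-writable files; for shadow copies also flag world-readable."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(mode)})")
    if secret and mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable ({stat.filemode(mode)})")
    return findings


if __name__ == "__main__":
    for n, msg in audit_passwd_lines(SAMPLE):
        print(f"sample line {n}: {msg}")
    # Backup copies ("passwd-", "shadow-") need the same modes as the originals.
    for path, secret in [("/etc/passwd", False), ("/etc/passwd-", False),
                         ("/etc/shadow", True), ("/etc/shadow-", True)]:
        if os.path.exists(path):
            print("\n".join(audit_mode(path, secret)) or f"{path}: ok")
```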











