Today we are going to solve another boot2root challenge called "Sunset: Twilight". It's available at VulnHub for penetration testing and you can download it from here.
The credit for making this lab goes to whitecr0wz. Let's get started and learn how to successfully break it down.
Level: Intermediate
Penetration Testing Methodology
Reconnaissance
Netdiscover
Nmap
Enumeration
Gobuster
Exploiting
John The Ripper
Vulnerability file upload of PHP F1
Privilege Escalation
Abuse of write permission in /etc/passwd file
Capture the flag
Walkthrough
Reconnaissance
We are looking for the machine with netdiscover
$ netdiscover -i ethX
So, let's start by running map to all ports with OS detection, software versions, scripts and traceroute.
$ nmap -A –p- 192.168.10.177
Enumeration
We start Gobuster and configure it to find files by specific extensions.
We found a directory called "gallery".
We access it, we see that it allows us to upload images. Looking for any exploit or vulnerability, we find that it is possible to upload php files by renaming it to "php.pjpeg" extension.
Exploiting
We upload our shell and capture the request with Burp. Rename file name "php.pjpeg" to ".php" an send petition.
Example of request:
Example of response:
We have a netcat in listen in the port 4444. We execute the url http://192.168.10.177/gallery/original/shell2.phpand we have an reverse shell.
Privilege Escalation (root)
We execute "linpeas.sh" script and we listed that we can read the file "shadow-".
We cracking shadow hashes with the tool "John The Ripper" and dictionary "rockyou".
OMG! We testing credentials of root system and error. It couldn't be that easy!
We're still looking and found that we have write permissions on the "/etc/passwd".
We modification the file "passwd" with hash and we raised server with python.
We download the file "passwd", we replace for the original and we authenticate as root.
Got it! Now we can read our flag.
