SunsetDecoy
Nmap
First up, checking the root page on port 80 takes us to an index page containing a file called save.zip.
Upon downloading the file we are asked for a password to open it. Kali comes pre-installed with a John module called zip2john. We can use this to create a hash of the file which can be used for cracking with John.
We can then run John against the hash.
We soon get the password manuel. We can then extract the contents of save.zip. After doing so we extract the /etc/ folder.
Out of these files, shadow is of the most interest.
We have password hashes for the root account and the account '296640a3b825115a47b68fc44501c828'. I was unable to crack the root password with a wordlist, but was able to crack the other account as per below:
We now have the password: server
I was then able to log in to SSH with the username and password.
When attempting to run a simple command such as cat we are given the error message: -rbash: cat: command not found.
To help bypass this we can exit out of SSH and reconnect with the following command:
Once in we have a more usable shell. We can then run a Python reverse shell to create another shell connection, which should be more usable still.
Once in the new shell, export a new PATH so we have easy use of commands.
After enumerating the machine for a while I was unable to find points of escalation. I then transferred over pspy64 and let it run.
Soon after running it we get a huge number of entries for chkrootkit-0.49.
Researching on Google shows a local privilege escalation exploit affecting this version and below:
Essentially this causes chkrootkit to execute a binary at /tmp/update. We can create update as a reverse shell, and when it is executed it should give us a root shell.
Make it executable:
Then open a netcat listener on the specified port and we should land a root shell.
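From the defender's side, the chkrootkit finding above can be turned into a quick host check. This is an added example, not part of the original write-up: the function names are hypothetical, the version is assumed to be passed in as a MAJOR.MINOR string, and the demo runs against a constructed temporary directory rather than the real /tmp.

```shell
#!/bin/sh
# Added example: audit for the chkrootkit 0.49 behaviour described above,
# where a root-run scan executes whatever sits at /tmp/update.

# Return 0 if the version is 0.49 or lower ("this version and below").
# Assumes a MAJOR.MINOR string; a suffix such as the "b" in 0.58b is ignored.
chkrootkit_is_affected() {
    major=${1%%.*}
    minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*$//')
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# Return 1 and print a finding if DIR/update exists and is executable.
# DIR defaults to /tmp, the world-writable location the issue depends on.
audit_update_file() {
    f="${1:-/tmp}/update"
    [ -e "$f" ] || return 0
    if [ -x "$f" ] && [ ! -d "$f" ]; then
        owner=$(ls -ldn "$f" | awk '{print $3}')
        echo "FINDING: $f is executable (owner uid $owner)"
        return 1
    fi
    return 0
}

# Demo on constructed data: a throwaway directory standing in for /tmp.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/update"
chmod 755 "$demo_dir/update"
chkrootkit_is_affected "0.49" && echo "chkrootkit 0.49: affected, upgrade it"
audit_update_file "$demo_dir" || echo "review who created the file above"
rm -rf "$demo_dir"
```

On a real host, call audit_update_file with no argument to inspect /tmp itself, and treat an executable update file owned by a non-root uid as something to investigate before the next scheduled chkrootkit run.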