Vulnhub - Sunset writeup
Sunset
Author: whitecr0wz
Nmap
Only two ports are open and since FTP allowed anonymous login so let’s start with that.
FTP
After logging into FTP with anonymous credentials I found a file named backup
That file contained the hashes of some of the passwords.
➜ cat backup
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
After removing the CREDENTIAL
from the file I ran the file through john without any wordlist.
I got password for 3 user
sky:sky
sunset:cheer14
space:space
and was able to login into SSH via sunset's
password.
And now we can get the user
hash.
Privilege escalation
I downloaded the enumeration script from my own system and then ran it to see if I can find anything interesting.
The enumeration script gave out nothing but I found out that user sunset
had some sudo priveleges.
We can run the ed
binary as root.
I searched the ed
binary on gtfobins and found gtfobins/ed.
I was able to get the root shell with the following commnad:
$ sudo -u root ed
!/bin/sh
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.