Sunset Sunrise Walkthrough

Sunset Sunrise Walkthrough Vulnhub CTF

Hello guys, today we will face Beginner challenges. Introducing the sunset: sunrise 1 virtual machine, created by “whitecr0wz” and available on Vulnhub. Sunset Sunrise Walkthrough

Now First scanning network with netdiscover Tool

netdiscover

Port Scan with Nmap target machine using the command

nmap -A 192.168.1.197 -Pn

We see four-port are open target machine now enumerate the port 22,80,3306,8080

I am using nikto enumeration tool scan our target machine port 8080 Webservice running

nikto -url 192.168.1.197:8080

target machine Weborf Server is running I search Weborf exploit from exploit-DB and found an exploit name

weborf 0.12.2 – Directory Traversal

Now use the exploit through Burp-Suite am intercept the port 8080 requests and send to repeater the request and target machine show password

Exploitation with burp suite tool

After sending request Repeater show /etc/passwd file

and see users sunrise and weborf now enumerating the sunrise directory with changing directory

user sunrise directory enumerate

and I see user.txt file now open the file change url and find our first flag user.txt

Enumerate the user weborf and sometime later found a file weborf directory .mysql_history now open the file

And found a weborf user MySQL password I try the password ssh connection and ssh connection is connect the password

  • username: weborf
  • password: iheartrainbows44

Now connect the username and password ssh connection and successful connect ssh connection and got a weborf shell

Next step is finding root flag lets enumerate the system with user weborf

Login mysql database with weborf login

mysql -u weborf -p
  • username: weborf
  • password: iheartrainbows44

show databases command to show all database

show databases;
change database mysql;     (for change the database)
show tables;    (List all databases on the sql server)
describe user;    (To see database's field formats)
select User, Password from user;

and got all username and password but root password is encrypted

  • second username and password
  • username: sunrise
  • password: thefutureissobrightigottawearshades

Privilege Escalation

When you run any command along with sudo users can execute specific commands under other users (also root) using their own passwords instead of user’s one or without password depending upon setting in /etc/sudoers file and we see wine application is sudoers file let’s exploit wine

sudo -l

try exploit /usr/bin/wine

I am creating simple windows reverse meterpreter connection payload and download target /tmp directory and execute our payload with sudo wine and control our payload msfconsole

sudo wine connection.exe

and go a Reverse connection target machine find our last root flag

cd /root
cat root.txt

And found our final flag root.txt

sunset dusk walkthrough read here

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →