Hi all, just pwned this fresh new vulnhub box. A good one to relax after a hard day, let’s pwn it!
You can find the machine here: sunset decoy
As always, let's start with nmap.
The webpage has only a save.zip file, let's download it.
Needs a password, no problem. Let’s fire up my favorite
Cracking user password - Shell access
Seems like a copy of /etc, let's focus on the shadow file since it contains the user password hashes. I saved the user's password hash in a file and I'll run john on it.
Bingo! ;) Let's log in:
Oh, we're in rbash (restricted shell), which restricts some of the system capabilities, like commands.
Here we can do a trick to bypass it with ssh:
All the commands now return command not found, we have to fix the
user -> root - exploiting chkrootkit
Now privesc is simple, we can see this SV-502 directory in home. If we follow it we can see a log.txt that provides some really useful information:
2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
The system runs a vulnerable version of chkrootkit, let's search for possible exploits.
An update file under /tmp will be executed as root. We can simply change the root password!
Perfect! ;) Let’s read the flag:
Fun box! :)
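
From the defender's side, the log.txt entry above is the kind of line worth alerting on. The following is an added example, not part of the original post: it parses process-log lines in that format and flags root activity involving chkrootkit 0.49 or programs run from world-writable directories. Every SAMPLE line except the first is constructed, and treating releases older than 0.49 as affected is an assumption.

```python
import re

# Line format taken from the log.txt entry quoted in the post:
#   2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.*)$"
)
CHKROOTKIT_RE = re.compile(r"chkrootkit-(\d+)\.(\d+)")
# Assumption: 0.49 is the release the post calls vulnerable; older releases
# are treated as affected too.
LAST_FLAGGED = (0, 49)
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_line(line):
    """Return a dict for one process-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"]}


def findings(lines):
    """Yield (pid, reason) for root-run commands a defender should review."""
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["uid"] != 0:
            continue  # unparseable line or non-root process
        v = CHKROOTKIT_RE.search(ev["cmd"])
        if v and (int(v[1]), int(v[2])) <= LAST_FLAGGED:
            yield ev["pid"], f"root handles chkrootkit {v[1]}.{v[2]}"
        argv = ev["cmd"].split()
        if argv and argv[0].startswith(WORLD_WRITABLE):
            yield ev["pid"], f"root executes {argv[0]} from a world-writable directory"


# Constructed sample: the first line is from the post, the rest are made up.
SAMPLE = [
    "2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz",
    "2020/06/27 18:57:03 CMD: UID=0 PID=12401 | /tmp/update",
    "2020/06/27 18:57:10 CMD: UID=1000 PID=12410 | /tmp/update",
    "2020/06/27 18:57:15 CMD: UID=0 PID=12420 | tar -xvzf chkrootkit-0.50.tar.gz",
    "garbage line",
]

if __name__ == "__main__":
    for pid, reason in findings(SAMPLE):
        print(pid, reason)
```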