I decided to do some more of the SunCSR Team boxes on VulnHub because I saw someone talking them up; I had done a couple already. It wasn’t easy though - although not for the reasons you might think.
VMware
I used to use VMware for my Kali but every few months it would just randomly nuke my box and I’d have to reinstall. Since I built my new PC, I only had VirtualBox and it has been seamless.
But … some of the SunCSR boxes are marked as working better with VMware and I couldn’t get them to get an IP with VirtualBox like I normally would. So, I installed VMware … and what a pain in the ass that turned out to be, for various reasons.
Anyway, I did Geisha with both Kali and Geisha in VMware, then I got Sumo to run in VirtualBox. So far I can’t get BlueSky to run at all. I mean it boots okay, but I can’t connect to it.
Geisha
This will be brief. It has like 5 different HTTP ports, plus FTP (no anonymous) and SSH. While I’m enumerating the various HTTP services, I have Hydra running against FTP with a username I found on one of the pages - the passwd file is on the webserver. Despite having a vulnerable webapp on two of the ports, I can’t find the login page - suggesting it may be a red herring. Hydra finds a password for our user, and we can use this for both FTP and SSH.
Once on, base32 has the SUID bit (thanks linpeas) and we can use it to read files. I read the shadow file but can’t crack the hash; so I use it to get the root SSH key and SSH in as root; done.
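The set-uid bit on base32 is the kind of misconfiguration a host audit should catch before anyone else does. The script below is an added example, not part of the original write-up: it lists set-uid files whose names are not on an expected allowlist and can clear the bit. The function names and the allowlist contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit set-uid files against an allowlist of expected names.
# SUID_ALLOWLIST is an assumed sample; build the real list from a known-good
# install of your distribution.
SUID_ALLOWLIST="su sudo passwd mount umount chsh chfn newgrp gpasswd"

# audit_suid DIR...
# Print the path of every set-uid regular file under the given directories
# whose basename is not in SUID_ALLOWLIST. -xdev keeps find on one filesystem.
# Paths containing newlines are not handled (one path per output line).
audit_suid() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case " $SUID_ALLOWLIST " in
            *" $name "*) ;;                  # expected set-uid binary, skip
            *) printf '%s\n' "$path" ;;      # unexpected, report it
        esac
    done
}

# remediate_suid PATH...
# Clear the set-uid bit on files that should not carry it
# (a general-purpose encoder such as base32 never needs it).
remediate_suid() {
    chmod u-s -- "$@"
}

# Stand-alone use: ./suid_audit.sh --scan /usr /bin /sbin
if [ "${1:-}" = "--scan" ]; then
    shift
    audit_suid "$@"
fi
```

Anything this prints that can read or write arbitrary files deserves the same treatment as a world-readable shadow file or root SSH key.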
Sumo
HTTP and SSH only. Web enumeration reveals a /cgi-bin directory so I add sh and cgi to my extensions:
Smells like shellshock?
Yep. Shell:
This box has an old kernel, and linux-exploit-suggester.sh suggests DirtyCow. This shit never works for me, but we’ll try:
HA! I’ve seen this before:
That’s better.
It appears to have hung at this point - dammit! Let’s try another login:
Well there you go, I guess it does work sometimes.