Easy/Intermediate (May variate depending on your background)
It is recommended to run this machine in Virtualbox.
This works better with VirtualBox rather than VMware
Okay let’s see what we can do with this.
VMWare vs VirtualBox
I run Kali in VMWare but I do have VirtualBox too. I downloaded the file as the .7z archive and unzipped it, then imported the applicance into VirtualBox. For networking it defaults to Bridged Mode and that works okay; I check my router for DHCP leases and get the IP - 192.168.1.76.
The banner says it’s Debian GNU/Linux 10 twilight tty1. Running a ping on the IP gives a TTL of 128; not sure what’s up with that.
So we’ve got quite a selection of ports:
- 22/tcp open ssh syn-ack ttl 128
- 25/tcp open smtp syn-ack ttl 128
- 80/tcp open http syn-ack ttl 128
- 139/tcp open netbios-ssn syn-ack ttl 128
- 445/tcp open microsoft-ds syn-ack ttl 128
- 2121/tcp open ccproxy-ftp syn-ack ttl 128
- 3306/tcp open mysql syn-ack ttl 128
- 8080/tcp open http-proxy syn-ack ttl 128
- 63525/tcp open unknown syn-ack ttl 128
We’ll probably need some more details on those, so I kick off a detail scan. In the meantime…
Port 2121 is FTP and anonymous login is allowed but there is nothing interesting in the directory and we can’t move around, so that’s not very useful.
SMB anonymous login is allowed, so we can poke around the server:
We should check out that WRKSHARE folder.
root@kali:/opt/vulnhub/twilight# smbclient \\\\192.168.1.76\\WRKSHARE
This is actually the server root (assuming we’re not in a container), so that’s nice. I get /etc/passwd and can see we have a user called miguel in /home, but we can’t read his directory. Checking /var/www/html we can poke around the files that make up the website on port 80, and there is an upload function in http://192.168.1.76/gallery/ - maybe we can use this for a shell?
Sure enough we can upload a PHP shell as shell.jpeg through the web interface on port 80, then rename it via the SMB connection to shell.php. From there we can access it via http://192.168.1.76/gallery/original/shell.php and get a reverse shell back to our attack machine.
As usual I ran linpeas, and it highlighted that /etc/passwd was writeable, along with some other interesting things. I’m guessing there are a few paths to root on this box. Anyway, with a writeable passwd file, we can add a new user with a new password using this technique from stackexchange.
Let’s try it out, and we’ll even use his ‘mrcake’ password suggestion:
Boom. There is a flag in /root/root.txt, but there’s nowhere to submit it so it doesn’t really matter.
I haven’t been writing much lately, been stuck on some intermediate stuff on TryHackMe and not moving forward much. I did complete the ‘Git Happens’ room though, which was a very straightforward enumeration of a git repo to find some credentials. I also completed OpenKeyS on HackTheBox but I’m not allowed to write that up just yet. I’ve never bothered writing up a HTB machine yet, since I’ve moved on by the time they become inactive. Maybe one day.