Vulnhub - SUNSET: MIDNIGHT
Introduction
Difficulty: Intermediate
Important!: Before auditing this machine make sure you add the host “sunset-midnight” to your /etc/hosts file, otherwise it may not work as expected.
This is SUNSET: MIDNIGHT from vulnhub.
Ports
This box has:
- SSH on port 22,
- HTTP on port 80, and
- MariaDB (MySQL) on 3306.
HTTP
We have one disallowed entry in robots.txt: wp-admin. So we know we’re running Wordpress.
root@kali:/opt/vulnhub/midnight# wpscan -e --url http://sunset-midnight
wpscan gets us one user admin. I start a password attack, but it’s not getting anywhere. In the meantime:
MySQL
So we quickly get some creds for MySQL, cool. We can login:
root@kali:/opt/vulnhub/midnight# mysql --host=192.168.1.119 --port 3306 -u root -p
Once we’re in we can get the admin password hash for Wordpress from wp_users:
admin:$P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/
But I can’t crack it with Hashcat. Hmmm - might as well kill that wpscan password attack. There is also a mysql database with a users table, and we can find the hashes for our user root and another user jose.
jose:3AA64DAE22DBC5B7ACC28062EB18EFB7046D808C
Unfortunately I can’t crack the jose hash either!
What I can do is change the hash for admin in the wp_users table:
MariaDB [wordpress_db]> UPDATE wp_users SET user_pass = '$P$BusK8xRCOLbSKorQVUvb4/EQA.FOQj.' WHERE user_login = 'admin';
The hash above is for the password none.
Wordpress
With the password for the admin user changed, I can log in to wp-admin. Once there, I upload a new plugin in zip format that is actually a reverse shell. The unzipped version looks like this:
Once uploaded and activated, we can catch the shell and we’re on the box.
No way, Jose
I run linpeas, because I always run linpeas. Even though I could have found it myself, it gives me this:
No wonder I couldn’t crack the hash. Anyway, this is also the SSH password for jose.
Root
As jose, enumeration turns up an unusual SUID binary:
Disassembling this in Ghidra shows the main method:
When we run it, we get the message:
jose@midnight:/dev/shm$ service ssh status
-bash: service: command not found
So there is no service binary. Maybe we should make one?
Thank you whitecr0wz; I enjoyed this one.