offsec

SunsetDecoy OffSec Walkthrough

INFOXIDE
3 Min Read
SunsetDecoy OffSec Walkthrough

SunsetDecoy OffSec Walkthrough: Today we are going to solve another boot2root challenge called “Sunset: decoy”.  It’s available at Vulnhub and OffSec for penetration testing. This is easy for the intermediate level lab. Let’s start and learn how to break it down successfully.

Contents
Penetration Testing MethodologyWalkthroughReconnaissanceEnumerationExploitingPrivilege Escalation (root)

Level: Easy/Intermediate

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Web server backup

Exploiting

  • Zip2john & John The Ripper

Privilege Escalation

  • Pspy64
  • Crontab abuse and chkrootkit vulnerability

Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

netdiscover

To work more comfortably, I’ll put the IP address in /etc/hosts.

add on /etc/hosts file

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC -p- 192.168.10.186
nmap scan

Enumeration

We access the web service and download the file “save.zip“.

got file

We tried to unzip the file, but it’s password protected.

unzip save file

For this mission, we will use “zip2john” which will help us to extract the hash from the .zip file and later we will attack it with “John The Ripper” and the dictionary “rockyou.txt“. We will obtain the password “manual” and use it to decompress the file, this time with success.

john crack

Exploiting

In the content of the .zip, we found a backup of several system files. We read the “shadow” file, copy the two hashes into a file called “users.hash” and crack this one with John The Ripper and the “rockyou.txt” dictionary.

user pass

We connect through the SSH service, this time we will add -t “bash –noprofile” to escape from the restricted bash. In there, we will read the user flag.

ssh bash restricted

Privilege Escalation (root)

We listed the files and found a binary called “honeypot.decoy“. We run it, use option 5 and see a warning that it will run in a minute.

honeypot

It is time to run pspy64, we check that a binary is running as root every 60 seconds.

ps exploit

We looked for information about the version of this binary and found an exploit that allows to scale privileges as root.

exploit db

Simply create a file called “update” and insert a reverse shell. We will give it execution permissions and wait 60 seconds with a netcat listening on port 4444 in our Kali.

exploit

After some time, we will have a session as root and we will be able to read the flag.

root flag

Finally this lab solve see you on next lab 😉

Also Read | Lampiao OffSec Walkthrough

TAGGED:
Share This Article
Previous Article Lampiao OffSec Walkthrough Lampiao OffSec Walkthrough
Next Article DriftingBlues6 OffSec Walkthrough DriftingBlues6 OffSec Walkthrough
Infoxide Security Live Hacking Workshop
Infoxide Security Certifications
infoxide Security telegram channel

Trending News🔥