Sunset: Twilight Vulnhub Walkthrough

Ctf Challenges
0

Hey folks, today we going to solve another Vulnhub Walkthrough. The vulnerable machine is available on vulnhub which you can download from here. More information about the machine is given below.

VM Details

Name: sunset: twilight
Author: whitecr0wz

Lets do it 🙂 !!

We start the reconnaissance and find the target host machine IP address by using the “netdiscover” command.

After getting the IP address we start the port scanning by nmap tool.

Most of the time the flags and clues are hidden in the directory so we start fuzzing with the dirb tool. We found some useful location by perform fuzzing.

This location allow us to upload “jpeg” extension file but we will try to upload our malicious php file into the server.

First we create a php backdoor by using the msfvenom.

We start the burpsuite, capture the request and send it in intercept mode to investigate the response. We received a error while uploading malicious php file to server.

We send the request again by manipulating the “content-type” option and it uploads successfully.

Got it ! copy the request, paste on proxy section and forward the request to the server.

We don’t know where the file will be uploaded, then we come back to our terminal and check the fuzzing list again. We find another link that contains the uploaded files.

We got our uploaded file and for getting the shell of the web server we click this php file as well as start the nc listener in our terminal.

We access the host machine and see that the password file is allowed to read, write and execute.

We cannot be execute the adduser command on the host machine ,therefore we add the user with root privileges on the passwd file but we need to give the password of the user so for that purpose. we use the openssl tool to generate an encrypted password with salt. After do all this we add user into the /etc/passwd file with following command.
Note 🙂 you can use the same given commands.

We authentication successfully as shivam user.

We reach the root directory where we get our root flag.

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Contact on Linkedin.

Leave a Reply

× How can I help you?
Share via
Copy link
Powered by Social Snap
%d bloggers like this: