Vulnhub - Sunset writeup
Only two ports are open and since FTP allowed anonymous login so let’s start with that.
After logging into FTP with anonymous credentials I found a file named
That file contained the hashes of some of the passwords.
➜ cat backup CREDENTIALS: office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X. datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/ sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0 sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/ space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
After removing the
CREDENTIAL from the file I ran the file through john without any wordlist.
I got password for 3 user
sky:sky sunset:cheer14 space:space
and was able to login into SSH via
And now we can get the
I downloaded the enumeration script from my own system and then ran it to see if I can find anything interesting.
The enumeration script gave out nothing but I found out that user
sunset had some sudo priveleges.
We can run the
ed binary as root.
I searched the
ed binary on gtfobins and found gtfobins/ed.
I was able to get the root shell with the following commnad:
$ sudo -u root ed !/bin/sh
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.