Sunset-Midnight-Ctf-Walkthrough 🌄

Shreya T
Published in InfoSec Write-ups
5 min read · Jul 4, 2021

Today we are going to solve another boot2root challenge called “Sunset: Midnight”. It’s available on VulnHub for penetration testing practice. I, Shreya Talukdar, am presenting this Sunset: Midnight CTF walkthrough. Let’s get started and learn how to successfully break it down.

🐞 Penetration Testing Methodology

Reconnaissance

▪️ Nmap

Enumeration

▪️Hydra brute force MySQL service

Exploiting

▪️ WordPress administrator’s password change
▪️ Modification of code to build a web shell

Privilege Escalation

😎Misuse of recycled passwords
😎Binary abuse without fixed load path
😎 Capture the flag

Usage !!

👻 First we run an nmap ping scan to find the hosts on our network:

nmap -sn 192.168.0/24

👻 Once we have the IP of the VM (the vulnerable machine), we perform an aggressive scan with

nmap -A

👻 After that, we add the IP address and the “sunset-midnight” host to our “/etc/hosts”, as indicated by the creator of the machine in the description. In my case:

192.168.43.91 sunset-midnight

👻 Then we enumerate the target and see that it is running WordPress

Let’s start by running nmap with OS detection, software versions, scripts and traceroute

nmap -A 192.168.43.72

We add the IP address and the “sunset-midnight” host to our “/etc/hosts” as indicated by the creator of the machine in the description.

Enumeration

We access the web service and find a site developed with the CMS WordPress.

Let’s scan it with WPScan.

Let’s try to get the admin login credentials by brute force, using the default wordlist in Kali, i.e. /usr/share/wordlists/rockyou.txt:

So, now let’s log in to the MySQL database:

As can be seen, we successfully logged in to the MySQL database with the password “robert”.

Let’s select wordpress_db and list out the tables:

Let’s list the content to wp_users:

Let’s update the admin password so that we can successfully login:

We set the admin password to the hashed form of the word “password”, and with that we logged in successfully. Username: admin, password: password :D

Now we need to edit the shell.php file. Set the IP to that of your Kali machine, i.e. 192.168.43.104 (for me), and the port to 9001 (or any port you wish).

Now let’s copy the content of shell.php and paste it into the theme editor.

Here, we can see that the file is updated successfully in the 404 template.

Now let’s access the shell:

Here, we got the login credentials :)

Privilege Escalation (user “jose”)

We use the password to authenticate ourselves as the user “jose”.

Logged in successfully.

Privilege Escalation (root)

We check which files we have access to, and the binary “/usr/bin/status” catches our attention. Running strings on it shows that it calls the “service” binary internally without specifying its full path. That lets us create our own malicious “service” file and change our PATH so that it is executed instead. Putting it into practice: we create a file named “service” in the “tmp” folder, put “/bin/sh” in it, execute “/usr/bin/status”, and get a shell as root.
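From the defender's side, the same strings check can be automated to audit a system for this weakness. The script below is an added example, not part of the original write-up: it flags privileged binaries that embed a command name without an absolute path. It assumes the binary is privileged through the setuid/setgid bit, and the command list and `SAMPLE` bytes are constructed for illustration.

```python
import os
import re
import stat
import sys

# Assumed, non-exhaustive list of helper commands a binary might shell out to.
COMMON_COMMANDS = {"service", "systemctl", "cat", "cp", "mv", "ls", "ps",
                   "id", "sh", "bash", "tar", "curl", "wget", "python"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)

# Constructed sample standing in for a binary's contents (not the real file).
SAMPLE = (b"\x7fELF\x02\x01\x00"
          b"Status of the SSH server:\x00"
          b"service ssh status\x00"
          b"/usr/sbin/service ssh status\x00")


def extract_strings(data):
    """Return printable ASCII runs of 4+ characters, like strings(1)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def relative_commands(data):
    """Strings whose first word is a known command given without a path."""
    hits = []
    for text in extract_strings(data):
        words = text.split()
        if words and "/" not in words[0] and words[0] in COMMON_COMMANDS:
            hits.append(text)
    return hits


def audit(paths):
    """Map each setuid/setgid regular file to its relative command strings."""
    findings = {}
    for path in paths:
        try:
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            with open(path, "rb") as handle:
                hits = relative_commands(handle.read())
        except OSError:
            continue  # unreadable or vanished file: skip it
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    # Usage: python audit_suid.py /usr/bin/* ; with no arguments, scan SAMPLE.
    print(audit(sys.argv[1:]) if len(sys.argv) > 1 else relative_commands(SAMPLE))
```

A hit is a heuristic lead for manual review. The fix in the binary itself is to call the helper by its absolute path and set a fixed PATH before running it.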

Ohho !!! Solved :D Finally

Enjoy 😎 and keep following me on twitter(@ShreyaTalukdar9)

Security researcher | Cyber Forensics | Malware Analysis | Threat hunting | Speaker | Blogger | Learner