sunset:twilight Vulnhub Walkthrough

Another walk-through for this day

Box _Name => sunset:twilight

Method => 1

Date : Friday 31 July 2020 Time : 20:41

Walkthrough

IP of the target => 192.168.1.184

As usual I started with nmap scan to find open ports and services uing the command

nmap -sC -sV -Pn -p- -T4 --max-rate=1000 -o nmap.txt 192.168.1.184

there are so many open ports (screenshot is incomplete)

I started enumeration from port 139 and 445 using enum4linux tool to check for the SMB shares

enum4linux 192.168.1.184

I tried accessing it anonymously and succeed :)

I started to enumerate different locations and found found that we can upload files in /var/www/html/ directory , so after wasting sometime I decided to upload a php reverse shell using the command

PUT shell.php

next I executed this script using the URL <taregt-ip>/shell.php and got the shell as user www-data

after spending some time with the box I found that /etc/passwd is writable

and that's it , edit the file locally in my system and uploaded it using wget with flag -O and then I got root access

Not showing How I edited the /etc/passwd file , search it on the internet you will find many website demonstrating this process
HINT:openssl

There is one more method that is bypassing the file upload restriction by changing the MIME type , Hope you like the walkthrough :)