, ,

Sunset : Decoy



  • Use fcrackzip to get password for the zipfile
  • Unshadow files to get password hash
  • Crack the hash
  • Bypass restrictive shell
  • Observe the AV
  • Find exploit for chrootkit to gain root access


Run nmap scan to find for open ports.

Port 80

Run a gobuster scan to find for hidden directories.

Let’s download the save.zip file form the webserver. However it is password protected. Use fcrackzip to get the password.

The zip file contains a /etc/ folders that has the following.

Contains hashes and information about the machine.

Let’s crack the shadow file.

Since there is both the passwd and shadow file we can unshadow and run john on it.

Found a user password.

However this user looks suspicious and from accessing it it seems to be a honeypot with very little privileges.

The user is limited with a restricted shell. We need to bypass it.


Use the following ssh command to bypass the shell.

ssh 296640a3b825115a47b68fc44501c828@ -t "bash --noprofile"
We need to use the full path for cat to work to get the user.txt flag.

Let’s run the honeypot file.

Use the AV scan option.

After exploring the rest of the directories we are able to find a log file.

The chkrootkit is executed during the AV scan.

It gives the version too.

Privilege escalation

Search exploit db for an exploit of this version.

Instructions are given.

Create an update file and insert a nc reverse shell to your attacking machine.

use /usr/bin/chmod +x update

Start a nc listner an root access is gain.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: