This vulnerable machine is located at: https://www.vulnhub.com/entry/sunset-noontide,531/

What I like to do first is create a directory for this box & copy over a preset for taking notes.

Next, I looked to see my IP and the IP of the Noontide box using ip addr (tells my IP) and sudo arp-scan --localnet (tells box’s IP).

I set an IP variable using export IP="10.10.1.113". The set IP variable can always be checked by using echo $IP.

I then nmapped the target using the IP variable I set up to look at what ports are open: sudo nmap -p- -sC -sV $IP --open. “-p-” is for scanning all ports; “-sC” is for default NSE scripts; “-sV” is for service versions; and “--open” is for filtering for only open ports.

UnrealIRCd is the only port(s) open and I have seen exploits for this before. So, I started up Metasploit using msfconsole. I then did search UnrealIRCd, which brought up IRCd exploits. I then did use 0.

Now, show options and set the RHOSTS.

Don’t try to run the exploit just yet, as you still need to set a payload. I did show payloads to view the possible payload options and then did set payload 1. I also set the LHOST just to be safe.

I then ran the exploit using exploit, and once it finished, checked for the python version.

Upon verifying there was only python3 installed, I ran python3 -c 'import pty;pty.spawn("/bin/bash")' to get a bash-looking shell.

I went down many routes (enumerating and checking the system) before attempting to switch to root. I tried default credentials for root, including the password “toor” (a common password for root on servers). After trying several combinations, and almost trying to go a different route, I tried using the password “root” and it worked.

Now that I am root, I did cd /root and ls -lsa to view what was inside the folder. There was a file named “proof.txt”. When I did cat proof.txt, it gives a flag as the proof.

The end!

It is very easy to get caught going down rabbit holes, when it could be just as simple as switching with default credentials (the most obvious choice). We get so used to trying to find the difficult solutions sometimes and forget to do the obvious first.
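From the defender's side, the run of su attempts described above leaves a trace in the auth log. The following is an added example, not part of the original write-up, that flags repeated failed su attempts that end in a success. The log lines are constructed, and the util-linux su message format, the host name and the "ircd" service account are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (util-linux su message format assumed).
# Host name and the "ircd" service account are illustrative, not from the post.
SAMPLE_LOG = """\
Mar  3 10:15:03 noontide su: FAILED SU (to root) ircd on pts/0
Mar  3 10:15:11 noontide su: FAILED SU (to root) ircd on pts/0
Mar  3 10:15:19 noontide su: FAILED SU (to root) ircd on pts/0
Mar  3 10:15:40 noontide su: (to root) ircd on pts/0
Mar  3 11:02:10 noontide su: (to root) alice on pts/1
Mar  3 11:30:00 noontide su: FAILED SU (to root) bob on pts/2
"""

# Matches both "FAILED SU (to X) Y on TTY" and the success form "(to X) Y on TTY".
SU_LINE = re.compile(
    r"su(?:\[\d+\])?: (?P<failed>FAILED SU )?"
    r"\(to (?P<target>\S+)\) (?P<source>\S+) on (?P<tty>\S+)"
)

def find_su_guessing(log_text, threshold=3):
    """Flag (source, target) pairs with >= threshold consecutive su failures.

    'succeeded' is True when the failure streak was ended by a successful su,
    which is the pattern a guessed default password produces.
    """
    streak = defaultdict(int)  # (source, target) -> consecutive failures
    alerts = []
    for line in log_text.splitlines():
        m = SU_LINE.search(line)
        if not m:
            continue
        key = (m["source"], m["target"])
        if m["failed"]:
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            alerts.append({"source": key[0], "target": key[1],
                           "failures": streak[key], "succeeded": True})
        streak[key] = 0  # a success ends the streak
    # Streaks still open at end of log: guessing that has not (yet) succeeded.
    for (source, target), n in streak.items():
        if n >= threshold:
            alerts.append({"source": source, "target": target,
                           "failures": n, "succeeded": False})
    return alerts

if __name__ == "__main__":
    for alert in find_su_guessing(SAMPLE_LOG):
        print(alert)
```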

Written by CyberArri
