CTF Walkthroughs, Hack The Box

Hack The Box – Sunday Walkthrough

March 19, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Solaris machine that required enumerating users in the Finger service to identify the sunny user, bruteforcing it with Hydra to authenticate via SSH, cracking a user hash found in a backup folder to escalate to the sammy user and exploiting the SUID permission set against Wget to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

From the initial scan, it can be identified that the Finger service is available, Finger is a protocol that can be used to obtain information about users logged into a remote host or network device. Performing another Nmap scan using the -p- flag to probe all ports:

This latest scan has identified that port 22022 is open, which upon further inspection will show that it is being used by SSH.

Enumerating Finger

Starting MSFconsole, searching for modules related to Finger, selecting the auxiliary/scanner/finger/finger_users module, setting the RHOSTS based on the target system and the user wordlist baed on the named.txt wordlist that comes with SecLists. Running the module:

A “sunny” user was found by the finger_users module, which could be used to bruteforce SSH credentials since it is running on port 22022.

Bruteforcing SSH Credentials

Using hydra to bruteforce the password, using the following flags:

  • -f to stop the attack when a valid password is found
  • -s to specify the port to target for the bruteforce attack
  • -l to specify the username for the bruteforce attack
  • -P to specify the wordlist to use for the bruteforce attack
  • the service and target to bruteforce

It appears the password for sunny is “sunday”. Authenticating to the target box using SSH on port 22022 as the “sunny” user:

Privilege Escalation

Viewing common files and directories, a “backup” folder is identified in the root directory

It appears the backup directory contains a backup of the /etc/shadow file, a password hash for the “sammy” user can be found:

Adding the hash to a text file and using John the Ripper with the following flags to crack the previously found hashes:

  • –wordlist to specify the wordlist to be used, in this case rockyou
  • the text file containing the hashes, one per line

It appears the password for the sammy user is “Cooldude!”. Using the su command to switch to the sammy user. Running sudo -l to see whether the current user can execute commands as root, it looks like it can execute Wget:

This can be exploited as when Wget downloads a file remotely, the original permissions of the file are kept. Creating a script that will generate SUID copy of the /bin/bash binary on the local Kali host:

Downloading the file remotely using Wget, specifying the URL and file to save it as:

Executing the script:

After executing the new SUID bash binary with the -p flag, which allows to execute binaries as the owner of it, this grants root access to the host: