SUNDAY
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Sunday, which is a retired machine from the Hack the Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Sunday's IP is 10.10.10.76:

- Scanning all ports with Nmap:

- Scanning the open ports in more depth, we discover that Sunday is a Sun Solaris machine:

2.1 - Finger enumeration
- Let's focus our attention for now on port 79, where the finger service is running.
- There are a couple of ways to enumerate usernames through finger.
2.1.1 - finger-user-enum
- First, the Perl script finger-user-enum:

- Once downloaded and extracted:


- Options and parameters for finger-user-enum:

- Using the SecLists file names.txt as the wordlist, the script discovers the two users sammy and sunny:



2.1.2 - finger_users
- Second, the Metasploit module finger_users yields the same result:

2.2 - SSH enumeration
- Medusa discovers the SSH password sunday for user sunny:

3 - EXPLOITATION
- Using the credentials sunny:sunday to connect with SSH:

- However, the SSH connection is rejected, so we need to specify the algorithm diffie-hellman-group1-sha1 for it to succeed:


- It is interesting to notice that user sunny has some sudo privileges to run the file /root/troll:

- Running /root/troll:

- Searching for and listing anything of interest:

- The directory /backup holds a backup of /etc/shadow:


- Also, /etc/passwd is accessible:

- Copying the lines for users sammy and sunny to Kali:

- Unshadowing:

- Passing the unshadowed file u to John the Ripper, we discover the password cooldude! for user sammy:

- Now, connecting to SSH as user sammy runs into the same problem as before, which can be solved in the same way:


- Again, we have a low-privileged remote shell:

- User sammy also has some sudo privileges:
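
- From the defender's side, what made the step from sunny to sammy possible is a readable copy of /etc/shadow outside /etc. The Python sketch below is an added example, not part of the original walkthrough: it walks a directory tree and reports world-readable files that contain shadow-format password hashes. The function names and the sample data (user alice, placeholder salt and digest) are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# crypt(3)-style hash field: $id$... ($1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt)
HASH_RE = re.compile(r"^\$([0-9a-z]+)\$.+")

# Constructed sample in shadow(4) layout; the salt and digest are placeholders.
SAMPLE_SHADOW = (
    "alice:$5$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:17636::::::\n"
    "svc:*LK*:::::::\n"  # locked account: no crackable hash, must not be reported
)

def shadow_entries(text):
    """Return (user, hash id) for 9-field records whose password field is a hash."""
    found = []
    for fields in (line.split(":") for line in text.splitlines()):
        match = HASH_RE.match(fields[1]) if len(fields) == 9 else None
        if match and fields[0]:
            found.append((fields[0], match.group(1)))
    return found

def audit_tree(root, max_bytes=1_000_000):
    """Report regular files under root that are world-readable and hold hashes."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH):
                    continue
                with open(path, errors="replace") as fh:
                    entries = shadow_entries(fh.read(max_bytes))
            except OSError:
                continue  # unreadable or vanished file: nothing to report
            if entries:
                findings.append((path, stat.filemode(st.st_mode), entries))
    return findings

def demo():
    """Constructed tree: one world-readable copy (0644) and one restricted (0600)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("shadow.backup", 0o644), ("shadow.safe", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(SAMPLE_SHADOW)
            os.chmod(path, mode)
        return [(os.path.basename(p), m, e) for p, m, e in audit_tree(tmp)]
```

Running `audit_tree("/backup")` as root on a host like this one would list any copy that an ordinary user could read; restricting such copies to mode 0600 owned by root, or removing them, closes the finding.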

4 - PRIVILEGE ESCALATION
- There are different ways to escalate privileges; let's try 3 of them.
- First, finding binaries with the SUID bit enabled:

- Let's pick these two files:


4.1 - pfexec
- pfexec executes the command bash and the result is a root shell:

4.2 - Msfvenom
- Generating a payload:

- Transferring exploit.elf from Kali to Sunday and outputting to /usr/bin/rsh:


- Setting up a Netcat listener:

- Running /usr/bin/rsh, a shell with euid=0(root) is obtained:


4.3 - wget --post-file
- The command wget supports the --post-file HTTP option, which sends the content of any file using the POST method:


- Setting up a Netcat listener on port 80:

- Sending /root/root.txt from Sunday to Kali:

- The root.txt flag shows up on Kali:

5 - CAPTURING THE FLAG
- Also, reading root.txt:
