Thursday, March 21, 2019
Sunday
SUNDAY
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Sunday, what is a retired machine from the Hack the Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Sunday's IP is 10.10.10.76:
- Scanning all ports with Nmap:
- Scanning deeply open ports we discover that Sunday is a Sun Solaris machine:
2.1 - Finger enumeration
- Let's focus our attention for now on port 79 where the service finger is running.
- There are a couple of ways of enumeration for finger usernames.
2.1.1 - finger-user-enum
- First, the Pearl script finger-user-enum:
- Once downloaded and extracted:
- Options and parameters for finger-user-enum:
- Using as wordlist the seclists file names.txt the script discovers the two users sammy and sunny:
2.1.2 - finger_users
- Second, the Metasploit module finger_users yields the same result:
2.2 - SSH enumeration
- Medusa discovers SSH password sunday for user sunny:
3 - EXPLOITATION
- Using credentials sunny:sunday to connect with SSH:
- However the SSH conection is rejected, so we need to specify the algorithm diffie-hellman-group1-sha1 for being successful:
- It is interesting to notice that user sunny has got some sudoer privileges to run the file /root/troll:
- Running /root/troll:
- Searching and listing for anything of interest:
- The directory /backup holds a backup of /etc/shadow:
- Also, /etc/passwd is accessible:
- Copying to Kali lines for user sammy and sunny:
- Unshadowing:
- Passing unshadowed file u to John The Ripper we discover password cooldude! for user sammy:
- Now, connecting to SSH with user sammy gives same problem than before, what can be solved in the previous way:
- Again, we have a low privileged remote shell:
- User sammy has got also some sudoer privileges:
4 - PRIVILEGE ESCALATION
- There are different ways of privileges escalation, let's try 3 of them.
- First, finding binaries with the SUID bit enabled:
- Let's pick up these two files:
4.1 - pfexec
- pfexec executes the command bash and the result is a root shell:
4.2 - Msfevnom
- Generating a payload:
- Transferring exploit.elf from Kali to Sunday and outputting to /usr/bin/rsh:
- Setting a Netcat listening session:
- Running /usr/bin/rsh a shell with euid=0(root) is achieved:
4.3 - wget --post-file
- The command wget allows the --post-file HTTP option, what sends the content of any file using the POST method:
- Setting a Netcat session at port 80:
- Sending /root/root.txt from Sunday to Kali:
- The root.txt flag shows up at Kali:
5 - CAPTURING THE FLAG
- Also, reading root.txt: