Thursday, March 21, 2019

Sunday


SUNDAY

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Sunday, which is a retired machine from the Hack the Box pentesting platform:


https://www.hackthebox.eu



2 - ENUMERATION


- Sunday's IP is 10.10.10.76:





- Scanning all ports with Nmap:




- Scanning the open ports in more depth, we discover that Sunday is a Sun Solaris machine:






2.1 - Finger enumeration

- Let's focus our attention for now on port 79 where the service finger is running.


- There are a couple of ways to enumerate usernames through finger.

2.1.1 - finger-user-enum

- First, the Perl script finger-user-enum:



- Once downloaded and extracted:





- Options and parameters for finger-user-enum:





- Using the SecLists file names.txt as the wordlist, the script discovers the two users sammy and sunny:








2.1.2 - finger_users


- Second, the Metasploit module finger_users yields the same result:





2.2 - SSH enumeration

- Medusa discovers the SSH password sunday for user sunny:





3 - EXPLOITATION

- Using credentials sunny:sunday to connect with SSH:




- However, the SSH connection is rejected, so we need to specify the key exchange algorithm diffie-hellman-group1-sha1 for the connection to succeed:







- It is interesting to notice that user sunny has sudo privileges to run the file /root/troll:




- Running /root/troll:




- Searching and listing for anything of interest:




- The directory /backup holds a backup of /etc/shadow:






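The foothold here is a copy of /etc/shadow left readable under /backup. As an added defender-side example that is not part of the original post, the following Python audit walks a directory tree, recognises shadow-format files by their nine-field layout, and flags any copy readable by group or others; the directory, file names and hash values it builds are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Shadow entry: name:hash:lastchg:min:max:warn:inactive:expire:flag (9 fields).
SHADOW_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\n]*(?::\d*){7}$")
# Prefixes of real crypt hashes; '*', '!' and 'NP' mean locked or no password.
HASH_PREFIXES = ("$1$", "$2", "$5$", "$6$", "$md5$", "$y$")


def looks_like_shadow(path, min_lines=2):
    """True if every non-empty line is shadow-format and at least one carries a real hash."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    except OSError:
        return False
    if len(lines) < min_lines or not all(SHADOW_LINE.match(ln) for ln in lines):
        return False
    return any(ln.split(":")[1].startswith(HASH_PREFIXES) for ln in lines)


def exposed_shadow_copies(root):
    """Return [(path, mode)] for shadow-format regular files readable by group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: symlinks are skipped, not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                if looks_like_shadow(path):
                    findings.append((path, stat.S_IMODE(st.st_mode)))
    return findings


def demo():
    """Audit a constructed /backup-like tree; returns the basenames that were flagged."""
    base = tempfile.mkdtemp(prefix="shadow-audit-")
    # Constructed sample entries (placeholder hashes, not real credentials).
    sample = ("root:$5$examplesalt$examplehashvalue:17000:0:99999:7:::\n"
              "sunny:$5$anothersalt$anotherhashvalue:17000:0:99999:7:::\n")
    for name, mode in (("shadow.backup", 0o644), ("shadow.safe", 0o400)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
    with open(os.path.join(base, "passwd"), "w") as fh:  # 7-field passwd copy: not flagged
        fh.write("sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash\n")
    return sorted(os.path.basename(p) for p, _ in exposed_shadow_copies(base))


if __name__ == "__main__":
    print(demo())  # ['shadow.backup']
```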

- Also, /etc/passwd is accessible:




- Copying the lines for users sammy and sunny to Kali:



- Unshadowing:




- Passing the unshadowed file u to John the Ripper, we discover the password cooldude! for user sammy:





- Now, connecting to SSH with user sammy gives the same problem as before, which is solved in the same way:







- Again, we have a low-privileged remote shell:




- User sammy also has some sudo privileges:





4 - PRIVILEGE ESCALATION

- There are different ways to escalate privileges; let's try three of them.

- First, finding binaries with the SUID bit enabled:




- Let's pick these two files:






4.1 - pfexec

- pfexec executes the command bash and the result is a root shell:




4.2 - Msfvenom


- Generating a payload:




- Transferring exploit.elf from Kali to Sunday and writing it to /usr/bin/rsh:







- Setting a Netcat listening session:




- Running /usr/bin/rsh, a shell with euid=0(root) is obtained:




4.3 - wget --post-file

- The command wget supports the --post-file HTTP option, which sends the content of any file using the POST method:






- Setting a Netcat session at port 80:





- Sending /root/root.txt from Sunday to Kali:



- The root.txt flag shows up at Kali:



5 - CAPTURING THE FLAG

- Also, reading root.txt: