Sunday is a fairly simple machine, but it runs fairly old software and can be a bit unpredictable at times. It focuses mainly on exploiting the Finger service and on the use of weak credentials.
Tags: Reconnaissance, User Enumeration, Password Cracking, Brute Force Attack, SUDO Exploitation
Task 0 - Deploy machine
🎯 Target IP: 10.129.237.18
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
Task 1 - Reconnaissance
```bash
# "sudo echo ... >> /etc/hosts" does not work: the redirection is performed by the
# unprivileged shell, not by sudo, so append through tee instead
echo "10.129.237.18 sunday.htb" | sudo tee -a /etc/hosts
mkdir -p htb/sunday.htb
cd htb/sunday.htb
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sudo sed -i '$ d' /etc/hosts
```
I prefer to start recon by pinging the target: this lets us check connectivity and get a first hint about the OS.
Looking at the replies to these three ICMP echo requests, we see that the Time To Live (TTL) is neither 64 nor 128, the usual Linux and Windows defaults. This is a little strange, and a quick search shows that our target is a Solaris system.
1.1 - Which open TCP port is running the finger service?
Let's start right away with an active port scan with nmap.
We can follow the HTB questions, which help us take the right path.
Default TCP port 79 is running the finger service.
79
1.2 - How many users can be found by enumerating the finger service? Consider only users who show a pts.
How does the finger service work?
The Finger program/service is utilized for retrieving details about computer users. Typically, the information provided includes the user's login name, full name, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the user, and the contents of the user's plan and project files.
The best way to learn something is to push yourself and develop your own tools, so I did: I wrote the following Python tool, which enumerates the users of the system by querying finger with a common wordlist.
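The author's tool is not reproduced on this page. What question 1.2 really needs is a reading of the table finger returns: a login name, a full name, a terminal (TTY) column and, for active sessions, an idle time, login time and origin. The following is an added example, not the writeup's code, that parses that table from a constructed sample (all names, times and addresses below are made up) and reports which users have a session on a pseudo-terminal (pts/N). The column layout imitates the classic BSD/Solaris finger output; the parser locates the TTY column by pattern because the Name column may contain spaces.

```python
import re
from typing import Dict, List

# Constructed sample of the table a finger(1) daemon returns for a query with no
# user name ("finger @host"). The column layout mimics the classic BSD/Solaris
# format; every login name, time and address below is made up for this example.
SAMPLE_FINGER_OUTPUT = """\
Login       Name               TTY         Idle    When    Where
adm      Admin                 console      <  .  .  .  . >
sunny    sunny                 pts/3          <Apr 24 10:53> 10.0.2.15
sammy    sammy                 pts/2     4:11 <Apr 24 09:02> 10.0.2.15
root     Super-User            console      7:50 Tue 09:10  :0
"""

# A token is a terminal name if it is a pseudo-terminal (pts/N), the console,
# or a tty device; the Name column can contain spaces, so we locate the TTY
# column by pattern instead of by position.
TTY_RE = re.compile(r"^(pts/\d+|console|tty\w*)$")


def parse_finger_table(text: str) -> List[Dict[str, str]]:
    """Turn the finger table into one record per line: login, full name, tty."""
    records = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        tokens = line.split()
        if not tokens:
            continue
        tty_index = next(
            (i for i, tok in enumerate(tokens) if i > 0 and TTY_RE.match(tok)), None
        )
        if tty_index is None:  # not a session line we understand; skip it
            continue
        records.append({
            "login": tokens[0],
            "name": " ".join(tokens[1:tty_index]),
            "tty": tokens[tty_index],
        })
    return records


def users_on_pts(text: str) -> List[str]:
    """Login names whose session is on a pseudo-terminal (pts/N), i.e. a remote
    shell session rather than the physical console; this is what question 1.2
    asks us to count."""
    return sorted(
        r["login"] for r in parse_finger_table(text) if r["tty"].startswith("pts/")
    )


if __name__ == "__main__":
    for rec in parse_finger_table(SAMPLE_FINGER_OUTPUT):
        print(f"{rec['login']:<10} {rec['tty']:<10} {rec['name']}")
    print("users on a pts:", users_on_pts(SAMPLE_FINGER_OUTPUT))
```

Read the other way round, the same table is what a defender should worry about: an unauthenticated query reveals valid login names, who is currently logged in, from which address, and how long they have been idle. That is exactly why finger is normally disabled or firewalled on anything reachable from untrusted networks.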
Fantastic: here is our password, which honestly we could even have guessed.
sunday
2.2 - What is the password for user sammy on the box?
Running Hydra again gives no results, so we try logging in via SSH as the sunny user instead.
```bash
ssh sunny@sunday.htb -p 22022
```
Here we find the home folders of the two users, but no valuable information about the password.
Sammy's folder contains the bash history, so let's check whether any password was mistakenly typed into the shell and left there in clear text.
```bash
cat ~/.bash_history | grep "password"
```
No results.
Fortunately, digging a bit further, we find in /backup the file shadow.backup, a backup of /etc/shadow and therefore of the users' password hashes.
So we save sammy's hash and run john or hashcat to crack it.
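The root cause here is not the cracking step but the backup itself: a copy of /etc/shadow left where a low-privileged user can read it. The following is an added example, not part of the writeup, of the check an administrator would run to catch that misconfiguration. It walks a directory tree, flags regular files that contain shadow-style entries (a `login:$id$salt$hash` prefix) and are readable by group or others, and builds its own throwaway demo tree with constructed placeholder hashes so it runs offline. The directory names `backup/` and `etc/` in the demo are assumptions that mirror the situation on the box.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# A shadow(5) entry looks like "login:$id$salt$hash:lastchange:..."; we only
# need to recognise the "login:$<id>$" prefix of a crypt(3) hash ($1$, $5$, $6$ ...).
SHADOW_LINE_RE = re.compile(r"^[^:\s]+:\$[0-9a-zA-Z]+\$")


def looks_like_shadow(path: str) -> bool:
    """True if at least one line of the file has the shape of a shadow entry."""
    try:
        with open(path, "r", errors="replace") as fh:
            return any(SHADOW_LINE_RE.match(line) for line in fh)
    except OSError:
        return False


def find_exposed_shadow_backups(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, octal mode) for every regular file that
    contains shadow-style hashes and is readable by group or others.
    A file readable only by its owner (mode 0600) is not reported."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):  # skip symlinks, sockets, etc.
                continue
            group_or_world_readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            if group_or_world_readable and looks_like_shadow(path):
                exposed.append((path, oct(stat.S_IMODE(mode))))
    return sorted(exposed)


def build_demo_tree() -> str:
    """Create a throwaway directory that imitates the situation on the box:
    a backup/shadow.backup copy of the shadow file left readable by everyone,
    next to a properly protected copy and an unrelated file. The hashes are
    constructed placeholders, not real ones."""
    root = tempfile.mkdtemp(prefix="shadow-audit-")
    os.makedirs(os.path.join(root, "backup"))
    os.makedirs(os.path.join(root, "etc"))
    entries = (
        "sammy:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASHNOTREAL:6445::::::\n"
        "sunny:$5$CONSTRUCTEDSALT$ANOTHERCONSTRUCTEDHASH:6445::::::\n"
    )
    exposed = os.path.join(root, "backup", "shadow.backup")
    with open(exposed, "w") as fh:
        fh.write(entries)
    os.chmod(exposed, 0o644)  # the mistake: readable by every local user
    protected = os.path.join(root, "etc", "shadow")
    with open(protected, "w") as fh:
        fh.write(entries)
    os.chmod(protected, 0o600)  # correct: owner only
    with open(os.path.join(root, "backup", "notes.txt"), "w") as fh:
        fh.write("backup taken last week: user:password\n")  # no hash, not reported
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, mode in find_exposed_shadow_backups(demo_root):
        print(f"EXPOSED {mode} {path}")
```

Pointing `find_exposed_shadow_backups` at `/` (as root) is the real-world use; anything it lists should be deleted or restricted to mode 0600, and a backup routine that copies /etc/shadow should preserve those permissions rather than rely on the destination directory being private.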