HomeGitHubPortfolio Twitter/X Medium Cont@ct

Sunday

https://www.hackthebox.com/machines/sunday

🔗 Sunday

@hackthebox.com
About

Machine Description

Sunday is a fairly simple machine, however it uses fairly old software and can be a bit unpredictable at times. It mainly focuses on exploiting the Finger service as well as the use of weak credentials.

Area of Interest

Enterprise Network Protocols Vulnerability Assessment Authentication

Technology

SSH Finger

Vulnerabilities

Weak Credentials Misconfiguration

Security Tools

Nmap Zenmap John finger-user-enum

Techniques

Reconnaissance User Enumeration Password Cracking Brute Force Attack SUDO Exploitation

Task 0 - Deploy machine

🎯 Target IP: 10.129.237.18

Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.

Task 1 - Reconnaissance

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

Sending these three ICMP packets, we see that the Time To Live (TTL) isn't 64 or 128 secs. This is a little strange and googling we can see that our target is a Solaris OS system.

1.1 - Which open TCP port is running the finger service?

Let's start right away with an active port scan with nmap

command
result

sT

TCP connect port scan (Default without root privilege)

sC

Run default scripts

sV

Enumerate versions

vvv

Verbosity

T4

Run a bit faster

oN

Output to file with nmap formatting

It looks like there are 5 open TCP ports on the machine: 79, 111, 515, 6787, 22022.

Then, we can proceed to analyze services active on open ports:

Good, finger protocols was found, while we can see another two interesting services actives: webserver on port 6787 and OpenSSH on port 22022.

Browsing it: https://sunday.htb:6787/ we see a Solaris login page:

Login bypass unfortunaly doesn't work and we don't obtained great info via whatweb.

We can follow HTB questions that can help us to take the correct via.

Default TCP port 79 is running the finger service.

79

1.2 - How many users can be found by enumerating the finger service? Consider only users who shows a pts?

How finger service works?

The Finger program/service is utilized for retrieving details about computer users. Typically, the information provided includes the user's login name, full name, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the user, and the contents of the user's plan and project files.

Logo79 - Pentesting Finger - HackTricksbook.hacktricks.xyz

The best way to learn one thing is to improve yourself and develop your own tools, so I did and created the following tool in python that allows us to enumerate the users of the system using a dictionary attack with a common wordlist.

LogoGitHub - dev-angelist/Finger-User-Enumeration: Python script to enumerate users on protocol fingerGitHub

excluding the root user, there are two users listed: sammy and sunny.

2

Task 2 - Find User Flag

2.1 - What is the password for the sunny user on Sunday?

We can use brute force tool like as Hydra to try to found sunny's password. We can do a tentative via SSH/22022 protocol.

Fantastic, here is our password, which honestly we could have even tried to guess.

sunday

2.2 - What is the password for user sammy on the box?

Using again Hydra we don't obtain results, then we can try to login via ssh into sunny user.

Here we find the folders of the two users, but without any valuable information about the password.

In sammy's folder there is the bash history, so let's try to check if there were any passwords written incorrectly in clear text.

No results.

Fortunately, investigating a bit, we find in the path /backup the file shadow.backup, containing the backup of the file /etc/shadow and therefore of the hashes of the users.

So we save the sammy's hash and launch john or hashcat to crack it.

Well done!

cooldude!

2.3 - Submit the flag located in the sammy user's home directory.

Now that we also know sammy's password, we can ssh in and get the flag easily.

🚩 Flag 1 (user.txt)

db7749ca1b003cf371c1f2afed38f834

Task 3 - Find root flag

3.1 - What is the full path of the binary that user sunny can run with sudo privileges?

Executing sudo -l command we can commands that user puma can execute with sudo privileges:

/root/troll

3.2 - What is the complete path of the binary that user sammy can run with sudo privileges?

Same thing, sudo -l command and it's done!

/usr/bin/wget

3.3 - Submit the flag located in root's home directory.

The previous two tasks are the prelude to privilege escalation, let's checking them!

sammy

  • /root/troll

Not knowing "troll" which I imagine is an ironic name, we focus on the usual wget.

sunny

  • /usr/bin/wget

As always, the wget bible has a solution for privilege escalation with sudo.

Logowget | GTFOBinsgtfobins.github.io
🚩 Flag 2 (root.txt)

c4fc01d4944cf3925f079da70abdaea7

PreviousSauNextCap

Last updated