Machine Creator: ch4p
First, we start with a full-port Nmap scan and discover port 79 TCP (Finger).
The finger service allows us to view users who are currently logged in.
Currently, there are no users logged in.
We can enumerate users through finger using a Perl script by pentestmonkey.
Two users who have logged in previously are discovered, Sammy and Sunny, with login timestamps of April 24 from IP 10.10.14.4.
Alternatively, we can run finger enumeration through Metasploit.
After conducting a more in-depth Nmap scan, we can see that SSH is running on port 22022.
SSH Brute force
Now that we have possible usernames, we need to discover their passwords. Generally, Hydra can be used for SSH brute forcing; however, due to the age of this machine, a different tool is required: Patator. Patator was able to brute force SSH and discovered sunny’s password as “sunday”.
While attempting to log in through SSH, there was an error, “no matching key exchange method found”, so the key exchange method had to be specified explicitly.
After looking around, I was able to locate the user.txt file on Sammy’s desktop; however, sunny does not have permission to access the file.
After searching through directories, I came across a backup directory with two files; one of them turned out to be a backup of the Linux shadow file with the password hashes.
After running both Linux password hashes through Hashcat, we are given the passwords “sunday” and “cooldude!”.
The Windows version of Hashcat was used for graphics card acceleration.
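The exposed shadow backup above is exactly the kind of misconfiguration a defender can hunt for. The following is an added example, not part of the original writeup: it walks a directory tree and flags group- or world-readable files whose content is in shadow(4) format (the nine-field layout shared by Solaris and Linux); the file names and hash strings in demo() are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# One shadow(4) entry: 9 colon-separated fields, the second a crypt(3) hash ($5$..., $6$...)
# or a lock marker (*, !, NP). Solaris and Linux share this layout, so one check covers both.
_SHADOW_ENTRY = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_.-]*:(\$[^$:]+\$[^:]+|[!*]*|NP):([^:]*:){6}[^:]*$")

def looks_like_shadow(text: str) -> bool:
    """True if every non-empty line is a shadow entry and at least one carries a hash."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return (bool(lines) and all(_SHADOW_ENTRY.match(ln) for ln in lines)
            and any(ln.split(":")[1].startswith("$") for ln in lines))

def find_exposed_shadow_copies(root: str, max_bytes: int = 65536) -> list:
    """Paths under root that are group- or world-readable and look like shadow dumps."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if (not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes
                        or not st.st_mode & (stat.S_IRGRP | stat.S_IROTH)):
                    continue  # not a regular file, too large, or owner-only readable
                with open(path, encoding="utf-8") as fh:
                    if looks_like_shadow(fh.read()):
                        hits.append(path)
            except (OSError, UnicodeDecodeError):
                continue  # unreadable or binary file: skip it
    return sorted(hits)

def demo() -> list:
    """Constructed tree: a 0644 shadow backup (exposed), a 0400 shadow (not), and junk."""
    root = tempfile.mkdtemp()
    entry = "root:$5$constructedsalt$constructedhash0000000000000000000000000000000000000000000:17600::::::\n"
    files = {
        "backup/shadow.backup": (entry + entry.replace("root:", "sunny:"), 0o644),
        "etc/shadow": (entry, 0o400),
        "backup/agent22.backup": ("not a shadow file\nxyz:123\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return [os.path.relpath(p, root) for p in find_exposed_shadow_copies(root)]
```

Run find_exposed_shadow_copies() against /backup, /var/backups or similar paths on a host to catch the same exposure before an attacker does.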
Logged in as user Sammy using the password “cooldude!”.
After logging in as Sammy, we can read the user.txt file and get the key.
Checking sudo privileges as Sunny, we can run the file /root/troll as root.
Checking sudo privileges as Sammy, we can run wget as root.
Since we can download files using wget as root and execute /root/troll as root, we can combine the two to obtain an elevated reverse shell.
We can serve a custom troll file from our local machine using Python’s SimpleHTTPServer and then download it as Sammy.
In the troll file, I’ve included a Python reverse shell script.
Now, after running “sudo /root/troll” as Sunny, we have a reverse shell as root.
With root access, we can now view the contents of root.txt.