Sunday: Hack the Box Write-Up
Networked, an Easy-rated machine, is one of my least favorite machines on Hack the Box. This is mostly due in part to the response time of the machine and it timing out for reasons I can only assume are tied to it running SunOS. A foothold is found by brute forcing SSH and privilege escalation comes from racing against a cron job to execute a binary, which to my counting, took 7 tries of running because of how unresponsive the machine became.
Initial nmap scans took several times for me to run and fully complete. The initial scan showed dozens of high ports open on the machine, so it took several times of rerunning it to become accurate. Here's what we saw from the initial nmap scan:
# Nmap 7.80 scan initiated Tue Aug 18 22:28:45 2020 as: nmap -sC -sV -Pn -oN sunday.nmap 10.10.10.76 Nmap scan report for 10.10.10.76 Host is up (0.032s latency). Not shown: 974 closed ports PORT STATE SERVICE VERSION 79/tcp open finger Sun Solaris fingerd |_finger: No one logged on\x0D 111/tcp open rpcbind 2-4 (RPC #100000) 425/tcp filtered icad-el 444/tcp filtered snpp 646/tcp filtered ldp 911/tcp filtered xact-backup 1072/tcp filtered cardax 1247/tcp filtered visionpyramid 1658/tcp filtered sixnetudr 2607/tcp filtered connection 3071/tcp filtered csd-mgmt-port 3390/tcp filtered dsc 3995/tcp filtered iss-mgmt-ssl 4002/tcp filtered mlchat-proxy 4126/tcp filtered ddrepl 4662/tcp filtered edonkey 5962/tcp filtered unknown 7070/tcp filtered realserver 7443/tcp filtered oracleas-https 8031/tcp filtered unknown 8045/tcp filtered unknown 9100/tcp filtered jetdirect 31337/tcp filtered Elite 49153/tcp filtered unknown 49167/tcp filtered unknown 52848/tcp filtered unknown Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
...versus what can be seen when scanning against all ports:
# Nmap 7.80 scan initiated Tue Aug 18 22:34:21 2020 as: nmap -sC -sV -Pn -p- -oN sunday-full.nmap 10.10.10.76 Warning: 10.10.10.76 giving up on port because retransmission cap hit (10). Nmap scan report for 10.10.10.76 Host is up (0.070s latency). Not shown: 63954 closed ports, 1576 filtered ports PORT STATE SERVICE VERSION 79/tcp open finger Sun Solaris fingerd |_finger: ERROR: Script execution failed (use -d to debug) 111/tcp open rpcbind 2-4 (RPC #100000) 22022/tcp open ssh SunSSH 1.3 (protocol 2.0) 36336/tcp open rpcbind 44795/tcp open unknown Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Aug 19 12:27:26 2020 -- 1 IP address (1 host up) scanned in 49984.67 seconds
I have no idea what happened, but if anything, it can teach us the value of verifying what is head and not always taking what tools show us as gospel. I personally have never interacted with SunOS, so this was a new experience for me; this link proved the most helpful for enumerating and understanding what it can and can't do, deserving a permanent bookmark in my browser.
After some digging, we can do simple enumeration on the users verified within the operating system by issuing the following command:
perl finger-user-enum.pl -u /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
After some time, we notice two users that stick out to us: sammy and sunny. Armed with this information, the only other port that appears to be open for us to test against is SSH. Performing brute forcing against SSH will eventually show a password of "sunday" for the sunny user (I would include this, but it took 4 tries over 2 days to get this and I was not in the mood to capture a PoC). When trying to SSH to verify this claim, we get an error about specific key exchanges not being supported. After making the appropriate changes we are greeted with the following:
Now that we have access, we can do some simple enumeration. Issuing a "sudo -l" command reveals sunny can run a program by the name of /root/troll, and running it outputs the response to the command "id".
Moving to other parts of the box, we notice a non-standard directory called /backup, containing two files, with one of them named shadow.backup. If we cat this file, we are greeted with the following:
With this information, we can use hashcat on our local machine to crack these passwords against the rockyou.txt dictionary relatively quickly by using the following command:
hashcat -m 7400 shadow /usr/share/wordlists/rockyou.txt
Now that we have a credential set of sammy:cooldude!, we can SSH into the machine (which is highly recommended for the next method). When a connection is established, the same "sudo -l" command shows we have access to wget, leading us down the path of creating our own troll file, using wget with sammy to place it into /root, and executing it with the sunny user. On our local machine, we can create our own troll file with the following contents:
Yes, that is really all it takes. If you can successfully get the remote file as sammy and execute it as sunny, here is what we can see as expected output: