Sunday — Hack the Box
This box is very slow. However one has to deal with such boxes in real life, so tweak the tools where we can use them to deal with such boxes.
Let’s start with reconnaissance
Ran general nmap:
nmap -sV -sC -oA general 10.10.10.76
- sV = for service version detection, -sC = run default scripts and -oA=generate all type of outputs.
- it gave two open ports filter(79) and rpcbind(111) are open.
Tried enumerating users from finger as firstname.lastname@example.org
so tried finger user enum script, https://github.com/pentestmonkey/finger-user-enum
For that I used seclists to have usernames list https://installlion.com/kali/kali/main/s/seclists/install/index.html and ran enumeration script but tweaked options of worker processes and wait for reply as below:
We know that above users present in the host but after that not sure what to do with them , so checked any exploits present for rpcinfo, but no success.
Because of this I had to revisit to nmap for any services not running on default ports as below:
nmap -p- -oA full-noscripts 10.10.10.76 -T5
After I found more ports so now I ran nmap service detection on only these ports as below:
Observe ssh is running on port 22022.
so lets run hydra on it with the usernames we found, As the name is sunday of the box, just thought of running sunny first as it rhymes
hydra -l sunny -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.76:22022 -V -t 64
Observe hydra gave the password, so lets login using the password to the machine. But observe the server needs different algorithm, provide that algorithm and ssh to server as below:
but users.txt is present in sammy profile and sunny does not have access to it. So ran hydra against sammy(but no use) and trying to privilege escalate of sunny to root or some other.
for that wgetting the linuxenum.sh file. Ran the file but it didn’t gave much information. ran sudo -l and saw that the /root/troll can be executed with root privileges. So created a file in kali and tried to wget.
But as seen in below screenshot, sunny does not privileges to edit troll via wget, and its a dead end.
So thought of looking clues starting from / folder.
there is a folder backup, where shadow backup has read permissions for everyone.
Observe the sunny hash, use john the ripper on it with general rockyoutxt.
Ssh to the server as sammy. check if any sudo scripts are present.
try wgetting the troll file in the sammy login and run sudo /root/troll in sunny login and boom we got root creds and root flag.