Sunday | Write-Up
Summary
Sunday, an Easy-rated machine, is one of my least favorite machines on Hack the Box. This is mostly due in part to the response time of the machine and it timing out for reasons I can only assume are tied to it running SunOS. A foothold is found by brute forcing SSH and privilege escalation comes from racing against a cron job to execute a binary, which to my counting, took 7 tries of running because of how unresponsive the machine became.
Enumeration
Initial nmap scans took several times for me to run and fully complete. The initial scan showed dozens of high ports open on the machine, so it took several times of rerunning it to become accurate. Here's what we saw from the initial nmap scan:
Nmap 7.80 scan initiated Tue Aug 18 22:28:45 2020 as: nmap -sC -sV -Pn -oN sunday.nmap 10.10.10.76
Nmap scan report for 10.10.10.76
Host is up (0.032s latency).
Not shown: 974 closed ports
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open rpcbind 2-4 (RPC #100000)
425/tcp filtered icad-el
444/tcp filtered snpp
646/tcp filtered ldp
911/tcp filtered xact-backup
1072/tcp filtered cardax
1247/tcp filtered visionpyramid
1658/tcp filtered sixnetudr
2607/tcp filtered connection
3071/tcp filtered csd-mgmt-port
3390/tcp filtered dsc
3995/tcp filtered iss-mgmt-ssl
4002/tcp filtered mlchat-proxy
4126/tcp filtered ddrepl
4662/tcp filtered edonkey
5962/tcp filtered unknown
7070/tcp filtered realserver
7443/tcp filtered oracleas-https
8031/tcp filtered unknown
8045/tcp filtered unknown
9100/tcp filtered jetdirect
31337/tcp filtered Elite
49153/tcp filtered unknown
49167/tcp filtered unknown
52848/tcp filtered unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
...versus what can be seen when scanning against all ports:
Nmap 7.80 scan initiated Tue Aug 18 22:34:21 2020 as: nmap -sC -sV -Pn -p- -oN sunday-full.nmap 10.10.10.76
Warning: 10.10.10.76 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.76
Host is up (0.070s latency).
Not shown: 63954 closed ports, 1576 filtered ports
PORT STATE SERVICE VERSION
79/tcp open finger Sun Solaris fingerd
|_finger: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
36336/tcp open rpcbind
44795/tcp open unknown
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 19 12:27:26 2020 -- 1 IP address (1 host up) scanned in 49984.67 seconds
I have no idea what happened, but if anything, it can teach us the value of verifying what is head and not always taking what tools show us as gospel. I personally have never interacted with SunOS, so this was a new experience for me; this link proved the most helpful for enumerating and understanding what it can and can't do, deserving a permanent bookmark in my browser.
After some digging, we can do simple enumeration on the users verified within the operating system by issuing the following command:
perl [finger-user-enum.pl](http://finger-user-enum.pl) -u /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
Foothold
After some time, we notice two users that stick out to us: sammy and sunny. Armed with this information, the only other port that appears to be open for us to test against is SSH. Performing brute forcing against SSH will eventually show a password of "sunday" for the sunny user (I would include this, but it took 4 tries over 2 days to get this and I was not in the mood to capture a PoC). When trying to SSH to verify this claim, we get an error about specific key exchanges not being supported. After making the appropriate changes we are greeted with the following:
Now that we have access, we can do some simple enumeration. Issuing a "sudo -l" command reveals sunny can run a program by the name of /root/troll, and running it outputs the response to the command "id".
Moving to other parts of the box, we notice a non-standard directory called /backup, containing two files, with one of them named shadow.backup. If we cat this file, we are greeted with the following:
With this information, we can use hashcat on our local machine to crack these passwords against the rockyou.txt dictionary relatively quickly by using the following command:
hashcat -m 7400 shadow /usr/share/wordlists/rockyou.txt
Privilege Escalation
Now that we have a credential set of sammy:cooldude!, we can SSH into the machine (which is highly recommended for the next method). When a connection is established, the same "sudo -l" command shows we have access to wget, leading us down the path of creating our own troll file, using wget with sammy to place it into /root, and executing it with the sunny user. On our local machine, we can create our own troll file with the following contents:
#!/bin/bash
/bin/bash
Yes, that is really all it takes. If you can successfully get the remote file as sammy and execute it as sunny, here is what we can see as expected output: