Welcome back to Exploitnetworking! Today we'll go through the writeup of the Hack The Box Sunday machine. This box was really easy: a simple nmap scan and some enumeration get you into the server, and after that a couple of tricks get you the root user.
The first step is a simple nmap scan to see which services are running on the machine:
As we can see, there are two open ports. Port 79 runs the finger service, the finger daemon of the Solaris system: it reports which users are currently logged in, and we can see that at the moment there are three sessions, two under the sammy account and one under the sunny account.
If no users are logged in, we can enumerate them with this tool: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum.
Let's continue our enumeration. Now use nmap to scan all ports of the system:
We can see that there is an SSH service on port 22022:
Now let's try to log in over SSH as sunny or sammy. First try sunny with a simple password like sunday, since sunday is the name of the machine:
OK! We are in the system as sunny! Now let's try to get the root or sammy account. If we change directory to / we can see an interesting directory called backup; inside it there is a backup copy of the shadow file that is readable:
This file contains the password hashes of sammy and sunny! Let's try to crack sammy's hash:
Save this in a file and pass it to john:
After a few minutes john finds a match: cooldude!. Let's try it over SSH with the sammy account:
Oh yes, we are sammy! Now let's try to get the root account. If we type sudo -l we see this output:
We can run wget as root without a password! The idea is:
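As an added example from the defender's side (not part of the original writeup), this Python script audits a shadow-format file the way the readable backup above should have been audited: it flags a copy that any user on the box can read, empty password fields, and entries still hashed with md5crypt ($1$) or the old DES scheme, which john cracks quickly. The sample file contents and the temp-file helper are constructed for the demo; the hash values are placeholders, not the ones from the box.

```python
"""Audit a shadow-style password file: weak hash algorithms, empty
entries, and backup copies that anyone on the system can read."""
import os
import stat
import tempfile

# Constructed sample in /etc/shadow format (placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASH:17000:0:99999:7:::
sunny:$5$saltsalt$PLACEHOLDERSHA256HASH:17000::::::
sammy:$1$xyz$cEUv8aN9ehjhMXG/kSFnM1:17000::::::
guest::17000::::::
daemon:*LK*:6445::::::
"""


def classify_hash(field):
    """Return (algorithm, weak) for one shadow password field."""
    if field == "":
        return ("empty", True)              # login with no password at all
    if field.startswith(("!", "*", "NP")):  # locked / no-login marker (Solaris uses NP, *LK*)
        return ("locked", False)
    if field.startswith("$6$"):
        return ("sha512crypt", False)
    if field.startswith("$5$"):
        return ("sha256crypt", False)
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return ("bcrypt", False)
    if field.startswith("$1$"):
        return ("md5crypt", True)           # fast to brute-force, as the writeup shows
    if len(field) == 13 and "$" not in field:
        return ("descrypt", True)           # traditional 13-char DES crypt
    return ("unknown", True)


def audit_shadow(text):
    """Parse shadow-format text; return (user, algorithm) for every weak entry."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algo, weak = classify_hash(fields[1])
        if weak:
            findings.append((fields[0], algo))
    return findings


def world_readable(path):
    """True if the 'other' read bit is set, i.e. any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def write_demo_backup(mode):
    """Demo helper: write SAMPLE_SHADOW to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="shadow.backup.")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SHADOW)
    os.chmod(path, mode)
    return path


def audit_backup(path):
    """Report a readable backup copy first, then the weak entries inside it."""
    report = []
    if world_readable(path):
        report.append(("file", "world-readable"))
    with open(path) as fh:
        report.extend(audit_shadow(fh.read()))
    return report


if __name__ == "__main__":
    demo = write_demo_backup(0o644)   # mimics the readable backup on the box
    for item in audit_backup(demo):
        print(item)
    os.unlink(demo)
```

Run as root over the real backup directory (for example every file matching shadow* under /backup), anything reported as world-readable or md5crypt should be fixed, and a backup of shadow should never have looser permissions than /etc/shadow itself.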
- Create a new shadow file on our local machine with a new entry for the root password
- Upload it and replace the shadow file
- Log in as root with our password
Create a new password hash on our local machine:
where “password” is our password for the root user and “$1$xyz$cEUv8aN9ehjhMXG/kSFnM1” is the hash to put in the shadow file. Insert a new entry into our shadow file:
Now upload this shadow file with wget and save it to /etc. On our local machine start a SimpleHTTPServer:
And on the server:
Now we are root with password “password”.
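The root step above works because the sudo rule lets sammy run a download tool as root with no password, and wget's normal output option writes wherever the caller says. As an added example for the defender's side (not code from the writeup), this Python check parses `sudo -l` output and flags exactly that rule shape: a root (or ALL) rule for a binary that writes a caller-chosen file, with an extra note when NOPASSWD is set, plus blanket ALL rules. The sample output, the rule regex and the list of file-writing binaries are assumptions constructed for the demo.

```python
"""Flag sudo rules that hand a user a root-owned write to any path."""
import re

# Constructed `sudo -l` output (not the box's own), following the shape
# sudo prints: a header line, then one rule per indented line.
SAMPLE_SUDO_L = """\
User sammy may run the following commands on sunday:
    (root) NOPASSWD: /usr/bin/wget
    (root) /usr/bin/df
    (ALL : ALL) ALL
"""

# One rule line: "(runas) [TAG: ...] command"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$"
)

# Download tools whose standard output-file option (wget -O, curl -o)
# creates or overwrites a file at a path the caller picks.
FILE_WRITERS = {"wget", "curl"}


def parse_sudo_l(text):
    """Return one dict per rule line: runas, nopasswd flag, command."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header / Defaults lines do not start with "("
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd"),
        })
    return rules


def assess(rules):
    """Return (command, reason) for rules that grant arbitrary root file writes."""
    findings = []
    for r in rules:
        cmd = r["cmd"]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command set"))
            continue
        runas_user = r["runas"].split(":")[0].strip()
        base = cmd.split()[0].rsplit("/", 1)[-1]
        if runas_user in ("root", "ALL") and base in FILE_WRITERS:
            reason = "can write arbitrary files as root"
            if r["nopasswd"]:
                reason += " without a password"
            findings.append((cmd, reason))
    return findings


if __name__ == "__main__":
    for cmd, reason in assess(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd}: {reason}")
```

On a real host, feed it the output of `sudo -l -U <user>` for each account; a hit for wget or curl means that user can replace /etc/shadow, /etc/sudoers or any other root-owned file, so the rule should be removed or narrowed to a wrapper script that fixes the output path.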