[HTB] Sunday

Welcome back to Exploitnetworking! Today we'll see the writeup of the Hack The Box Sunday machine. This box was really easy: with a simple nmap scan and some enumeration you can get into the server, and after that a few tricks get you the root user.

The first step is a simple nmap scan to see which services are running on the machine:


As we can see, there are two open ports. Port 79 runs the finger service, the finger daemon on Solaris systems: it reports which users are currently logged in, and at this moment there are three sessions, two for the sammy account and one for the sunny account.

If no users are logged in, we can enumerate them with this tool: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum.

Let's continue our enumeration. Now use nmap to scan all ports of the system:


We can see that there is an ssh service on port 22022:


Now try to log in with ssh as sunny or sammy. First try sunny with a simple password such as sunday, because sunday is the name of the machine:


Ok! We are in the system as sunny! Now try to get the root or sammy account. If we change directory to / we can see an interesting directory called backup, and in this directory there is a backup copy of the shadow file that is readable:


In this file there are the password hashes of sammy and sunny! Let's try to crack sammy's hash:


Save this in a file and pass it to john:


After some minutes john found a match: cooldude!. Try it over ssh with the sammy account:


Oh yes, we are sammy! Now try to get the root account. If we type sudo -l we see this output:


We can run wget as root without a password! The idea is:

  • Create a new shadow file on our local machine with a new entry for the root password
  • Upload it and replace the shadow file
  • Log in as root with our password
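The two weaknesses this box chains together are a world-readable shadow backup and a passwordless sudo rule for a binary that can write files. As an added defensive check (example code written for this post, not part of the original writeup or the machine), the script below parses sudoers-style rules and shadow-style entries and flags exactly those conditions; the sample rules, the placeholder hashes and the list of file-writing binaries are constructed assumptions, not data from the box.

```python
import os
import re
import stat

# Constructed sample sudoers rules of the shape the writeup describes
# (sammy may run wget as root with no password). Not the box's real file.
SAMPLE_SUDOERS = """\
# constructed example, not from the machine
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
sunny   ALL=(ALL) /usr/sbin/reboot
"""

# Constructed shadow-style lines; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$5$PLACEHOLDER$PLACEHOLDERHASH:17000::::::
sammy:$1$PLACEHOLDER$PLACEHOLDERHASH:17000::::::
sunny:$1$PLACEHOLDER$PLACEHOLDERHASH:17000::::::
daemon:NP:17000::::::
guest::17000::::::
"""

# Binaries that can write arbitrary files or run commands when allowed as root.
# Assumption: a short illustrative list, not an exhaustive one.
FILE_WRITERS = {"wget", "curl", "cp", "mv", "tee", "dd", "vi", "vim",
                "bash", "sh", "perl", "python"}

# user host=(runas) [TAG: ...] command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

MD5CRYPT = "md5crypt ($1$) hash: cheap to crack offline"
EMPTY = "empty password field: login without a password"


def audit_sudoers(text):
    """Return (user, runas, binary) for every NOPASSWD rule that grants ALL
    or a binary able to write files as the run-as user."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        runas = m.group("runas") or "root"
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                findings.append((m.group("user"), runas, "ALL"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in FILE_WRITERS:
                findings.append((m.group("user"), runas, binary))
    return findings


def audit_shadow(text):
    """Return (user, reason) for accounts whose hash field is empty or md5crypt.
    NP, *LK*, ! and * mean no or locked password and produce no finding."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, EMPTY))
        elif pw.startswith("$1$"):
            findings.append((user, MD5CRYPT))
    return findings


def world_readable(path):
    """True if the file grants read permission to 'others', which is what
    made the shadow backup on this box readable by an unprivileged login."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", finding)
    for finding in audit_shadow(SAMPLE_SHADOW):
        print("shadow:", finding)
```

On a real host you would feed `audit_sudoers` the contents of /etc/sudoers (and sudoers.d fragments), `audit_shadow` the live shadow file, and `world_readable` any copy of it found under backup directories; a NOPASSWD rule for wget or a readable shadow copy is the finding that should be fixed before a box like this one is reachable.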

Create a new password hash on our local machine:


where “password” is our password for the root user and “$1$xyz$cEUv8aN9ehjhMXG/kSFnM1” is the hash to put in the shadow file. Insert a new entry in our shadow file:


Then upload this shadow file with wget and save it in /etc. Locally, start a SimpleHTTPServer:


And on the server:


Now we are root with password “password”.

2018-10-01T09:23:08+00:00
