Sunday
Reconnaissance: NMAP
-sC: run default nmap scripts -sV: detect service version -O: detect OS -oA: output all formats and store in file initial --max-retries: number of port scan probe retransmissions
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.76
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
2111/tcp filtered kx
4126/tcp filtered ddrepl
32769/tcp filtered filenet-rpc
49159/tcp filtered unknown
56738/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94SVN%I=7%D=1/4%Time=65975A7D%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login\x
SF:20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\
SF:x20\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\
SF:?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nHEL
SF:P\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Name\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Wher
SF:e\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20\x
SF:20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\
SF:x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\.0
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(
SF:SSLSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\x2
SF:0\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x
SF:20\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/4%OT=79%CT=1%CU=41381%PV=Y%DS=2%DC=I%G=Y%TM=65975
OS:B08%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=I%CI=I%II=I%TS=7)S
OS:EQ(SP=108%GCD=1%ISR=108%TI=I%CI=I%II=I%TS=7)SEQ(SP=108%GCD=1%ISR=108%TI=
OS:I%CI=I%II=I%SS=S%TS=7)OPS(O1=ST11M53ANW2%O2=ST11M53ANW2%O3=NNT11M53ANW2%
OS:O4=ST11M53ANW2%O5=ST11M53ANW2%O6=ST11M53A)WIN(W1=FB37%W2=FB37%W3=FA38%W4
OS:=FA3B%W5=FA3B%W6=FFF7)ECN(R=Y%DF=Y%T=3C%W=FAE0%O=M53ANNSNW2%CC=Y%Q=)T1(R
OS:=Y%DF=Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=3C%W=FA09%S=O%A=
OS:S+%F=AS%O=ST11M53ANW2%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIP
OS:CK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=FF%CD=S)We get back the following result showing that 2 ports are open: Port 79: running Sun Solaris fingerd Port 111: running rpcbind
— max-retries: number of port scan probe retransmissions
Then we run a more comprehensive scan to identify services running on the above ports.
We get back the following result showing that: Port 22022: is running SunSSH 1.3 Port 55029: is running a service that nmap was not able to identify
Enumeration: Port 79 TCP finger Sun Solaris
We’ll start off with enumerating port 79. A quick google search on the “Finger service” tells us that the finger protocol is used to find out information about users on a remote system. Therefore, we can use it to enumerate usernames.
First, check if there are any logged in users.
No one is currently logged in. Let’s check if the user “root” exists.
It does exist. Now, let’s enumerate more usernames. list of usernames that we can use in order to guess the usernames that are available on the server.
Pentestmonkey has a script that is used to enumerate OS-level user accounts via the finger service. Let’s run that on our host.
-U: file of usernames to check via finger service -t: server host running finger service
We get the following result showing us that “sammy” and “sunday” are users of the system.
Enumeration: Port ???? TCP SunSSH 1.3
User Shell: SSH As sunny Since SSH is open and we have two valid usernames, let’s try brute-forcing the users’ credentials using hydra. We’ll start off with Sunny.
-l: username -P: password file -s: port
We get back the following result showing us that Sunny’s password is “sunday”.
SSH into Sunny’s account.
We need to escalate our privileges to Sammy.
Privesc: sunny to sammy
Run the following command to view the list of allowed commands that the user can run with root privileges.
We can run the /root/troll command as root. This is obviously a custom command so let’s run it to see what it’s doing (we don’t have read access to it).
It seems to be a script that prints the id of the user running it. Since we ran it with the ‘sudo’ command, it prints the id of root. We don’t have write access to the script, so we can’t escalate our privileges using it. After a bit of digging, I found a backup file in the following directory.
It contains two files agen22.backup and shadow.backup. The former we don’t have access to, however, we can view the latter.
It’s a backup of the shadow file. We already know Sunny’s password so we’re not going to attempt to crack it. Instead, copy Sammy’s password and save it in the file sammy-hash.txt. Then use John to crack the hash.
We got a password! Let’s su into Sammy’s account.
Now we can view the user.txt flag.
Privesc: sammy to root
Let’s try to escalate to root privileges. Run the sudo command again to view the list of allowed commands the user can run as root.
We can run wget with root privileges! If you’re familiar with the “-i” flag in wget, you’ll know that we can use it to output the content of files. Therefore, we can run the following command to get the root flag.
However, in this scenario we’re simply reading the content of the flag and not really escalating privileges. To get a root shell we need to chain the following two vulnerabilities:
The user Sunny can execute the /root/troll file with root privileges, and
The user Sammy can overwrite any root owned file using the wget command.
Therefore, we’ll use Sammy’s sudo privileges to overwrite the /root/troll file and include a shell in it. Then we’ll use Sunny’s sudo privileges to run the /root/troll file and convert our shell to a root shell.
Alright, let’s do this! In the attack machine, create a file called “troll” and add the following code to it.
Then start up a simple Python server in the directory the file is in.
Go back the target machine running with the Sammy user privileges, and run the wget command to overwrite the /root/troll file.
In another SSH session running with the Sunny user privileges, execute the troll file.
Since we added a bash shell in the troll file and the troll file is being executed with root privilege, we get a root shell!
Note: Something on the server seems to be resetting the /root/troll file every couple of seconds, therefore you only have small window of time between overwriting the troll file as Sammy and executing the troll file as Sunny.
Last updated