Hack The Box: Sunday

Synopsis: Sunday was an enumeration-heavy box running on Sun OS by Sun Microsystems. It was difficult to establish all of the open ports, which is important so you can identify services running on non-traditional ports. Once you gain a foothold, identifying files and services with incorrect permissions and sensitive data is key. Doing this box again I would run linpeas to help identify files of interest instead of looking by hand / with find.


I'm not sure if it's due to Sun OS, but I had a hard time getting an accurate idea of what ports were open. It hammers home that you should never take your tools' output as gospel. It never hurts to run them again or with different switches. In this case finger (port 79) and ssh (port 22022) are of interest.


Some googling tells us that “the Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information”, and the tool finger-user-enum can be used to enumerate users, so let's give that a shot.


finger-user-enum is a standalone Perl script, so once we had it downloaded it was relatively straightforward to run. We find a bunch of different users we can potentially start attacking.


Running hydra is always worth a shot when you have a username, and on the 1329th try it looks like we got in. I've been using the 10,000 most common passwords list instead of rockyou lately, because rockyou takes forever due to its size and is filled with a lot of garbage. The list can be found here.


After poking around I found a backup of /etc/shadow in the / directory. The next logical step is to grab the hashes and put them through john.


Got credentials for sammy now. Let's log in.


I had to do some googling and use find to locate user.txt. Sun OS is unique in its own right, so it wasn't in the usual place.


Checking what a given user has the ability to run as root is always the first thing I check. In this case it's wget.


I found using wget to be the most straightforward way to read the flag. We don't necessarily need to be root to get the root flag when we can read the file as sammy.
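As an added, defender-side example (not code from the write-up): a small Python audit that parses sudoers-style rules and flags grants like sammy's wget entry, where a file-access program run as root with caller-chosen arguments lets a user read any root-owned file without ever getting a root shell. The sample rules and the list of file-access programs are constructed assumptions for this example.

```python
import re

# Programs that, run as root with caller-chosen arguments, can read or write any
# file (wget via --post-file or -O; the rest by ordinary use). Illustrative list,
# an assumption for this example, not an exhaustive catalogue.
FILE_ACCESS_PROGRAMS = {"wget", "cat", "less", "more", "tail", "head", "cp", "tee"}

# Matches: user host=(runas) [TAG:] cmd [args], cmd [args], ...
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# Constructed sample, modelled on the sudo -l result described in the write-up.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget   # no argument list: any args allowed
backup  ALL=(root) /usr/sbin/service apache2 restart
ops     ALL=(ALL : ALL) /bin/cat /var/log/syslog, /usr/bin/tail /var/log/*
"""

def parse_rule(raw):
    """Parse a sudoers line into (who, runas_user, nopasswd, [commands]); None if not a user spec."""
    line = raw.split("#", 1)[0].strip()                          # drop comments
    m = RULE_RE.match(line)
    if m is None or line.startswith(("Defaults", "Cmnd_", "User_", "Host_", "Runas_")):
        return None
    runas = (m.group("runas") or "root").split(":")[0].strip()   # "(user : group)"
    nopasswd, cmds = False, []
    for part in m.group("cmds").split(","):
        part = part.strip()
        while (tag := TAG_RE.match(part)):                       # strip NOPASSWD: etc.
            nopasswd = nopasswd or tag.group(1) == "NOPASSWD"
            part = part[tag.end():]
        cmds.append(part)
    return m.group("who"), runas, nopasswd, cmds

def risky_rules(sudoers_text):
    """Return (who, runas, command) for rules that let a user read any file as root."""
    findings = []
    for raw in sudoers_text.splitlines():
        parsed = parse_rule(raw)
        if parsed is None or parsed[1] not in ("root", "ALL"):
            continue
        for cmd in parsed[3]:
            prog, *args = cmd.split() or [""]
            # No argument list means any arguments; sudo matches '*' against the
            # concatenated argument string, so a wildcard can swallow extra words.
            unrestricted = not args or any("*" in a for a in args)
            if prog == "ALL" or (prog.rsplit("/", 1)[-1] in FILE_ACCESS_PROGRAMS and unrestricted):
                findings.append((parsed[0], parsed[1], cmd))
    return findings
```

Run it over the real /etc/sudoers (and /etc/sudoers.d/*) on a host to spot grants that quietly expose root-readable files; a restricted argument list, as on the backup entry above, is what keeps such a rule safe.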
