Sunday — HTB walkthrough

ENUMERATION

Nmap Scan

Service and Version scan

Fullport Scan

Port Wise Enumeration Service and Version Scan

FINGER ENUMERATION

When I got nothing, I thought of bruteforcing some usernames on finger using pentest-monkeys’ amazing script — — finger-user-enum-1.0.

from finger user enum I got two names

SSH ENUMERATION

This was a guesswork, trying box name as password worked.

Tried Sunny- Sunday worked

USER — SUNNY ENUMERATION

enumerating user sudo rights I found we can run script, as root.

Watching what happens on running /root/troll, I see it prints user id, nothing much. So I went for more enumeration and found a folder named backup containing backup for /etc/shadow.

cat /etc/shadow

cat /etc/passwd

Copy both the files to your machine and crack the password using john

first unshadow both the files to password.txt and then use john

Got passwords for both.

Now that we have got user password for sammy let’s SSH into his session

USER — SAMMY ENUMERATION

Getting user flag.

PRIVILEGE ESCALATION

Checking sudo rights of user sammy.

There are more than one ways of exploitation and escalating privileges using wget. I have discussed only two. Let’s see them one by one.

1. using — input-file flag

[1] https://www.gnu.org/software/wget/manual/wget.html

Why not call an internal file named root.txt from internal link /root/

2) exploit any user binary file,

What if I say calling /usr/bin/passwd, won’t change the password, instead it is meant to give you shell. We are here using trivial way of exploitation, i.e. changing definition of what file do by modifying it’s contents. We will create a malicious payload i.e. a reverse shell python code and wget it such that we save it’s output to output file /usr/bin/passwd.

on our machine

Wget the file and save it under /usr/bin/ as passwd

Call command passwd and see magic on netcat on your machine

Don’t forget your root flag

ROOTED!!!!