Sunday — HTB walkthrough

Nmap Scan

Service and Version scan
Fullport Scan
Port Wise Enumeration Service and Version Scan


When I got nothing, I thought of bruteforcing some usernames on finger using pentest-monkeys’ amazing script — — finger-user-enum-1.0.

from finger user enum I got two names


This was a guesswork, trying box name as password worked.

Tried Sunny- Sunday worked


enumerating user sudo rights I found we can run script, as root.

Watching what happens on running /root/troll, I see it prints user id, nothing much. So I went for more enumeration and found a folder named backup containing backup for /etc/shadow.

cat /etc/shadow
cat /etc/passwd

Copy both the files to your machine and crack the password using john

first unshadow both the files to password.txt and then use john
Got passwords for both.

Now that we have got user password for sammy let’s SSH into his session


Getting user flag.

Checking sudo rights of user sammy.

There are more than one ways of exploitation and escalating privileges using wget. I have discussed only two. Let’s see them one by one.

  1. using — input-file flag

Why not call an internal file named root.txt from internal link /root/

2) exploit any user binary file,

What if I say calling /usr/bin/passwd, won’t change the password, instead it is meant to give you shell. We are here using trivial way of exploitation, i.e. changing definition of what file do by modifying it’s contents. We will create a malicious payload i.e. a reverse shell python code and wget it such that we save it’s output to output file /usr/bin/passwd.

on our machine
Wget the file and save it under /usr/bin/ as passwd

Call command passwd and see magic on netcat on your machine

Don’t forget your root flag




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store