This is a write-up for the recently retired Sunday machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

Unlike many systems on Hack the Box, Sunday was extremely annoying. This is because we have to guess our way through almost the whole system in order to get root, meaning that there is very little that we can actually work out. Furthermore, escalating to root was far too simple when compared to getting the initial user shell. That being said, getting the user shell was basically just learning how to use a service, as opposed to actually exploiting anything. Regardless, I think that the box was good practice, and was still worth doing.

PART ONE: USER

An initial nmap scan revealed only two open ports, but we will find one more later on:

After some brief research, I discovered that the finger service is used on Solaris systems to display information about local/remote users, and rpcbind is used to ‘convert RPC program numbers into universal addresses’ — however the latter isn’t important.

Fortunately, we can view all currently connected accounts like so:

From here, we have to find a way to login to the system. After tearing my hair out for a couple of hours, I manually went through a common SSH port list, and eventually stumbled across port 22022. A more intensive nmap scan would have likely found this too, anyway.

We can validate this port by attempting to connect to it:

Since we have no indication of a password, we can try and brute-force the SSH with the following command:

hydra -V -I -l sunny -P '/usr/share/wordlists/rockyou.txt' 10.10.10.76 ssh -s 22022

Click here to view a breakdown of what this command does.

Eventually, we find the password:

It didn’t take too long, and it turns out that the password was just “sunday”, which we probably could have guessed.

From here, we can log in and look for the user flag:

Weirdly enough, it doesn’t seem to be in that directory at all. We can then search in other user’s directories as shown:

We can see here that the flag belongs to the user Sammy, so we should just be able to read it from there.

Oh.

PART TWO: PRIVILEGE ESCALATION

We now know that we need to find a way to get into sammy’s account.

As usual, I went over to see if there were any hashes/passwords left in the /etc/passwd file, but everything seemed normal there.

As part of my regular privilege escaltion routine, I ran sudo -l to view what commands I could execute with root privileges:

This looks interesting. Eventually, whilst browsing through the system, I found a backup file, which contained the missing hashes:

I then fired up john and prepared to crack Sammy’s hash:

This attempts all passwords in the rockyou.txt wordlist, against the hash in the ‘file named ‘sammyhash’.

Before too long, we found the password “cooldude!”. With that, we can log in as Sammy and obtain the user flag!

Now its just a matter of getting to root. Running sudo -l as Sammy reveals that we can use wget with root permissions, which means that we could probably overwrite other files:

Since sunny can run a file as root, and Sammy can overwrite any file, it seems like a good plan to overwrite the /root/troll file as something more useful.

In order to do so, I wrote a simple file containing only “cat /root/root.txt”, and served it via a Python SimpleHTTPServer:

As shown, running the script as Sunday goes from being useless to being helpful: