Sunday CTF is a fairly simple machine, but it runs old software and can be a bit unpredictable at times. It mainly focuses on user enumeration through the finger service and on the use of weak credentials.
Independent Challenge – 10.10.10.76
| IP Address  | Ports Open                     |
|-------------|--------------------------------|
| 10.10.10.76 | TCP: 79, 111, 515, 6787, 22022 |
The full TCP port scan was run with nmap using the --max-retries 0 flag, which keeps the scan from stalling on this slow machine. Command:
nmap -T4 -oN nmap-all -vv -p- --max-retries 0 10.10.10.76
Username Enumeration - Finger
Vulnerability Explanation: Behind Security successfully enumerated valid users on the system by exploiting the finger service running on port 79/TCP.
Vulnerability Fix: Disable or restrict access to the finger service's port.
Steps to Reproduce the Attack: An attacker can use a Metasploit module to enumerate users via the finger service with a wordlist. Notably, sammy and sunny are distinct, non-default users; the others are common default accounts belonging to various parts of the system. To confirm, the command
finger sammy@10.10.10.76 revealed that sammy had logged in on Apr 13, 2022, via an ssh tty shell. The same information was obtained using
finger [email protected]. The configuration for the Metasploit module is provided below.
Initial Access - Login Bruteforce via SSH
Vulnerability Explanation: With two valid system users, Behind Security performed a login brute-force attack against the ssh service on port 22022/TCP, successfully retrieving the password for the user sunny.
Vulnerability Fix: Implement stronger security measures, such as using SSH keys instead of passwords or implementing an account lockout system after a certain number of failed login attempts.
Steps to Reproduce the Attack: Behind Security saved the usernames discovered previously (sammy and sunny) to a file named "users.txt" (newline-separated) and performed the brute-force attack with the tool "hydra" and the "rockyou" wordlist. The command used was:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.76 ssh -s 22022 -V -f -u
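The two findings above, user enumeration over finger and a password brute force against SSH, both leave a bursty footprint in the host's syslog, which is where a defender can catch them. The Python script below is an added example and not part of the original write-up: it parses a constructed syslog excerpt and flags a source address that issues many finger queries or many failed SSH passwords inside a short sliding window, then raises the severity when that same source later logs in successfully. The log line shapes (the inetd "service[pid] from IP PORT" tracing format is assumed), the year handed to the parser, the 10.10.14.x source addresses and the thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog excerpt (not from the write-up). The inetd lines follow the
# "service[pid] from IP PORT" shape that Solaris inetd connection tracing emits
# (assumed here); the sshd lines use the standard OpenSSH wording.
SAMPLE_LOG = """\
Apr 13 10:01:02 sunday inetd[123]: [ID 317013 daemon.notice] finger[2001] from 10.10.14.5 45001
Apr 13 10:01:02 sunday inetd[123]: [ID 317013 daemon.notice] finger[2002] from 10.10.14.5 45002
Apr 13 10:01:03 sunday inetd[123]: [ID 317013 daemon.notice] finger[2003] from 10.10.14.5 45003
Apr 13 10:01:03 sunday inetd[123]: [ID 317013 daemon.notice] finger[2004] from 10.10.14.5 45004
Apr 13 10:01:04 sunday inetd[123]: [ID 317013 daemon.notice] finger[2005] from 10.10.14.5 45005
Apr 13 10:01:04 sunday inetd[123]: [ID 317013 daemon.notice] finger[2006] from 10.10.14.5 45006
Apr 13 10:02:00 sunday inetd[123]: [ID 317013 daemon.notice] finger[2007] from 10.10.14.9 45100
Apr 13 10:05:10 sunday sshd[3001]: [ID 800047 auth.info] Failed password for sunny from 10.10.14.5 port 50001 ssh2
Apr 13 10:05:11 sunday sshd[3002]: [ID 800047 auth.info] Failed password for sunny from 10.10.14.5 port 50002 ssh2
Apr 13 10:05:11 sunday sshd[3003]: [ID 800047 auth.info] Failed password for sammy from 10.10.14.5 port 50003 ssh2
Apr 13 10:05:12 sunday sshd[3004]: [ID 800047 auth.info] Failed password for sammy from 10.10.14.5 port 50004 ssh2
Apr 13 10:05:12 sunday sshd[3005]: [ID 800047 auth.info] Failed password for sunny from 10.10.14.5 port 50005 ssh2
Apr 13 10:05:13 sunday sshd[3006]: [ID 800047 auth.info] Failed password for invalid user admin from 10.10.14.5 port 50006 ssh2
Apr 13 10:05:30 sunday sshd[3010]: [ID 800047 auth.info] Accepted password for sunny from 10.10.14.5 port 50010 ssh2
Apr 13 10:40:00 sunday sshd[3100]: [ID 800047 auth.info] Accepted publickey for sammy from 10.10.14.22 port 51000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"
                     r"(?P<prog>\w+)\[\d+\]:\s+(?P<msg>.*)$")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FINGER_RE = re.compile(r"finger\[\d+\] from " + IP)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP)
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from " + IP)


def parse_line(line, year=2022):
    """Return (timestamp, kind, source_ip, user) or None for lines of no interest.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if m["prog"] == "inetd" and (f := FINGER_RE.search(msg)):
        return ts, "finger_query", f["ip"], None
    if m["prog"] == "sshd":
        if f := SSH_FAIL_RE.search(msg):
            return ts, "ssh_fail", f["ip"], f["user"]
        if f := SSH_OK_RE.search(msg):
            return ts, "ssh_success", f["ip"], f["user"]
    return None


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Flag a source that produces >= threshold finger queries or SSH password
    failures inside one sliding window, and any later SSH login from a source
    flagged for failures (the footprint of a brute force that succeeded)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    stamps = defaultdict(list)
    for ts, kind, ip, _ in events:
        if kind != "ssh_success":
            stamps[(ip, kind)].append(ts)

    alerts = {}
    for (ip, kind), times in stamps.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:       # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[(ip, kind)] = {"ip": ip, "kind": kind, "count": len(times),
                                      "first": times[start], "severity": "medium"}
                break

    out = list(alerts.values())
    for ts, kind, ip, user in events:
        burst = alerts.get((ip, "ssh_fail"))
        if kind == "ssh_success" and burst and ts >= burst["first"]:
            out.append({"ip": ip, "kind": "ssh_success_after_bruteforce", "count": 1,
                        "first": ts, "user": user, "severity": "high"})
    return out


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['severity'].upper():6} {a['ip']:12} {a['kind']:30} n={a['count']} first={a['first']}")
```

Run as a script it prints one alert per flagged (source, kind) pair plus the high-severity login-after-burst alert; the single finger query from 10.10.14.9 and the key-based login from 10.10.14.22 stay quiet. Detection is the fallback: on Solaris the finger service is an inetd service managed through SMF and can simply be disabled with svcadm, and for sshd, PasswordAuthentication no together with a low MaxAuthTries in sshd_config removes the password-guessing surface that hydra relies on.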
Privilege Escalation - Sammy
Vulnerability Explanation: Further enumeration led to lateral movement to the user "sammy": an unprotected backup file located at
/backup/shadow.backup contained the hashed password of "sammy", which was easily cracked with the "hashcat" tool.
Vulnerability Fix: Enforce strong password policies for all users and ensure proper protection of backup files.
Steps to Reproduce the Attack: Behind Security used hashcat for Windows, which can crack hashes on the GPU instead of the CPU. This is faster and is the recommended way to crack hashes, but the hash can also be cracked with John the Ripper (or hashcat itself) directly from a Kali Linux VM. Save the hash to a text file and execute hashcat (Windows):
hashcat.exe -d 1 -a 0 -m 7400 hash.txt wordlists\rockyou.txt
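A backup copy of the shadow file is only a finding when someone other than root can read it, so the check a defender wants pairs the mode bits of each file with its contents. The Python script below is an added example, not code from the write-up: it builds a throwaway directory with constructed placeholder hashes (nothing from the machine), then reports every shadow-style hash line it finds together with whether the group or other read bits expose it. The directory layout, file names and hash values are constructed; the hashcat mode numbers in the lookup table are the real ones for those crypt(3) formats (mode 7400 from the command above is sha256crypt, the $5$ format).

```python
import re
import shutil
import stat
import tempfile
from pathlib import Path

# crypt(3) password hashes as stored in /etc/shadow: $1$ md5crypt, $5$ sha256crypt
# (the format hashcat mode 7400 cracks), $6$ sha512crypt.
SHADOW_RE = re.compile(r"^(?P<user>[a-z_][a-z0-9_-]*):(?P<hash>\$(?:1|5|6)\$[^:]+):")
HASH_KIND = {"$1$": "md5crypt (hashcat -m 500)",
             "$5$": "sha256crypt (hashcat -m 7400)",
             "$6$": "sha512crypt (hashcat -m 1800)"}


def audit_file(path):
    """Return one finding per shadow-style hash line in path, noting whether the
    file mode lets group or other users read it."""
    mode = stat.S_IMODE(path.stat().st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [{"file": str(path), "user": m["user"], "hash": HASH_KIND[m["hash"][:3]],
             "mode": f"{mode:04o}", "exposed": exposed}
            for m in map(SHADOW_RE.match, text.splitlines()) if m]


def audit_tree(root):
    """Walk root and collect hash findings from every regular file."""
    return [f for p in sorted(Path(root).rglob("*")) if p.is_file() for f in audit_file(p)]


def exposed_hashes(root):
    """Only the findings a defender must act on: hashes readable by non-owners."""
    return [f for f in audit_tree(root) if f["exposed"]]


def build_demo_tree():
    """Create a throwaway directory mimicking an unprotected /backup. All hashes
    below are constructed placeholders, not real credentials."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    leaked = root / "shadow.backup"
    leaked.write_text("root:$5$c0nstructedsalt$c0nstructedhashvalue0000000000000000:19000::::::\n"
                      "sammy:$5$c0nstructedsalt$c0nstructedhashvalue1111111111111111:19000::::::\n")
    leaked.chmod(0o644)                       # world-readable: the flaw on this page
    protected = root / "shadow.protected"
    protected.write_text("sunny:$6$c0nstructedsalt$c0nstructedhashvalue2222222222222222:19000::::::\n")
    protected.chmod(0o600)                    # owner-only: the expected state
    (root / "notes.txt").write_text("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for f in audit_tree(demo):
            flag = "EXPOSED" if f["exposed"] else "ok"
            print(f"{flag:8} {f['mode']} {f['user']:8} {f['hash']:32} {f['file']}")
    finally:
        shutil.rmtree(demo)
```

Pointed at a real backup directory instead of the demo tree, audit_tree reports the 0644 shadow.backup entries as EXPOSED and the 0600 copy as ok; the same mode-plus-content check is what a scheduled integrity job should run, since a backup script that copies /etc/shadow with default permissions recreates this finding on every run.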
Privilege Escalation - root
Vulnerability Explanation: The user "sammy" has the capability to run
wget as root, which is a significant security flaw: a short sequence of commands is all that is required to escalate privileges to root. More information on this privilege escalation technique can be found here.
Vulnerability Fix: Reconsider the permissions of the user "sammy".
Steps to Reproduce the Attack: Logged in as "sammy", execute the commands below.
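The fix the page recommends, reconsidering sammy's permissions, generalises to auditing sudoers for any rule that hands a normal user a root-equivalent binary. The Python script below is an added example, not the write-up's own commands: it parses a constructed sudoers excerpt modelled on the finding (sammy allowed to run wget as root), skips rules that cannot run as root, and reports rules granting ALL, rules granting a binary that writes files as root (wget from this page, with curl added as the same class of tool; the dictionary is the example's assumption, not a complete catalogue), and NOPASSWD grants that deserve a second look. The user names and paths in the sample are constructed.

```python
import re

# Programs whose sudo grant is effectively a root grant because they write files
# anywhere as root. wget comes straight from the finding on this page; curl is
# added as the same class of tool. Extend with your own list: this dictionary
# is the example's assumption, not a complete catalogue.
ROOT_EQUIVALENT = {
    "wget": "writes downloaded data to an arbitrary path as root, so it can replace files root owns",
    "curl": "same class as wget: writes fetched data to an arbitrary path as root",
}

# Constructed sudoers excerpt modelled on the finding; not the machine's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
sunny   ALL=(root) /usr/sbin/ntpdate
backup  ALL=(backupuser) /usr/local/bin/backup.sh
"""

# who host=(runas) TAG: cmd, cmd   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(text):
    """Return one finding per sudo rule that hands a non-root principal root-level power."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append({"who": "?", "rule": line, "severity": "review",
                             "reason": "rule not understood by this parser; check manually"})
            continue
        who, tags = m["who"], m["tags"]
        if who == "root":
            continue
        runas_user = (m["runas"] or "root").split(":")[0]   # sudo defaults to root
        if runas_user not in ("root", "ALL"):
            continue                                   # this rule cannot run as root
        nopasswd = "NOPASSWD:" in tags
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            prog = cmd.split()[0]
            base = prog.rsplit("/", 1)[-1]
            if prog == "ALL":
                findings.append({"who": who, "rule": line,
                                 "severity": "medium" if who.startswith("%") else "high",
                                 "reason": "unrestricted root via sudo"})
            elif base in ROOT_EQUIVALENT:
                findings.append({"who": who, "rule": line, "severity": "high",
                                 "reason": f"{base} as root: {ROOT_EQUIVALENT[base]}"})
            elif nopasswd:
                findings.append({"who": who, "rule": line, "severity": "low",
                                 "reason": f"{base} runs as root without a password prompt; "
                                           "confirm it cannot spawn a shell or write files"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity'].upper():7} {f['who']:8} {f['reason']}")
        print(f"        rule: {f['rule']}")
```

On the sample the sammy rule is reported as high (wget as root) and the %wheel rule as medium, while sunny's ntpdate grant and the backupuser rule produce nothing because they either run a narrowly scoped binary with a password prompt or cannot run as root at all. Feeding the script the output of visudo -c -f on the real file, or the file itself, turns the page's one-line fix into a repeatable check.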
Sunday CTF was an intriguing machine, despite the performance issues encountered during the pentesting process. The experience of lateral movement before gaining root access was great. One valuable takeaway from this challenge was the discovery of a new technique to optimize nmap scans by limiting its maximum retries. I never used it before.