Sunday CTF: My Great Vacation

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Sunday CTF from HackTheBox. The writeup takes the form of a detailed pentest report.


Sunday CTF

Sunday CTF is a fairly simple machine; however, it runs fairly old software and can be unpredictable at times. It mainly focuses on exploiting the Finger service and on the use of weak credentials.


HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.


BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Independent Challenge – 10.10.10.76

IP Address     Ports Open
10.10.10.76    TCP: 79, 111, 515, 6787, 22022

(Screenshot: nmap scan output)
During the initial service enumeration, Behind Security noticed that the machine's performance was poor and that it frequently crashed. To speed up the scan, nmap was run with the --max-retries 0 flag, which stops it from re-sending probes that receive no response. Command: nmap -T4 -oN nmap-all -vv -p- --max-retries 0 10.10.10.76

Username Enumeration - Finger

Vulnerability Explanation: Behind Security successfully enumerated valid users on the system by exploiting the finger service running on port 79/TCP.

Vulnerability Fix: Disable or restrict access to the finger service's port.

Severity: Medium

Steps to Reproduce the Attack: An attacker can use a Metasploit module to enumerate users via the finger service with a wordlist. Notably, sammy and sunny are distinct, non-default users; the others are common default accounts for various parts of the system. To confirm, the command finger sammy@10.10.10.76 revealed that sammy logged in on Apr 13, 2022, via an ssh tty shell. The same information was obtained with finger sunny@10.10.10.76. The configuration for the Metasploit module is provided below.

(Screenshot: configuration and output of the Metasploit finger module)

Initial Access - Login Bruteforce via SSH

Vulnerability Explanation: With two valid system users, Behind Security performed a login brute-force attack against the ssh service on port 22022/TCP, successfully retrieving the password for the user sunny.

Vulnerability Fix: Implement stronger security measures, such as using SSH keys instead of passwords or implementing an account lockout system after a certain number of failed login attempts.

Severity: High

Steps to Reproduce the Attack: Behind Security saved the usernames discovered previously (sammy and sunny) to a newline-separated file named users.txt and ran the brute-force attack with hydra and the rockyou wordlist. The command used was: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.76 ssh -s 22022 -V -f -u

(Screenshot: hydra output showing sunny's password recovered)
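As an added example (not part of the original writeup), the defender's counterpart to this finding: a small Python detector that reads sshd log lines and flags a source that bursts failed logins and then succeeds, the pattern a hydra run leaves behind on the SSH service at port 22022. The log lines, host name and source addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not taken from the report); the usernames
# sunny and sammy match the machine described above.
SAMPLE_AUTH_LOG = """\
Apr 13 10:01:01 sunday sshd[1201]: Failed password for sunny from 10.10.14.5 port 40110 ssh2
Apr 13 10:01:02 sunday sshd[1203]: Failed password for sammy from 10.10.14.5 port 40114 ssh2
Apr 13 10:01:03 sunday sshd[1204]: Failed password for invalid user admin from 10.10.14.5 port 40116 ssh2
Apr 13 10:01:04 sunday sshd[1205]: Failed password for sunny from 10.10.14.5 port 40118 ssh2
Apr 13 10:01:05 sunday sshd[1206]: Accepted password for sunny from 10.10.14.5 port 40120 ssh2
Apr 13 10:30:00 sunday sshd[1300]: Failed password for sammy from 10.10.14.9 port 50001 ssh2
Apr 13 11:00:00 sunday sshd[1301]: Accepted publickey for sammy from 10.10.14.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(log_text, year=2022):
    """Turn syslog-style sshd lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=4, window_s=60):
    """Flag sources with >= threshold failures inside window_s seconds and record any account that then logged in from the same source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                after = burst[-1][0]
                compromised = sorted({e[2] for e in evs if e[1] == "Accepted" and e[0] >= after})
                alerts[src] = {"failures": len(burst), "users_tried": sorted({e[2] for e in burst}),
                               "compromised": compromised}
                break
    return alerts
```

The second source (10.10.14.9) produces a single failure followed by a key-based login and is intentionally not flagged, which is the behaviour a lockout policy should also distinguish.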

Post Exploitation

Privilege Escalation - Sammy

Vulnerability Explanation: Further enumeration led to successful lateral movement due to an unprotected backup file located at /backup/shadow.backup. This file contained the hashed password of the user "sammy", which was easily cracked using the "hashcat" tool.

Vulnerability Fix: Enforce strong password policies for all users and ensure proper protection of backup files.

Severity: High

Steps to Reproduce the Attack: Behind Security used hashcat for Windows, which can crack hashes on the GPU rather than the CPU. This is the faster and recommended approach, but the hash can also be cracked with John the Ripper (or hashcat itself) directly from a Kali Linux VM. Save the hash to a text file and run hashcat (Windows): hashcat.exe -d 1 -a 0 -m 7400 hash.txt wordlists\rockyou.txt

(Screenshot: hashcat output)
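Added example, not from the original writeup: a Python audit that checks a shadow backup such as /backup/shadow.backup for the two conditions this finding depends on, a file mode that lets non-owners read it and entries carrying a crackable hash (the $5$ sha256crypt prefix is what hashcat mode 7400 targets). The backup contents are constructed placeholders, not real hashes.

```python
import os
import stat
import tempfile

# crypt(3) prefix -> (scheme, hashcat mode); 7400 is the mode used in the report.
HASH_MODES = {"$1$": ("md5crypt", 500), "$5$": ("sha256crypt", 7400), "$6$": ("sha512crypt", 1800)}

# Constructed shadow-style backup; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW_BACKUP = """\
root:$5$placeholdersalt$PLACEHOLDERHASHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:6445::::::
daemon:NP:6445::::::
sammy:$5$placeholdersalt$PLACEHOLDERHASHbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:6445::::::
nobody:*LK*:6445::::::
"""

def parse_shadow(text):
    """Return (user, scheme, hashcat_mode) per line; locked or empty fields get mode None."""
    accounts = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":", 2)[:2]
        if field in ("", "NP") or field.startswith(("!", "*")):
            accounts.append((user, "locked-or-no-password", None))
        elif field[:3] in HASH_MODES:
            accounts.append((user,) + HASH_MODES[field[:3]])
        else:
            accounts.append((user, "unknown-format", None))
    return accounts

def audit_backup(path):
    """Report whether non-owners can read the backup and which accounts in it expose a hash that could be attacked offline if the file leaks."""
    mode = os.stat(path).st_mode
    readable_by_non_owner = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path) as f:
        accounts = parse_shadow(f.read())
    exposed = [u for u, _, hc_mode in accounts if hc_mode is not None]
    return {"readable_by_non_owner": readable_by_non_owner, "exposed_accounts": exposed,
            "accounts": accounts}

def demo():
    """Write the sample with the permissive mode described in the report and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".backup", delete=False) as f:
        f.write(SAMPLE_SHADOW_BACKUP)
        path = f.name
    os.chmod(path, 0o644)  # world-readable, like the unprotected /backup/shadow.backup
    try:
        return audit_backup(path)
    finally:
        os.unlink(path)
```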

Privilege Escalation - root

Vulnerability Explanation: The user "sammy" has the capability to run wget as root, creating a significant security flaw. A straightforward sequence of commands is all that's required to escalate privileges to root. More information on this privilege escalation technique can be found here.

Vulnerability Fix: Revoke the user "sammy"'s ability to run wget as root and review the rest of that user's elevated permissions.

Severity: Critical

Steps to Reproduce the Attack: Logged in as "sammy", execute the commands below.
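Added example (not part of the original writeup): a Python sudoers audit that flags grants like the one described here, assuming sammy's right to run wget as root comes from a sudoers rule (the report only says sammy can run wget as root). The sudoers excerpt is constructed; the only rule taken from the report is sammy's wget entry.

```python
import re

# Constructed sudoers excerpt (not the machine's real file); the only rule taken
# from the report is that sammy may run wget as root.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
backup  ALL=(root) /usr/bin/tar -czf /backup/home.tgz /export/home
%wheel  ALL=(ALL) ALL
"""

# Downloaders that, run as root with no argument restriction, can write any file.
UNRESTRICTED_WRITERS = {"wget", "curl"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Parse simple user-spec lines into dicts; Defaults, comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"who": m["who"], "runas": m["runas"] or "root",
                          "nopasswd": "NOPASSWD" in m["tags"],
                          "cmds": [c.strip() for c in m["cmds"].split(",")]})
    return rules

def risky_rules(rules):
    """Return (who, command, reason) for non-root principals whose grant is effectively root."""
    findings = []
    for r in rules:
        if r["who"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((r["who"], cmd, "any command as root"))
            elif name in UNRESTRICTED_WRITERS and len(cmd.split()) == 1:
                findings.append((r["who"], cmd, f"{name} as root with no argument restriction"))
    return findings
```

The constructed backup rule pins tar to fixed arguments and is deliberately not flagged, which is the shape a restricted grant for sammy would take.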

Conclusion

Sunday CTF was an intriguing machine, despite the performance issues encountered during the pentesting process. The experience of lateral movement before gaining root access was great. One valuable takeaway from this challenge was the discovery of a new technique to optimize nmap scans by limiting its maximum retries. I never used it before. 

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing BehindSecurity, we hope to see you again soon!
