Sunday CTF: My Great Vacation
This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Sunday CTF from HackTheBox. The writeup takes the form of a detailed pentest report.
Sunday CTF
Sunday CTF is a fairly simple machine; however, it runs fairly old software and can be a bit unpredictable at times. It mainly focuses on exploiting the Finger service and on the use of weak credentials.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.
Independent Challenge – 10.10.10.76
| IP Address | Ports Open |
|---|---|
| 10.10.10.76 | TCP: 79, 111, 515, 6787, 22022 |
The port scan was run with the --max-retries 0 flag. Command: nmap -T4 -oN nmap-all -vv -p- --max-retries 0 10.10.10.76
Username Enumeration - Finger
Vulnerability Explanation: Behind Security successfully enumerated valid users on the system by exploiting the finger service running on port 79/TCP.
Vulnerability Fix: Disable or restrict access to the finger service's port.
Severity: Medium
Steps to Reproduce the Attack: An attacker can use a Metasploit module to enumerate users via the finger service with a wordlist. Notably, sammy and sunny are distinct users; the others are common default accounts for various parts of the system. To confirm, the command finger sammy@10.10.10.76 revealed that sammy logged in on Apr 13, 2022, via an SSH tty shell. The same information was obtained with a second finger query against the host. The configuration for the Metasploit module is provided below.
Initial Access - Login Bruteforce via SSH
Vulnerability Explanation: With two valid system users, Behind Security performed a login brute-force attack against the ssh service on port 22022/TCP, successfully retrieving the password for the user sunny.
Vulnerability Fix: Implement stronger security measures, such as using SSH keys instead of passwords or implementing an account lockout system after a certain number of failed login attempts.
Severity: High
Steps to Reproduce the Attack: Behind Security saved the usernames discovered previously (sammy and sunny) to a file named "users.txt" (newline-separated) and performed the brute-force attack with the tool "hydra" and the "rockyou" wordlist. The command used was: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.10.76 ssh -s 22022 -V -f -u
Post Exploitation
Privilege Escalation - Sammy
Vulnerability Explanation: Further enumeration led to successful lateral movement due to an unprotected backup file located at /backup/shadow.backup. This file contained the hashed password of the user "sammy", which was easily cracked using the "hashcat" tool.
Vulnerability Fix: Enforce strong password policies for all users and ensure proper protection of backup files.
Severity: High
Steps to Reproduce the Attack: Behind Security used hashcat for Windows, which allows cracking hashes on the GPU instead of the CPU. This is the faster and recommended way to crack hashes, but the hash can also be cracked with John the Ripper (or hashcat) directly from a Kali Linux VM. Save the hash to a text file and execute hashcat (Windows): hashcat.exe -d 1 -a 0 -m 7400 hash.txt wordlists\rockyou.txt
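The root cause above is a readable copy of the shadow file left outside /etc. As an added defensive check that is not part of the original writeup, the script below walks a directory, identifies files that carry crypt-style password hashes, and reports those readable by anyone other than their owner; the directory layout, usernames and hash strings it builds in demo() are constructed for illustration.

```python
# Added example (not from the original writeup): flag copies of /etc/shadow that
# anyone but the owner can read, as /backup/shadow.backup was. Data is constructed.
import os
import re
import stat
import tempfile

# user:$algo$salt$hash:... as written by crypt(3)-based systems, Solaris included
SHADOW_LINE = re.compile(r"^(?P<user>[a-z_][a-z0-9_-]*):\$(?P<algo>[0-9a-z]+)\$[^:]*:")

def hashed_users(text):
    """Return usernames whose lines carry a crypt-style password hash."""
    return [m.group("user") for m in map(SHADOW_LINE.match, text.splitlines()) if m]

def audit_dir(root):
    """Report regular files under root holding shadow hashes that are group- or world-readable."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                continue  # not a regular file, or owner-only: no exposure
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    users = hashed_users(fh.read())
            except OSError:
                continue
            if users:
                findings.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)), "users": users})
    return findings

def demo():
    """Build a constructed backup tree: one exposed copy (0644) and one restricted copy (0600)."""
    root = tempfile.mkdtemp(prefix="shadow-audit-")
    fake = ("root:NP:6445::::::\n"  # constructed entries; the hashes are placeholders, not real
            "sammy:$5$constructed$NOTAREALHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:6445::::::\n"
            "sunny:$5$constructed$NOTAREALHASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:6445::::::\n")
    exposed = os.path.join(root, "shadow.backup")
    guarded = os.path.join(root, "shadow.ok")
    for path, mode in ((exposed, 0o644), (guarded, 0o600)):
        with open(path, "w") as fh:
            fh.write(fake)
        os.chmod(path, mode)
    return audit_dir(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['mode']} {f['path']}: hashes for {', '.join(f['users'])}")
```

Only shadow.backup is reported; the 0600 copy with identical contents is skipped because the check is on mode bits, not on whether the auditing user happens to be root.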
Privilege Escalation - root
Vulnerability Explanation: The user "sammy" has the capability to run wget as root, creating a significant security flaw. A straightforward sequence of commands is all that is required to escalate privileges to root. More information on this privilege escalation technique can be found here.
Vulnerability Fix: Reconsider the permissions of the user "sammy".
Severity: Critical
Steps to Reproduce the Attack: Logged in as "sammy", execute the commands below.
Conclusion
Sunday CTF was an intriguing machine, despite the performance issues encountered during the pentesting process. Performing lateral movement before gaining root access was a great experience. One valuable takeaway from this challenge was discovering a new technique to speed up nmap scans by limiting the maximum number of retries, which I had never used before.
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing BehindSecurity, we hope to see you again soon!