Thursday, March 21, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Sunday, which is a retired machine on the Hack The Box pentesting platform:


- Sunday's IP is

- Scanning all ports with Nmap:

- Scanning the open ports in more depth, we discover that Sunday is a Sun Solaris machine:

2.1 - Finger enumeration

- Let's focus our attention for now on port 79, where the finger service is running.

- There are a couple of ways to enumerate finger usernames.

2.1.1 - finger-user-enum

- First, the Perl script finger-user-enum:

- Once downloaded and extracted:

- Options and parameters for finger-user-enum:

- Using the SecLists file names.txt as wordlist, the script discovers two users, sammy and sunny:

2.1.2 - finger_users

- Second, the Metasploit module finger_users yields the same result:
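Both tools above work the same way: they send one username per finger query and many queries in a short time, which is exactly the pattern a defender can look for. The following Python is an added detection example, not part of the original write-up or of either tool; it assumes a sensor that records one line per finger (TCP/79) query as "timestamp source_ip queried_name", and the log lines below are constructed for the example (192.0.2.0/24 is a documentation range).

```python
"""Detect finger (TCP/79) username enumeration from per-query log records.

Added educational example, not code from the original post. Assumes a sensor
that logs each finger query as: "<ISO timestamp> <source ip> <queried name>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. A wordlist-driven tool sends many distinct
# names from one source within seconds; a normal user sends one or two.
SAMPLE_LOG = """\
2019-03-21T10:00:01 192.0.2.10 root
2019-03-21T10:00:01 192.0.2.10 admin
2019-03-21T10:00:02 192.0.2.10 sammy
2019-03-21T10:00:02 192.0.2.10 sunny
2019-03-21T10:00:02 192.0.2.10 guest
2019-03-21T10:00:03 192.0.2.10 test
2019-03-21T10:05:00 192.0.2.20 sunny
"""


def parse_records(text):
    """Parse log text into (timestamp, source_ip, queried_name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query = line.split(maxsplit=2)
        records.append((datetime.fromisoformat(ts), src, query))
    return records


def find_enumeration(records, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: distinct_names} for every source that queried at
    least `threshold` distinct usernames inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, query in sorted(records):
        by_src[src].append((ts, query))

    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {q for _, q in events[start:end + 1]}
            if len(names) >= threshold:
                alerts[src] = max(len(names), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, count in find_enumeration(parse_records(SAMPLE_LOG)).items():
        print(f"finger enumeration suspected from {src}: {count} distinct names")
```

The threshold and window are tunable; on a host where finger is rarely used, even a handful of distinct names from one source within a minute is worth an alert, and the simplest mitigation remains disabling the finger service in inetd.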

2.2 - SSH enumeration

- Medusa discovers the SSH password sunday for user sunny:


- Using credentials sunny:sunday to connect with SSH:

- However, the SSH connection is rejected, so we need to specify the key exchange algorithm diffie-hellman-group1-sha1 to succeed:

- It is interesting to notice that user sunny has sudo privileges to run the file /root/troll:

- Running /root/troll:

- Searching and listing anything of interest:

- The directory /backup holds a backup of /etc/shadow:

- Also, /etc/passwd is accessible:

- Copying the lines for users sammy and sunny to Kali:

- Unshadowing:

- Passing the unshadowed file u to John the Ripper, we discover the password cooldude! for user sammy:

- Now, connecting over SSH as user sammy gives the same problem as before, which can be solved in the same way:
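What unshadow does is mechanical: it joins /etc/passwd and the shadow copy on the username and drops the hash into the second field of the passwd record, which is the format John expects. The following Python reproduces that merge and then lists which accounts actually had a crackable hash exposed by the readable /backup copy. It is an added example, not the post's or the John the Ripper project's code; the passwd and shadow lines are constructed and the hash strings are placeholders, not real hashes from the machine.

```python
"""Reproduce the unshadow merge and report which accounts are exposed.

Added example, not code from the original post. Records below are constructed;
the hash fields are placeholders, not real hashes.
"""

PASSWD_LINES = """\
sammy:x:101:10:sammy:/export/home/sammy:/usr/bin/bash
sunny:x:65535:1:sunny:/export/home/sunny:/usr/bin/bash
daemon:x:1:1::/:
"""

SHADOW_LINES = """\
sammy:$5$PLACEHOLDERSALT$PLACEHOLDERHASH:17970::::::
sunny:$5$PLACEHOLDERSALT2$PLACEHOLDERHASH2:17970::::::
daemon:NP:6445::::::
"""


def unshadow(passwd_text, shadow_text):
    """Return passwd-format lines with the shadow hash in field 2, as the
    unshadow tool from John the Ripper produces."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, field = line.split(":")[:2]
            hashes[user] = field

    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        # Keep the original 'x' when no shadow record exists for the user.
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def exposed_accounts(merged_lines):
    """Accounts whose merged record carries a real hash rather than a locked
    marker ('*', '!', Solaris 'NP'/'*LK*') or an empty/placeholder field.
    Once a shadow copy leaks, these are the passwords to rotate."""
    exposed = []
    for line in merged_lines:
        user, field = line.split(":")[:2]
        if field not in ("", "x") and not field.startswith(("*", "!", "NP")):
            exposed.append(user)
    return exposed


if __name__ == "__main__":
    merged = unshadow(PASSWD_LINES, SHADOW_LINES)
    print("\n".join(merged))
    print("exposed:", exposed_accounts(merged))
```

The defender's takeaway from the merge is the second function: any account that shows up in `exposed_accounts` after a shadow backup has been readable by a low-privileged user should be treated as compromised, whatever the hash strength.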

- Again, we have a low-privileged remote shell:

- User sammy also has some sudo privileges:


- There are different ways of privilege escalation; let's try three of them.

- First, finding binaries with the SUID bit enabled:

- Let's pick these two files:
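The SUID listing is something a defender should run routinely too, with one extra check the attacker's `find` does not show: whether group or others can write to the binary, since a writable set-uid file is the condition that lets it be overwritten (the write-up later replaces /usr/bin/rsh with a generated payload). The following Python is an added audit example, not the post's command; `scan_tree` walks a real directory, while `classify` works on (path, mode, uid) tuples so it can be exercised on the constructed entries at the bottom.

```python
"""Audit set-uid binaries and flag any that group or others can modify.

Added defender-side example, not from the original write-up. classify() takes
(path, st_mode, st_uid) tuples; scan_tree() builds them from a live tree.
"""
import os
import stat


def classify(entries):
    """Return a finding per regular file with the SUID bit set; 'writable' is
    True when the mode grants write to group or others."""
    findings = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID):
            continue
        findings.append({
            "path": path,
            "owner_uid": uid,
            "writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return findings


def scan_tree(root):
    """Walk `root` (without following symlinks) and classify every file."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            entries.append((full, st.st_mode, st.st_uid))
    return classify(entries)


# Constructed sample entries (mode values built from stat constants, not read
# from the machine): one sane SUID binary, one world-writable SUID binary, and
# one ordinary binary that must not be reported.
SAMPLE_ENTRIES = [
    ("/usr/bin/pfexec", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/usr/bin/rsh", stat.S_IFREG | stat.S_ISUID | 0o777, 0),
    ("/usr/bin/ls", stat.S_IFREG | 0o755, 0),
]


if __name__ == "__main__":
    for f in classify(SAMPLE_ENTRIES):
        flag = "WRITABLE" if f["writable"] else "ok"
        print(f"{f['path']} owner={f['owner_uid']} {flag}")
```

Run `scan_tree("/usr")` as root on a real host to get the live list; every finding with `writable` set, and any SUID file outside the vendor's package manifest, deserves an immediate look.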

4.1 - pfexec

- pfexec executes the command bash and the result is a root shell:

4.2 - Msfvenom

- Generating a payload:

- Transferring exploit.elf from Kali to Sunday and writing it to /usr/bin/rsh:

- Setting up a Netcat listener:

- Running /usr/bin/rsh, a shell with euid=0(root) is achieved:

4.3 - wget --post-file

- The wget command supports the --post-file HTTP option, which sends the content of any file using the POST method:

- Setting up a Netcat listener on port 80:

- Sending /root/root.txt from Sunday to Kali:

- The root.txt flag shows up at Kali:
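Both the pfexec route and this wget route work because the accounts are allowed to run, with elevated rights, a command that can read or write arbitrary files. The following Python is an added defender-side example, not code from the post: it parses sudoers-style rules and flags entries granting such commands. The rules in the sample are constructed for illustration; the post only states that sunny may run /root/troll and that sammy has some sudo privileges, so these lines are not the machine's real sudoers.

```python
"""Flag sudoers rules that hand a user a file read/write primitive as root.

Added defender-side example, not code from the original post. The sample
rules are constructed; RISKY_BINARIES lists commands seen in the write-up.
"""
import re

# Commands that, once runnable as root, expose or overwrite arbitrary files.
RISKY_BINARIES = {
    "wget": "--post-file sends any readable file to a remote host; -O writes files",
    "pfexec": "executes commands under a privileged Solaris profile",
}

# user  host(s)=(runas) TAG: cmd1, cmd2   (a simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample, not the machine's real sudoers
Defaults requiretty
sunny ALL=(root) NOPASSWD: /root/troll
sammy ALL=(root) NOPASSWD: /usr/bin/wget
operator ALL=(root) /usr/bin/pfexec
"""


def parse_sudoers(text):
    """Parse rule lines into dicts; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD" in (m.group("tags") or ""),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def risky_rules(rules):
    """Return (user, command, reason) for every grant of ALL or a risky binary."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                findings.append((rule["user"], cmd, "unrestricted command execution"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in RISKY_BINARIES:
                findings.append((rule["user"], cmd, RISKY_BINARIES[binary]))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd} -> {reason}")
```

The parser deliberately handles only the common one-line rule form; aliases and line continuations would need a fuller grammar. The point it makes is narrow: a sudo grant for a file-transfer tool like wget is equivalent to a grant for reading any file on the system, so the fix is to remove the grant rather than to restrict its arguments.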


- Also, reading root.txt: