Hack The Box :: Sunday

Careless sudo permissions

Running nmap shows that the finger service is open, which can be used to do some recon.

Also, running a service scan shows that SSH is running on a non-standard port.

Running the finger-user-enum script gives us some interesting results. User sunny seems promising.

Brute forcing this user on port 22022 gives the password.

Looking around the directories gives us the hash of user sammy.

Cracking it with rockyou didn't take much time.

And we get the user flag!

Looking at the sudo permissions tells us that sammy can run wget as root. Let's try to send the shadow file to a remote web server that we control and crack the hash for root.

But that hash didn't give any results using rockyou. So instead, let's replace /root/troll since, as you might have already noticed, user sunny can run that path as root.

And then switch to user sunny and voilà, we get root!!!
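A defender-side check for the sudo misconfiguration described above, as an added example that is not part of the original write-up: it parses sudoers-style rules, flags grants that let a user write arbitrary files as root, and flags other rules whose command path such a user could replace. The sample rules are constructed from the write-up's description, and the `FILE_WRITERS` list and function names are assumptions made for illustration.

```python
import os
import re

# Assumption: illustrative, non-exhaustive set of binaries that can
# create or overwrite arbitrary files when they run as root.
FILE_WRITERS = {"wget", "curl", "cp", "mv", "tee", "dd", "tar", "rsync"}

# Constructed sample rules modelled on the write-up's description
# (sammy may run wget as root, sunny may run /root/troll as root).
SAMPLE_SUDOERS = """\
# constructed sample, not taken from the target host
root   ALL=(ALL) ALL
sammy  ALL=(root) NOPASSWD: /usr/bin/wget
sunny  ALL=(root) NOPASSWD: /root/troll
"""

RULE = re.compile(
    r"^(\S+)\s+[^=\s]+\s*=\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_rules(text):
    """Return (user, runas, command) tuples for simple user rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        user, runas, _tags, cmds = m.groups()
        rules += [(user, runas.strip(), c.strip()) for c in cmds.split(",") if c.strip()]
    return rules


def audit(text):
    """Flag root file-writer grants and the rules they undermine."""
    rules = [r for r in parse_rules(text)
             if r[0] != "root" and r[1].split(":")[0] in ("root", "ALL")]
    writers = [(u, c) for u, _, c in rules
               if os.path.basename(c.split()[0]) in FILE_WRITERS]
    findings = [(u, c, "writes arbitrary files as root") for u, c in writers]
    for user, _, cmd in rules:
        others = sorted({u for u, _ in writers if u != user})
        if cmd.startswith("/") and (user, cmd) not in writers and others:
            findings.append(
                (user, cmd, "target replaceable by " + ", ".join(others)))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_SUDOERS), sep="\n")
```

On a real host the input would be the contents of `/etc/sudoers` and the files under `/etc/sudoers.d/`; aliases and includes are not expanded by this sketch.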
