Between the last box (Legacy) and this one, I wasn’t too thrilled. This box was very fun but for some reason my connection was marred by lag and high latency and it made the whole experience more difficult than it had to be.

I liked this box because it exploited a service that was unknown to me (finger) and has had a hidden ssh port that if you didn’t enumerate properly you would definitely miss! It also involved a littler CTF-trickery in figuring out the password.

How it helps me study for the OSCP:

1. Enumerate all ports!
2. Don’t freak out over unknown services
3. Passwords (root:root; boxname:boxname; etc.)

Walkthrough

Sunday is located at 10.10.10.76

Our initial nmap scan:

And see that SSH is running on port 22022.

The next steps here are to enumerate the finger service with a script from pentestmonkey that essentailly shows us what users are / have logged on to the machine. I don’t have screenshots here because my box was buggy and kept crashing but I found out there were two users. sunny & sammy.

I ssh’d in as sunny using sunday (boxname) as the password and it worked.

When I tried to ssh in, it stated I needed a key. Here’s the fix:

From here I can pull a backup shadow file off and crack sammy’s password. For privesc I overwrote a world writeable script that had root privileges and placed my reverse shell in there for complete success as root.

Sorry for the lack of screenshots! I’ve done this box multiple times and the last time I did it it was acting up!