# Hackathon-OS ## NMAP ```bash PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Ubuntu 5ubuntu1.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.46 ((Ubuntu)) | http-methods: |_ Supported Methods: GET POST OPTIONS HEA | http-robots.txt: 6 disallowed entries |_/test/ /t3$t@123/ /includes/ /external/ /api/ /hashes/ |_http-server-header: Apache/2.4.46 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2 445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2 MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: 1s | nbstat: NetBIOS name: FILESERVER, NetBIOS user: , NetBIOS MAC: (unknown) | Names: | FILESERVER<00> Flags: | FILESERVER<03> Flags: | FILESERVER<20> Flags: | \x01\x02__MSBROWSE__\x02<01> Flags: ``` NMAP scan shows us 4 ports out which http and smb service looks interesting to us ## PORT 135/445 (SMB) We have three shares here out of which `shares` looks interesting

But we can see that we don't have read access to any of them so let's move on ! ## PORT 80 (HTTP) On the web server we can see a default apache page

Since we already know about `robots.txt` from the nmap scan we can just visit that file and see what entries we may find

None of these directories lead us to anywhere so let's fuzz for files and directories using `gobuster`

This is only returned us robots.txt so no files are on the server , let's go a step back and run `enum4linux-ng` to enumerate users through smb

This gave us the username `test` , if we remember from robots.txt file there was entry named `test` and `t3$t@123` so this maybe test user's password

## Foothold With this we logged into `shares` directory on smb and we see few files there

`HINT` file contains a username and a hash ``` clark:46a8047d5f9178c75aa6bf1090592427 ``` While `pass.txt` contains list of potential passwords so we need to crack the `clark`'s hash using the provided worlist , we can either use `hashcat` or `john` but I'll be using hashcat for cracking this md5 hash

So we got clark's password , now we need to ssh into the machine

This user isn't in sudoers group also isn't allowed to run any commands as other user so let's enumerate the machine to find other user folders

## Privilege Escalation (maker) Here we see `Deep.zip` which was not related to rooting for this box as it only contains a flag and we can get flag by just cracking this archive's password by using the previous password list , so moving on we see `.bash_history` that's important to look at what commands the user ran

## Rooting the box

After switching to `maker` we realize that this user is in `villan` group so let's see what files are owned by villan group

`/etc/passwd` file is owned by this group so this means that we can read/write to this file , let's verify this

All that is left to do is to add a hash in root's entry, you can do this by generating a password hash using `openssl` but I just copied my hash from `/etc/shadow` and just pasted there

And with this we rooted this fun, amazing , challenging , hard ,OP,hackathon,not a vulnhub copied box.