HTB – Sunday

Between the last box (Legacy) and this one, I wasn’t too thrilled. This box was very fun but for some reason my connection was marred by lag and high latency and it made the whole experience more difficult than it had to be.

I liked this box because it exploited a service that was unknown to me (finger) and has had a hidden ssh port that if you didn’t enumerate properly you would definitely miss! It also involved a littler CTF-trickery in figuring out the password.

How it helps me study for the OSCP:

  1. Enumerate all ports!
  2. Don’t freak out over unknown services
  3. Passwords (root:root; boxname:boxname; etc.)


Sunday is located at

Our initial nmap scan:

Now with all my boxes I always run this scan first followed by a more in depth all ports scan. This is my tactic for enuemration as it allows me to get a head start on certain things while the rest gets sorted out.
And look at that! 3 more “interesting ports”. We take a deeper dive in with nmap:

And see that SSH is running on port 22022.

The next steps here are to enumerate the finger service with a script from pentestmonkey that essentailly shows us what users are / have logged on to the machine. I don’t have screenshots here because my box was buggy and kept crashing but I found out there were two users. sunny & sammy.

I ssh’d in as sunny using sunday (boxname) as the password and it worked.

When I tried to ssh in, it stated I needed a key. Here’s the fix:

From here I can pull a backup shadow file off and crack sammy’s password. For privesc I overwrote a world writeable script that had root privileges and placed my reverse shell in there for complete success as root.

Sorry for the lack of screenshots! I’ve done this box multiple times and the last time I did it it was acting up!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: