It's been a while since I've had any free time to devote to Hack the Box recently as life has been getting in the way as well as working my way through the newly released AWAE course from Offensive Security. But I finally found a few spare moments to brush off some of the cobwebs and have a go at the machine, Lightweight.

Enumeration

As always, we begin with our trusty nmap scan.

nmap -sC -sV -p- -oA scan 10.10.10.119

Not too many services here, so lets start with HTTP.

Browsing to the IP gives us nothing so add the hostname lightweight.htb to /etc/hosts.

Browsing the various links gives us some interesting info. After making a HTTP request to the user page, the system will have created us an ssh login where the username and password is just our IP - so we can just ssh straight to the server after visiting that page.

No user flag yet though - that would be too easy.

Looking in the home directory, we see a couple of users using plain IP addresses as usernames (such as our own), but there's another couple in there that look interesting, ldapuser1, and ldpauser2.

So as we can see from our initial nmap scan that the LDAP port is open, perhaps the website uses ldap for authentication? And seeing as it is a plain text protocol, maybe we can capture some of the traffic.

tcpdump -i lo port 389 -w capture.pcap

In order to actually generate some traffic, whilst tcpdump is listening, browse through the website pages - the status one seems to take a long time for no real reason so we'll start there.

Once you have some traffic captures, copy file back to our Kali box and open it in wireshark, and then filter by ldap.

That authentication line looks interesting.

SSH credentials are not linux credentials however so we can't ssh in using this new password. We can just su though.

Our new home folder has a file in there called backup.7z (and the first flag) so download it and let's take a look.

As we do not have ssh credentials for the ldapuser2 we can get the file another way.

cat backup.7z | base64

We can then copy and paste the base64 encoded string to a file on our machine, and then decode it back into 7zip format.

cat encoded | base64 --decode > backup.7z

Then try to unzip it.

7z x backup.7z

Password protected. Bugger.

Cracking

But we can write a little bash script to utilise John The Ripper to crack the password - or we can use some google-fu and find one already written for us ;)

https://gist.github.com/bcoles/421cc413d07cd9ba7855

echo "7zip-JTR Decrypt Script";
if [ $# -ne 2 ]
then
  echo "Usage $0 <7z file> <wordlist>";
  exit;
fi
7z l $1

echo "Generating wordlist..."
john --wordlist="$2" --rules --stdout | while read i
do
  echo -ne "\rTrying \"$i\" " 
  7z x -p$i $1 -aoa 2>/dev/null
  STATUS=$?
  if [ $STATUS -eq 0 ]; then
    echo -e "\rArchive password is: \"$i\"" 
    break
  fi
done

And in fairly short order, it finds the password and decrypts the file for us.

The archive seems to contain a backup of the source files for the website we browsed earlier.

Taking a look at the source for the status.php file, gives us the password to another user, ldapuser1.

Using that we can make use of su again.

Further Enumeration

Our new home directory has some interesting binaries in it, openssl and tcpdump.

Through our enumeration when looking for interesting files, when we look at files with special capabilities, one of our binaries shows up with something interesting.

getcap -r / 2>/dev/null

The =ep privilege is special. It’s essentially blank, but what this actually means is that if you call it from the right location, then it will inherit the permissions of where it is called from ... so if you run it from the root directory, then you inherit everything!

So we can abuse this to read (or write) files we should not have access to.

Privilege Escalation

First we generate some certificates:

cd /tmp
~/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Accept all the default options, then once generated we can use openssl to start a HTTP server.

cd /
~/openssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 1337 -HTTP

Then using another shell, we can get the root flag.

We use the -k flag to ignore any SSL errors.

Now we could stop here, or we could go for a root shell.

Stretch Goal - root shell

Using the same HTTP server exploit above, we can read the /etc/shadow file and copy the contents to a temporary file.

Then we can generate a new root password.

mkpasswd  -m sha-512 -S saltsalt -s

Enter your chosen password, then replace the password section of the shadow file for the root user with your new hashed password.

Then we encrypt our temporary shadow file.

openssl smime -encrypt -aes256 -in /tmp/shadow -binary -outform DER -out /tmp/shadow.enc /tmp/cert.pem

Now we overwrite the existing shadow file.

cd /
~/openssl smime -decrypt -in /tmp/shadow.enc -inform DER -inkey /tmp/key.pem -out /etc/shadow

Then we simply su root, enter our new password and a root shell is ours.